Docker-Images/ci/java-builder/Dockerfile

# KollectAI CI — Java Builder Image
#
# Pre-baked build environment for backend + plugin CI jobs.
# Contains: Java 21, Maven 3.9.9, Node.js + pnpm, buf CLI, OWASP NVD
# database, ORAS CLI, common dependencies.
#
# Build:
#   docker build -t 192.168.1.72/kollect-tools/ci/java-builder:latest ci/java-builder/
#
# Usage in CI:
#   container:
#     image: 192.168.1.72/kollect-tools/ci/java-builder:latest

ARG JAVA_VERSION=25
FROM eclipse-temurin:${JAVA_VERSION}-jdk-jammy

ARG MAVEN_VERSION=3.9.14
ARG OWASP_DC_VERSION=12.1.1
ARG NVD_API_KEY=""
# ─────────────────────────────────────────────────────────────────────
# System dependencies
# ─────────────────────────────────────────────────────────────────────
ARG NODE_MAJOR=24

RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        git \
        gnupg \
        jq \
        unzip \
    && mkdir -p /etc/apt/keyrings \
    && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
        | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
    && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" \
        > /etc/apt/sources.list.d/nodesource.list \
    && apt-get update && apt-get install -y --no-install-recommends nodejs \
    && rm -rf /var/lib/apt/lists/*

# ─────────────────────────────────────────────────────────────────────
# Maven
# ─────────────────────────────────────────────────────────────────────
ENV MAVEN_HOME=/opt/maven
ENV PATH="${MAVEN_HOME}/bin:${PATH}"

RUN curl -fsSL "https://dlcdn.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz" \
    | tar -xz -C /opt \
    && mv "/opt/apache-maven-${MAVEN_VERSION}" "${MAVEN_HOME}"

# ─────────────────────────────────────────────────────────────────────
# OWASP Dependency-Check — pre-download NVD database
#
# This is the single biggest CI time saver. The NVD database download
# takes 5-10 minutes on a cold cache. Pre-baking it into the image
# means audit jobs start with a warm database.
#
# Rebuild this image weekly to keep the NVD database fresh.
# ─────────────────────────────────────────────────────────────────────
ENV OWASP_DATA_DIR=/opt/owasp/dependency-check-data

RUN mkdir -p "${OWASP_DATA_DIR}" \
    && mvn org.owasp:dependency-check-maven:${OWASP_DC_VERSION}:update-only \
        -DdataDirectory="${OWASP_DATA_DIR}" \
        ${NVD_API_KEY:+-DnvdApiKey="${NVD_API_KEY}"} \
        -q || true

# ─────────────────────────────────────────────────────────────────────
# pnpm — via corepack (ships with Node.js)
# ─────────────────────────────────────────────────────────────────────
ARG PNPM_VERSION=10.15.0

RUN corepack enable \
    && corepack prepare "pnpm@${PNPM_VERSION}" --activate

# ─────────────────────────────────────────────────────────────────────
# ORAS CLI — for uploading artifacts to Harbor
# ─────────────────────────────────────────────────────────────────────
ARG ORAS_VERSION=1.2.2

RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
    | tar -xz -C /usr/local/bin oras

# ─────────────────────────────────────────────────────────────────────
# buf CLI — single static binary used for `buf lint` in CI and pre-push
# parity. Backend Java codegen lives in the Maven build (protobuf-maven-
# plugin), not buf, so no protoc plugins are needed in this image.
# ─────────────────────────────────────────────────────────────────────
ARG BUF_VERSION=1.55.0

RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" \
    -o /usr/local/bin/buf \
    && chmod +x /usr/local/bin/buf

WORKDIR /workspace

# Verify installation
RUN java -version \
    && mvn -version \
    && node --version \
    && pnpm --version \
    && buf --version \
    && oras version \
    && jq --version