Updates all build and test deps that work on JDK 21

codefromthecrypt · codefromthecrypt · commit 61eea4e9232f · 2026-03-25T10:08:54.000-04:00
Matches recent changes across zipkin 3.6.0, brave 6.3.1, and
zipkin-reporter 3.5.3. Notably, Armeria 1.37.0 (Netty 4.2), Spring
Boot 3.5.12, and AWS SDK v1 1.12.797 (final EOL release) and v2
2.42.20.

Also updates build infrastructure: Maven 3.9.14, ubuntu-24.04
runners, pinned trivy v0.35.0, license-maven-plugin 5.0.0,
tonistiigi/binfmt for multi-arch, and docker compose v2 syntax.

Signed-off-by: Adrian Cole &lt;adrian@tetrate.io&gt;
diff --git a/.github/workflows/create_release.yml b/.github/workflows/create_release.yml
@@ -11,7 +11,7 @@ on:
 
 jobs:
   create_release:
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka noble
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v6
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -15,7 +15,7 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka noble
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v6
diff --git a/.github/workflows/docker_push.yml b/.github/workflows/docker_push.yml
@@ -11,7 +11,7 @@ on:
 
 jobs:
   docker_push:
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka noble
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v6
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -3,7 +3,6 @@ name: security
 
 # We don't scan documentation-only commits.
 on:  # yamllint disable-line rule:truthy
-  workflow_dispatch: # trigger ad-hoc runs of this action
   push:  # non-tagged pushes to master
     branches:
       - master
@@ -24,7 +23,7 @@ on:  # yamllint disable-line rule:truthy
 jobs:
   security:
     name: security
-    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
     # skip commits made by the release plugin
     if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
     steps:
@@ -37,8 +36,11 @@ jobs:
           key: ${{ runner.os }}-trivy
           restore-keys: ${{ runner.os }}-trivy
       - name: Run Trivy vulnerability and secret scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@v0.35.0
         id: trivy
+        env:  # See https://github.com/aquasecurity/trivy/discussions/7668
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
         with:
           scan-type: 'fs'
           scan-ref: '.'  # scan the entire repository
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -18,7 +18,7 @@ on:
 jobs:
   test-javadoc:
     name: Test JavaDoc Builds
-    runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04 # newest available distribution, aka noble
     if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
     steps:
       - name: Checkout Repository
@@ -39,7 +39,7 @@ jobs:
 
   test:
     name: test (JDK ${{ matrix.java_version }})
-    runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
+    runs-on: ubuntu-24.04 # newest available distribution, aka noble
     if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
     strategy:
       fail-fast: false  # don't fail fast as sometimes failures are operating system specific
diff --git a/.mvn/wrapper/maven-wrapper.jar b/.mvn/wrapper/maven-wrapper.jar
diff --git a/.mvn/wrapper/maven-wrapper.properties b/.mvn/wrapper/maven-wrapper.properties
@@ -1,20 +1,4 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-wrapperVersion=3.3.2
+wrapperVersion=3.3.4
 distributionType=bin
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip
-wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.14/apache-maven-3.9.14-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.4/maven-wrapper-3.3.4.jar
diff --git a/build-bin/docker-compose-zipkin-aws-unauthenticated.yml b/build-bin/docker-compose-zipkin-aws-unauthenticated.yml
@@ -1,4 +1,3 @@
-version: "3.6"
 services:
   # TODO: this will pass because X-Ray just sends UDP at the moment.
   # Authenticate and use the other modules: sqs,kinesis,elasticsearch
diff --git a/build-bin/docker/configure_docker_push b/build-bin/docker/configure_docker_push
@@ -12,13 +12,6 @@
 
 set -ue
 
-# Verify we are on an arch that can publish multi-arch images
-arch=$($(dirname "$0")/docker_arch)
-if [ "${arch}" != "amd64" ]; then
-  >&2 echo "multiarch/qemu-user-static doesn't support arch ${arch}"
-  exit 1
-fi
-
 # Enable experimental features on the server (multi-arch)
 echo '{ "experimental":true, "registry-mirrors": ["https://mirror.gcr.io"] }' | sudo tee /etc/docker/daemon.json
 
@@ -38,11 +31,9 @@ if [ -n "${DOCKERHUB_USER:-}" ]; then
 fi
 
 # Enable execution of different multi-architecture containers by QEMU and binfmt_misc
-# See https://github.com/multiarch/qemu-user-static
+# See https://github.com/tonistiigi/binfmt
 #
 # Mirrored image use to avoid docker.io pulls:
-# docker tag multiarch/qemu-user-static:7.2.0-1 ghcr.io/openzipkin/multiarch-qemu-user-static:latest
+# docker buildx imagetools create --tag ghcr.io/openzipkin/tonistiigi-binfmt-qemu:latest tonistiigi/binfmt:qemu-v10.2.1-65
 #
-# Note: This image only works on x86_64/amd64 architecture.
-# See: https://github.com/multiarch/qemu-user-static#supported-host-architectures
-docker run --rm --privileged ghcr.io/openzipkin/multiarch-qemu-user-static --reset -p yes
+docker run --privileged --rm ghcr.io/openzipkin/tonistiigi-binfmt-qemu --install all
diff --git a/build-bin/docker/docker_args b/build-bin/docker/docker_args
@@ -41,11 +41,15 @@ fi
 #
 # This is not required to be a base (FROM scratch) image like ghcr.io/openzipkin/alpine:3.12.3
 # See https://docs.docker.com/glossary/#parent-image
+if [ -n "${DOCKER_BUILD_IMAGE}" ]; then
+  docker_args="${docker_args} --build-arg docker_build_image=${DOCKER_BUILD_IMAGE}"
+fi
+
 if [ -n "${DOCKER_PARENT_IMAGE}" ]; then
   docker_args="${docker_args} --build-arg docker_parent_image=${DOCKER_PARENT_IMAGE}"
 fi
 
-# When non-empty, becomes the build-arg alpine_version. e.g. "3.12.3"
+# When non-empty, becomes the build-arg alpine_version. e.g. "3.23.3"
 # Used to align base layers from https://github.com/orgs/openzipkin/packages/container/package/alpine
 if [ -n "${ALPINE_VERSION}" ]; then
   docker_args="${docker_args} --build-arg alpine_version=${ALPINE_VERSION}"
diff --git a/build-bin/docker/docker_test_image b/build-bin/docker/docker_test_image
@@ -11,9 +11,9 @@
 
 set -ue
 
-# export this variable so that docker-compose can use it
+# export this variable so that docker compose can use it
 export DOCKER_IMAGE=${1?full docker_tag is required. Ex openzipkin/zipkin:test}
-# The two options are to run a single container of the image, or docker-compose which includes it.
+# The two options are to run a single container of the image, or docker compose which includes it.
 docker_compose_file=${2:-build-bin/docker-compose-$(echo ${DOCKER_IMAGE}| sed 's~.*/\(.*\):.*~\1~g').yml}
 docker_container=${3:-sut}
 
@@ -30,8 +30,8 @@ fi
 if [ "${health_rc}" = "1" ] || ! build-bin/docker/docker_block_on_health ${docker_container}; then
   >&2 echo "*** Failed waiting for health of ${docker_container}"
 
-  # Sadly, we can't `docker-compose inspect`. This means we may not see the inspect output of the
-  # container that failed in docker-compose until this is revised to work around compose/issues/4155
+  # Sadly, we can't `docker compose inspect`. This means we may not see the inspect output of the
+  # container that failed in docker compose until this is revised to work around compose/issues/4155
   docker inspect --format='{{json .State.Health.Log}}' ${docker_container} || true
 
   # Log any containers output to console before we remove them.
diff --git a/build-bin/maven/maven_build b/build-bin/maven/maven_build
@@ -7,9 +7,10 @@
 set -ue
 
 export MAVEN_OPTS="$($(dirname "$0")/maven_opts)"
+maven_goal=${MAVEN_GOAL:-package}
 if [ -x ./mvnw ]; then alias mvn=${PWD}/mvnw; fi
 
 (
   if [ "${MAVEN_PROJECT_BASEDIR:-.}" != "." ]; then cd ${MAVEN_PROJECT_BASEDIR}; fi
-  mvn -T1C -q --batch-mode -DskipTests package "$@"
+  mvn -T1C -q --batch-mode -DskipTests "${maven_goal}" "$@"
 )
diff --git a/build-bin/maven/maven_unjar b/build-bin/maven/maven_unjar
@@ -58,7 +58,7 @@ fi
 
 if ! test -f ${artifact_id}.jar && [ ${is_release} = "true" ]; then
   mvn_get="mvn -q --batch-mode -Denforcer.fail=false \
-  org.apache.maven.plugins:maven-dependency-plugin:3.8.1:get \
+  org.apache.maven.plugins:maven-dependency-plugin:3.10.0:get \
   -Dtransitive=false -DgroupId=${group_id} -DartifactId=${artifact_id} -Dversion=${version}"
 
   if [ -n "${classifier}" ]; then
diff --git a/build-bin/test b/build-bin/test
@@ -4,7 +4,7 @@
 #
 # See [README.md] for an explanation of this and how CI should use it.
 echo "Running Maven tests and integration tests..."
-./mvnw -T1C -nsu verify
+./mvnw -T1C -nsu verify "$@"
 
 echo "Building Docker image..."
 export RELEASE_FROM_MAVEN_BUILD=true
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -4,7 +4,7 @@
 #
 
 # zipkin version should match zipkin.version in /pom.xml
-ARG zipkin_version=3.5.0
+ARG zipkin_version=3.6.0
 
 # java_version is used during the installation process to build or download the module jar.
 #
diff --git a/module/pom.xml b/module/pom.xml
@@ -92,6 +92,17 @@
       <version>${armeria.version}</version>
       <scope>provided</scope>
     </dependency>
+    <!-- Armeria's transitive Netty deps are runtime scope; we compile against them -->
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-buffer</artifactId>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-common</artifactId>
+      <scope>provided</scope>
+    </dependency>
     <dependency>
       <artifactId>aws-java-sdk-core</artifactId>
       <groupId>com.amazonaws</groupId>
@@ -133,7 +144,7 @@
           <classifier>module</classifier>
           <!-- https://github.com/spring-projects/spring-boot/issues/3426 transitive exclude doesn't work -->
           <excludeGroupIds>
-            ${zipkin.groupId},org.springframework.boot,org.springframework,com.fasterxml.jackson.core,com.google.auto.value,com.google.code.gson,org.reactivestreams,com.google.code.findbugs,javax.annotation,org.slf4j,io.netty,io.micrometer,org.hdrhistogram,org.latencyutils,${armeria.groupId},javax.inject,com.fasterxml.jackson.datatype,com.aayushatharva.brotli4j,commons-logging
+            ${zipkin.groupId},org.springframework.boot,org.springframework,com.fasterxml.jackson.core,com.google.auto.value,com.google.code.gson,org.reactivestreams,com.google.code.findbugs,javax.annotation,org.slf4j,io.netty,io.micrometer,org.hdrhistogram,org.latencyutils,${armeria.groupId},javax.inject,com.fasterxml.jackson.datatype,com.aayushatharva.brotli4j,commons-logging,org.jspecify
           </excludeGroupIds>
           <excludes>
             <!-- zipkin-server depends on armeria and its grpc protocol-->
diff --git a/mvnw b/mvnw
diff --git a/mvnw.cmd b/mvnw.cmd
diff --git a/pom.xml b/pom.xml

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`		`-version: "3.6"`
`2`	`1`	`services:`
`3`	`2`	`# TODO: this will pass because X-Ray just sends UDP at the moment.`
`4`	`3`	`# Authenticate and use the other modules: sqs,kinesis,elasticsearch`