GoogleContainerTools
diff --git a/‎.github/workflows/update-deb-package-non-snapshots.yml‎
Lines changed: 72 additions & 0 deletions b/‎.github/workflows/update-deb-package-non-snapshots.yml‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎MODULE.bazel.lock‎
Lines changed: 4 additions & 3 deletions b/‎MODULE.bazel.lock‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎java/java.bzl‎
Lines changed: 26 additions & 18 deletions b/‎java/java.bzl‎
Lines changed: 26 additions & 18 deletions
diff --git a/‎knife‎
Lines changed: 29 additions & 14 deletions b/‎knife‎
Lines changed: 29 additions & 14 deletions
diff --git a/‎private/repos/deb/deb.MODULE.bazel‎
Lines changed: 2 additions & 1 deletion b/‎private/repos/deb/deb.MODULE.bazel‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎private/repos/deb/trixie_adoptium.lock.json‎
Lines changed: 93 additions & 0 deletions b/‎private/repos/deb/trixie_adoptium.lock.json‎
Lines changed: 93 additions & 0 deletions
diff --git a/‎private/repos/deb/trixie_adoptium.yaml‎
Lines changed: 17 additions & 0 deletions b/‎private/repos/deb/trixie_adoptium.yaml‎
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,72 @@
+name: update-non-snapshots
+on:
+  # will send emails to last editor of this cron syntax (distroless-bot)
+  schedule:
+    - cron: "35 20 * * *"
+  # allow this workflow to be manually run
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
+        with:
+          go-version: "1.20"
+
+      - name: Update non-snapshots
+        run: ./knife update-non-snapshots
+
+      - name: Check for changes
+        run: |
+          git status
+          if [[ $(git status --porcelain) ]]; then 
+            echo "DISTROLESS_DIFF=true" >> "$GITHUB_ENV"
+          else
+            echo "No changes detected"
+            exit 0
+          fi
+
+      - name: Run update lockfile
+        if: env.DISTROLESS_DIFF
+        run: bazel mod deps --lockfile_mode=update
+
+      - name: Create commits
+        if: env.DISTROLESS_DIFF
+        id: create-commits
+        run: |
+          git checkout -b update-non-snapshots
+
+          # Set identity.
+          git config --global user.email "[email protected]"
+          git config --global user.name "Distroless Bot"
+
+          # Commit changes
+          git add .
+          git commit -s -m "Bumping non-snapshot packages to latest stable versions"
+          git push --force origin HEAD
+
+      - name: Create Pull Request
+        if: env.DISTROLESS_DIFF
+        env:
+          GH_TOKEN: ${{ secrets.ACTIONS_TOKEN }}
+        run: |
+          BODY_FILE=$(mktemp)
+          printf "Bumping non-snapshot packages to latest stable version\n\`\`\`diff\n$DISTROLESS_DIFF\n\`\`\`\n" >> $BODY_FILE
+          if ! OUTPUT=$(gh pr create -B main -H update-non-snapshots -t "Bumping packages to latest stable versions" --body-file "$BODY_FILE" 2>&1) ; then
+            echo $OUTPUT
+            if [[ "${OUTPUT}" =~ "already exists" ]]; then
+              echo "PR already exists and it was updated. Ending successfully";
+              exit 0;
+            else
+              exit 1;
+            fi
+          fi
@@ -65,21 +65,21 @@ def java_build_base_image(distro, arch):
             base = ("//base:base_nossl" if (not ("debug" in mode)) else "//base:base_nossl_debug") + "_" + user + "_" + arch + "_" + distro,
             env = {"LANG": "C.UTF-8"},
             tars = [
-                deb.package(arch, distro, "zlib1g"),
-                deb.package(arch, distro, "libjpeg62-turbo"),
-                deb.package(arch, distro, "liblcms2-2"),
-                deb.package(arch, distro, "libfreetype6"),
-                deb.package(arch, distro, "fonts-dejavu-core"),
-                deb.package(arch, distro, "fontconfig-config"),
-                deb.package(arch, distro, "libexpat1"),
-                deb.package(arch, distro, "libfontconfig1"),
-                deb.package(arch, distro, "libuuid1"),
-                deb.package(arch, distro, "libbrotli1"),
-                deb.package(arch, distro, "libcrypt1"),
-                deb.package(arch, distro, "libstdc++6"),
-                deb.package(arch, distro, "libgcc-s1"),
+                deb.package(arch, distro, "zlib1g", "java"),
+                deb.package(arch, distro, "libjpeg62-turbo", "java"),
+                deb.package(arch, distro, "liblcms2-2", "java"),
+                deb.package(arch, distro, "libfreetype6", "java"),
+                deb.package(arch, distro, "fonts-dejavu-core", "java"),
+                deb.package(arch, distro, "fontconfig-config", "java"),
+                deb.package(arch, distro, "libexpat1", "java"),
+                deb.package(arch, distro, "libfontconfig1", "java"),
+                deb.package(arch, distro, "libuuid1", "java"),
+                deb.package(arch, distro, "libbrotli1", "java"),
+                deb.package(arch, distro, "libcrypt1", "java"),
+                deb.package(arch, distro, "libstdc++6", "java"),
+                deb.package(arch, distro, "libgcc-s1", "java"),
                 "//common:locale_" + distro + "_" + arch,
-            ] + [deb.package(arch, distro, library) for library in DISTRO_SPECIFIC_LIBRARIES["build_base"][distro]],
+            ] + [deb.package(arch, distro, library, "java") for library in DISTRO_SPECIFIC_LIBRARIES["build_base"][distro]],
         )
         for mode in DEBUG_MODE
         for user in USERS
@@ -122,11 +122,11 @@ def java_base_image(distro, arch):
             base = "java_build_base" + mode + "_" + user + "_" + arch + "_" + distro,
             env = {"LANG": "C.UTF-8"},
             tars = [
-                deb.package(arch, distro, "libharfbuzz0b"),
-                deb.package(arch, distro, "libgraphite2-3"),
-                deb.package(arch, distro, "libpcre2-8-0"),  # required for libharfbuzz0b but remove for temurin installs
+                deb.package(arch, distro, "libharfbuzz0b", "java"),
+                deb.package(arch, distro, "libgraphite2-3", "java"),
+                deb.package(arch, distro, "libpcre2-8-0", "java"),  # required for libharfbuzz0b but remove for temurin installs
                 ":cacerts_java_" + arch + "_" + distro,
-            ] + [deb.package(arch, distro, library) for library in DISTRO_SPECIFIC_LIBRARIES["base"][distro]],
+            ] + [deb.package(arch, distro, library, "java") for library in DISTRO_SPECIFIC_LIBRARIES["base"][distro]],
         )
         for mode in DEBUG_MODE
         for user in USERS
@@ -280,6 +280,7 @@ def java_temurin_image_from_adoptium_debs(distro, java_version, arch):
                 arch,
                 distro,
                 "temurin-" + java_version + "-jre",
+                "adoptium",
             ),
         ],
     )
@@ -296,6 +297,7 @@ def java_temurin_image_from_adoptium_debs(distro, java_version, arch):
                 arch,
                 distro,
                 "temurin-" + java_version + "-jdk",
+                "adoptium",
             ),
         ],
     )
@@ -316,6 +318,7 @@ def java_temurin_image_from_adoptium_debs(distro, java_version, arch):
                     arch,
                     distro,
                     "temurin-" + java_version + "-jre",
+                    "adoptium",
                 )),
             },
             tars = [
@@ -344,6 +347,7 @@ def java_temurin_image_from_adoptium_debs(distro, java_version, arch):
                     arch,
                     distro,
                     "temurin-" + java_version + "-jdk",
+                    "adoptium",
                 )),
             },
             tars = [
@@ -378,6 +382,7 @@ def java_openjdk_image(distro, java_version, arch):
                 arch,
                 distro,
                 "openjdk-" + java_version + "-jre-headless",
+                "java",
             ),
         ],
     )
@@ -398,6 +403,7 @@ def java_openjdk_image(distro, java_version, arch):
                     arch,
                     distro,
                     "openjdk-" + java_version + "-jre-headless",
+                    "java",
                 )),
             },
             tars = [
@@ -423,6 +429,7 @@ def java_openjdk_image(distro, java_version, arch):
                     arch,
                     distro,
                     "openjdk-" + java_version + "-jre-headless",
+                    "java",
                 )),
             },
             tars = [
@@ -431,6 +438,7 @@ def java_openjdk_image(distro, java_version, arch):
                     arch,
                     distro,
                     "openjdk-" + java_version + "-jdk-headless",
+                    "java",
                 ),
             ],
         )
 
@@ -22,20 +22,27 @@ if [ $(uname) == "Darwin" ]; then
     export PATH="/opt/homebrew/opt/gnu-sed/libexec/gnubin:$PATH"
 fi
 
-function cmd_lock() {
-    echo "🚧 Querying for repos (temporarily using hardcoded repos)"
+function cmd_lock_all() {
+    cmd_lock_snapshots
+    cmd_lock_non_snapshots
+}
+
+function cmd_lock_snapshots() {
+    echo "🚧 Querying for snapshot repos"
+    echo ""
+    local repos=$(grep -l snapshot.debian.org ./private/repos/deb/*.yaml | xargs -L 1 basename | cut -d. -f 1)
+    _cmd_lock "$repos"
+}
+
+function cmd_lock_non_snapshots() {
+    echo "🚧 Querying for non_snapshot repos"
     echo ""
-    # temporarily hardcode right now (query doesn't work after bzl mod)
-    local repos=$(cat <<EOL
-trixie
-trixie_java
-bookworm
-bookworm_java
-bookworm_python
-EOL
-)
-    #repos=$(bazel query "kind('deb_package_index', //external:*)" --output=label 2>/dev/null | cut -d: -f2)
+    local repos=$(grep -lL snapshot.debian.org ./private/repos/deb/*.yaml | xargs -L 1 basename | cut -d. -f 1)
+    _cmd_lock "$repos"
+}
 
+function _cmd_lock() {
+    local repos="$1"
     for repo in $repos; do
       for i in $(seq 10); do
         echo "🔑 Locking $repo (attempt ${i})"
@@ -93,6 +100,11 @@ function cmd_update_snapshots() {
     fi
 
     for mpath in "./private/repos/deb/"*.yaml; do
+        if ! grep -q "snapshot.debian.org" "$mpath"; then
+            echo "ignoring non-snapshot repo $mpath"
+            continue
+        fi
+
         current=$(grep -oE "debian/([0-9]+T[0-9]+Z)" $mpath | cut -d/ -f2 | head -n1)
         current_security=$(grep -oE "debian-security/([0-9]+T[0-9]+Z)" $mpath | cut -d/ -f2 | head -n1)
 
@@ -120,7 +132,7 @@ function cmd_github_update_snapshots() {
     local tmp=$(mktemp -d)
     jq -nr 'inputs.packages[] | .key + " " + .sha256' ./private/repos/deb/*.lock.json | sort > "$tmp/old.hashes"
     cmd_update_snapshots
-    cmd_lock
+    cmd_lock_snapshots
     jq -nr 'inputs.packages[] | .key + " " + .sha256' ./private/repos/deb/*.lock.json | sort > "$tmp/new.hashes"
     diff "$tmp/old.hashes" "$tmp/new.hashes" | tee "$tmp/diff" || printf "DISTROLESS_DIFF<<EOF\n$(<$tmp/diff)\nEOF" >> "$GITHUB_ENV"
 }
@@ -201,11 +213,14 @@ function cmd_deb_versions () {
 
 case "${1:-"~~nocmd"}" in
 lock)
-    cmd_lock
+    cmd_lock_all
     ;;
 update-snapshots)
     cmd_update_snapshots
     ;;
+update-non-snapshots)
+    cmd_lock_non_snapshots
+    ;;
 lint)
     cmd_lint
     ;;
 
@@ -3,6 +3,7 @@
 REPOS = [
     "trixie",
     "trixie_java",
+    "trixie_adoptium",
     "bookworm",
     "bookworm_java",
     "bookworm_python",
@@ -23,7 +24,7 @@ apt = use_extension("@rules_distroless//apt:extensions.bzl", "apt")
     for repo in REPOS
 ]
 
-use_repo(apt, "bookworm", "bookworm_java", "bookworm_python", "trixie", "trixie_java")
+use_repo(apt, "bookworm", "bookworm_java", "bookworm_python", "trixie", "trixie_java", "trixie_adoptium")
 
 ### VERSIONS HUB REPO ###
 version = use_extension("//private/extensions:version.bzl", "version")
 
@@ -0,0 +1,93 @@
+{
+	"packages": [
+		{
+			"arch": "amd64",
+			"dependencies": [],
+			"key": "temurin-25-jre_25.0.1.0.0-p-8-0_amd64",
+			"name": "temurin-25-jre",
+			"sha256": "1e9bcd6b8f04d52d873cc2d7a6fd6acfca4c113332199b7d93d90d7ba23b4c81",
+			"urls": [
+				"https://packages.adoptium.net/artifactory/deb/pool/main/t/temurin-25/temurin-25-jre_25.0.1.0.0+8-0_amd64.deb"
+			],
+			"version": "25.0.1.0.0+8-0"
+		},
+		{
+			"arch": "amd64",
+			"dependencies": [],
+			"key": "temurin-25-jdk_25.0.1.0.0-p-8-0_amd64",
+			"name": "temurin-25-jdk",
+			"sha256": "07f40a8d947daa219f3e055350667e1eed9a8613f2f28c30ee512c6725a529b0",
+			"urls": [
+				"https://packages.adoptium.net/artifactory/deb/pool/main/t/temurin-25/temurin-25-jdk_25.0.1.0.0+8-0_amd64.deb"
+			],
+			"version": "25.0.1.0.0+8-0"
+		},
+		{
+			"arch": "arm64",
+			"dependencies": [],
+			"key": "temurin-25-jre_25.0.1.0.0-p-8-0_arm64",
+			"name": "temurin-25-jre",
+			"sha256": "ff4cc726e043a7749a5c45961f02150f037a21b7d5669edef985db12401cebb2",
+			"urls": [
+				"https://packages.adoptium.net/artifactory/deb/pool/main/t/temurin-25/temurin-25-jre_25.0.1.0.0+8-0_arm64.deb"
+			],
+			"version": "25.0.1.0.0+8-0"
+		},
+		{
+			"arch": "arm64",
+			"dependencies": [],
+			"key": "temurin-25-jdk_25.0.1.0.0-p-8-0_arm64",
+			"name": "temurin-25-jdk",
+			"sha256": "b79f2cbfd80fe8eb8577795268d617adadb93737877e8c11e4501f6fd15ee16b",
+			"urls": [
+				"https://packages.adoptium.net/artifactory/deb/pool/main/t/temurin-25/temurin-25-jdk_25.0.1.0.0+8-0_arm64.deb"
+			],
+			"version": "25.0.1.0.0+8-0"
+		},
+		{
+			"arch": "s390x",
+			"dependencies": [],
+			"key": "temurin-25-jre_25.0.1.0.0-p-8-0_s390x",
+			"name": "temurin-25-jre",
+			"sha256": "23d540398ec631be9fff83942b63190559b7781518236534fb0ec77ca3d3419d",
+			"urls": [
+				"https://packages.adoptium.net/artifactory/deb/pool/main/t/temurin-25/temurin-25-jre_25.0.1.0.0+8-0_s390x.deb"
+			],
+			"version": "25.0.1.0.0+8-0"
+		},
+		{
+			"arch": "s390x",
+			"dependencies": [],
+			"key": "temurin-25-jdk_25.0.1.0.0-p-8-0_s390x",
+			"name": "temurin-25-jdk",
+			"sha256": "8fcdb2eee762aaac4bbb0ea5ea135add8dad2db1cb3cd3dc42c3058262139a28",
+			"urls": [
+				"https://packages.adoptium.net/artifactory/deb/pool/main/t/temurin-25/temurin-25-jdk_25.0.1.0.0+8-0_s390x.deb"
+			],
+			"version": "25.0.1.0.0+8-0"
+		},
+		{
+			"arch": "ppc64el",
+			"dependencies": [],
+			"key": "temurin-25-jre_25.0.0.0.0-p-36-0_ppc64el",
+			"name": "temurin-25-jre",
+			"sha256": "193f646166bb7dd5dc15b9ebe2f18bfa7b8d2fc2baee72245bbd5dc09b06e235",
+			"urls": [
+				"https://packages.adoptium.net/artifactory/deb/pool/main/t/temurin-25/temurin-25-jre_25.0.0.0.0+36-0_ppc64el.deb"
+			],
+			"version": "25.0.0.0.0+36-0"
+		},
+		{
+			"arch": "ppc64el",
+			"dependencies": [],
+			"key": "temurin-25-jdk_25.0.0.0.0-p-36-0_ppc64el",
+			"name": "temurin-25-jdk",
+			"sha256": "9cfc8b38378c89ccc97a50f6156eacc1a0ed5e523fe54c375bc1d0d1fdbbbeb0",
+			"urls": [
+				"https://packages.adoptium.net/artifactory/deb/pool/main/t/temurin-25/temurin-25-jdk_25.0.0.0.0+36-0_ppc64el.deb"
+			],
+			"version": "25.0.0.0.0+36-0"
+		}
+	],
+	"version": 1
+}
@@ -0,0 +1,17 @@
+# debian 13, java from adoptium repositories
+version: 1
+
+sources:
+  # adoptium
+  - channel: trixie main
+    url: https://packages.adoptium.net/artifactory/deb
+
+archs:
+  - amd64
+  - arm64
+  - s390x
+  - ppc64el
+
+packages:
+  - temurin-25-jre
+  - temurin-25-jdk