Upgrade GraalVM to v25.0.1, default to distroless images with -shell

variants, add multiarch support

Author: ujibang

.github/workflows/docker-image.yml

@@ -25,15 +25,37 @@ jobs:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_TOKEN }}
 
-      - name: Build and push multi-arch Docker images
+      - name: Build and push distroless image (default)
         uses: docker/build-push-action@v6
         with:
-          platforms: |
-            linux/amd64,
-            linux/arm64
+          context: .
+          file: ./Dockerfile.distroless
+          platforms: linux/amd64,linux/arm64
           push: true
           pull: true
           no-cache: false
+          build-args: |
+            GRAALVM_VERSION=25.0.1
           tags: |
-            softinstigate/graalvm:latest,
+            softinstigate/graalvm:latest
             softinstigate/graalvm:${{ github.ref_name }}
+            softinstigate/graalvm:25
+            softinstigate/graalvm:25.0
+            softinstigate/graalvm:25.0.0
+
+      - name: Build and push shell variant
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          pull: true
+          no-cache: false
+          build-args: |
+            GRAALVM_VERSION=25.0.1
+          tags: |
+            softinstigate/graalvm:${{ github.ref_name }}-shell
+            softinstigate/graalvm:25-shell
+            softinstigate/graalvm:25.0-shell
+            softinstigate/graalvm:25.0.0-shell

.gitignore

@@ -52,4 +52,7 @@ Temporary Items
 !.vscode/extensions.json
 *.code-workspace
 
-# End of https://www.toptal.com/developers/gitignore/api/maven,vscode,osx
+# End of https://www.toptal.com/developers/gitignore/api/maven,vscode,osx
+
+# Claude Code
+.claude

Dockerfile

@@ -1,32 +1,95 @@
-FROM debian:stable-slim
+# GraalVM Docker Image with Shell
+# Multi-arch: linux/amd64, linux/arm64
+# Expected size: ~365MB
 
-LABEL maintainer="SoftInstigate <info@softinstigate.com>"
+FROM debian:stable-slim AS downloader
 
-ARG JAVA_VERSION="25-graalce"
+ARG GRAALVM_VERSION=25.0.1
+ARG GRAALVM_JAVA_VERSION=25
+ARG TARGETARCH
 
-ENV SDKMAN_DIR=/root/.sdkman
+WORKDIR /tmp
 
-COPY bin/entrypoint.sh /root
+# Map Docker's TARGETARCH to GraalVM's architecture naming
+RUN case "${TARGETARCH}" in \
+      amd64) echo "linux-x64" > /tmp/graalvm_arch ;; \
+      arm64) echo "linux-aarch64" > /tmp/graalvm_arch ;; \
+      *) echo "Unsupported architecture: ${TARGETARCH}" && exit 1 ;; \
+    esac
 
 RUN apt-get update \
-  && apt-get install -y --no-install-recommends ca-certificates curl locales unzip zip \
+  && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+  && rm -rf /var/lib/apt/lists/*
+
+# Download and extract GraalVM directly
+RUN GRAALVM_ARCH=$(cat /tmp/graalvm_arch) \
+  && curl -fsSL "https://github.com/graalvm/graalvm-ce-builds/releases/download/jdk-${GRAALVM_VERSION}/graalvm-community-jdk-${GRAALVM_VERSION}_${GRAALVM_ARCH}_bin.tar.gz" \
+    -o graalvm.tar.gz \
+  && mkdir -p /opt/graalvm \
+  && tar -xzf graalvm.tar.gz -C /opt/graalvm --strip-components=1 \
+  && rm graalvm.tar.gz
+
+# Remove unnecessary components to save space
+# Remove GUI libraries since RESTHeart is a server application
+RUN cd /opt/graalvm \
+  && rm -rf \
+    lib/src.zip \
+    lib/visualvm \
+    lib/static \
+    lib/svm \
+    jmods \
+    man \
+    demo \
+    sample \
+    include \
+  && cd lib \
+  && rm -rf \
+    libnative-image*.so \
+    libawt*.so \
+    libjavafx*.so \
+    libprism*.so \
+    libglass*.so \
+    libfx*.so \
+    libjfx*.so \
+    libgstreamer*.so \
+    libsplashscreen.so \
+    libjavajpeg.so \
+    libfontmanager.so \
+    liblcms.so \
+    libmlib_image.so \
+    ct.sym \
+    2>/dev/null || true
+
+# Final stage
+FROM debian:stable-slim
+
+LABEL maintainer="SoftInstigate <info@softinstigate.com>"
+LABEL description="GraalVM image with shell for debugging"
+LABEL org.opencontainers.image.source="https://github.com/SoftInstigate/graalvm-docker"
+
+# Copy only the JVM from builder
+COPY --from=downloader /opt/graalvm /opt/graalvm
+
+# Install minimal runtime dependencies
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    locales \
   && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
   && locale-gen en_US.UTF-8 \
   && apt-get -y autoremove \
-  && rm -rf /var/lib/apt/lists/* \
-  && curl 'https://get.sdkman.io' | bash \
-  && echo "sdkman_auto_answer=true" > "${SDKMAN_DIR}/etc/config" \
-  && echo "sdkman_auto_selfupdate=false" >> "${SDKMAN_DIR}/etc/config" \
-  && echo "sdkman_insecure_ssl=true" >> "${SDKMAN_DIR}/etc/config" \
-  && chmod +x "${SDKMAN_DIR}/bin/sdkman-init.sh" \
-  && bash -c "source ${SDKMAN_DIR}/bin/sdkman-init.sh \
-  && sdk version \
-  && sdk install java ${JAVA_VERSION} \
-  && rm -rf ${SDKMAN_DIR}/archives/* \
-  && rm -rf ${SDKMAN_DIR}/tmp/*"
+  && rm -rf /var/lib/apt/lists/*
 
-WORKDIR /opt/app
+ENV JAVA_HOME=/opt/graalvm
+ENV PATH="${JAVA_HOME}/bin:${PATH}"
+ENV LANG=en_US.UTF-8
+ENV LANGUAGE=en_US:en
+ENV LC_ALL=en_US.UTF-8
+ENV JAVA_OPTS="-Djava.awt.headless=true"
 
-SHELL ["/bin/bash", "-i", "-c"]
+WORKDIR /opt/app
 
-ENTRYPOINT [ "/root/entrypoint.sh" ]
+# Use shell entrypoint for flexibility
+CMD ["/bin/sh"]

Dockerfile.distroless

@@ -0,0 +1,113 @@
+# Distroless GraalVM Docker Image
+# No shell, no package manager, no login capability
+# Multi-arch: linux/amd64, linux/arm64
+# Maximum security - only runtime dependencies
+# Expected size: ~285MB
+
+FROM debian:stable-slim AS downloader
+
+ARG GRAALVM_VERSION=25.0.1
+ARG GRAALVM_JAVA_VERSION=25
+ARG TARGETARCH
+
+WORKDIR /tmp
+
+# Map Docker's TARGETARCH to GraalVM's architecture naming
+RUN case "${TARGETARCH}" in \
+      amd64) echo "linux-x64" > /tmp/graalvm_arch ;; \
+      arm64) echo "linux-aarch64" > /tmp/graalvm_arch ;; \
+      *) echo "Unsupported architecture: ${TARGETARCH}" && exit 1 ;; \
+    esac
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+  && rm -rf /var/lib/apt/lists/*
+
+# Download and extract GraalVM directly
+RUN GRAALVM_ARCH=$(cat /tmp/graalvm_arch) \
+  && curl -fsSL "https://github.com/graalvm/graalvm-ce-builds/releases/download/jdk-${GRAALVM_VERSION}/graalvm-community-jdk-${GRAALVM_VERSION}_${GRAALVM_ARCH}_bin.tar.gz" \
+    -o graalvm.tar.gz \
+  && mkdir -p /opt/graalvm \
+  && tar -xzf graalvm.tar.gz -C /opt/graalvm --strip-components=1 \
+  && rm graalvm.tar.gz
+
+# Aggressive cleanup - remove everything not needed for runtime
+# Remove GUI libraries since RESTHeart is a server application
+RUN cd /opt/graalvm \
+  && rm -rf \
+    lib/src.zip \
+    lib/visualvm \
+    lib/static \
+    lib/svm \
+    jmods \
+    man \
+    demo \
+    sample \
+    include \
+  && cd lib \
+  && rm -rf \
+    libawt*.so \
+    libjavafx*.so \
+    libprism*.so \
+    libglass*.so \
+    libfx*.so \
+    libjfx*.so \
+    libgstreamer*.so \
+    libsplashscreen.so \
+    libjavajpeg.so \
+    libfontmanager.so \
+    liblcms.so \
+    libmlib_image.so \
+    libnative-image*.so \
+    ct.sym \
+    2>/dev/null || true \
+  && cd /opt/graalvm \
+  && find . -name "*.diz" -delete \
+  && find . -name "*.debuginfo" -delete 2>/dev/null || true
+
+# Build minimal runtime deps layer
+FROM debian:stable-slim AS runtime-deps
+
+ARG TARGETARCH
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends \
+    zlib1g \
+  && rm -rf /var/lib/apt/lists/*
+
+# Copy libs to a common location based on architecture
+RUN mkdir -p /staging/lib && \
+    case "${TARGETARCH}" in \
+      amd64) cp -P /lib/x86_64-linux-gnu/libz.so* /staging/lib/ || \
+             cp -P /usr/lib/x86_64-linux-gnu/libz.so* /staging/lib/ ;; \
+      arm64) cp -P /lib/aarch64-linux-gnu/libz.so* /staging/lib/ || \
+             cp -P /usr/lib/aarch64-linux-gnu/libz.so* /staging/lib/ ;; \
+    esac
+
+# Use Google's distroless base - no shell, no package manager
+FROM gcr.io/distroless/base-debian12:nonroot
+
+LABEL maintainer="SoftInstigate <info@softinstigate.com>"
+LABEL description="Distroless GraalVM image with no shell - maximum security"
+LABEL org.opencontainers.image.source="https://github.com/SoftInstigate/graalvm-docker"
+
+# Copy required runtime libraries
+COPY --from=runtime-deps /staging/lib/* /lib/
+
+# Copy only the JVM from builder
+COPY --from=downloader /opt/graalvm /opt/graalvm
+
+# Copy CA certificates for HTTPS
+COPY --from=downloader /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+ENV JAVA_HOME=/opt/graalvm
+ENV PATH=/opt/graalvm/bin
+ENV LANG=en_US.UTF-8
+ENV JAVA_OPTS="-Djava.awt.headless=true"
+
+WORKDIR /opt/app
+
+# No shell available - direct Java execution only
+ENTRYPOINT ["/opt/graalvm/bin/java"]