build(gradle): bump gradle version

Author: abhisheksr01

.github/workflows/pipeline.yml

@@ -162,6 +162,8 @@ jobs:
   docker-build-scan-push:
 #    if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
+    env:
+      BASE_IMAGE: abhisheksr01/companieshouse
 #    needs:
 #      - unit-test
 #      - mutation-test
@@ -189,19 +191,19 @@ jobs:
 #          echo "is-version-bumped: ${{ steps.bump-version.outputs.is-version-bumped }}"
 #          echo "is-dryrun-version-bumped: ${{ steps.bump-version.outputs.is-dryrun-version-bumped }}"
 #        shell: bash
-#      - name: Login to Docker Hub
-#        uses: docker/login-action@v3
-#        with:
-#          username: ${{ vars.DOCKERHUB_USERNAME }}
-#          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Docker meta
 #        if: ${{ steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }}
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: abhisheksr01/companieshouse
+          images: ${{ env.BASE_IMAGE }}
           context: git
           tags: |
             type=ref,event=pr
@@ -222,27 +224,36 @@ jobs:
           load: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-      - name: Convert Image to Tar
-        run: |
-          docker images
-          tags="${{ steps.meta.outputs.tags }}"
-          tags="${tags//,/ }"        # replace commas with spaces
-          echo "Saving images: $tags"
+          cache-to: type=registry,ref=${{ env.BASE_IMAGE }}:cache
+          cache-from: type=registry,ref=${{ env.BASE_IMAGE }}:cache,mode=max
       - name: Scan Image
         uses: aquasecurity/[email protected]
         with:
+          versin: 0.66
           image-ref: ${{ steps.meta.outputs.tags }}
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
           vuln-type: 'os,library'
-          scanners: 'vuln,secret,misconfig,license'
+          scanners: 'vuln,secret,misconfig'
+      - name: Validate Container Image
+        run: |
+          docker run -d -p 8080:8080 ${{ steps.meta.outputs.tags }}
+          sleep 5  # Wait for container to start
+          HEALTH_STATUS=$(curl -s http://localhost:8080/companieshouse/actuator/health | jq -r '.status')
+          if [ "$HEALTH_STATUS" != "UP" ]; then
+            echo "Health check failed. Status: $HEALTH_STATUS"
+            exit 1
+          fi
+          echo "Health check passed. Status: $HEALTH_STATUS"
       - name: Re-Build & Push Image
         uses: docker/build-push-action@v6
         with:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-to: type=registry,ref=${{ env.BASE_IMAGE }}:cache
+          cache-from: type=registry,ref=${{ env.BASE_IMAGE }}:cache,mode=max
           sbom: true
           provenance: true
 

Dockerfile

@@ -1,25 +1,55 @@
 # Stage 1: Build the jar
-FROM gradle:8.12-jdk21 AS build
-# Copy source code into the container and set the ownership to 'gradle' user
+FROM gradle:8.14.3-jdk21-jammy AS build
+
+# Update system packages
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Copy source code and build
 COPY --chown=gradle:gradle . /home/gradle/src
 WORKDIR /home/gradle/src
 RUN gradle build -x test --no-daemon
 
 # Stage 2: Production image
-FROM openjdk:21-slim AS production
+FROM openjdk:21-slim-bookworm AS production
 EXPOSE 8080
 
-# Create a non-root user and group (using 'appuser' as an example)
-RUN groupadd -r appgroup && useradd -r -g appgroup -m appuser
+# Update system packages and install fixed versions
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends \
+        libc6 \
+        util-linux \
+    && apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Create non-root user with fixed UID/GID
+RUN groupadd -r appgroup -g 10001 && \
+    useradd -r -g appgroup -u 10001 appuser && \
+    mkdir /app && \
+    chown 10001:10001 /app
+
+# Copy jar with specific name
+COPY --from=build --chown=10001:10001 /home/gradle/src/build/libs/*.jar /app/companieshouse.jar
 
-# Create the /app directory and set permissions
-RUN mkdir /app && chown appuser:appgroup /app
+WORKDIR /app
+USER 10001
 
-# Copy the jar file from the build stage into the production image
-COPY --from=build /home/gradle/src/build/libs/*.jar /app/companieshouse-*.jar
+# Security-focused Java options
+ENV JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom \
+    -Djava.awt.headless=true \
+    -Dfile.encoding=UTF-8 \
+    -XX:+ExitOnOutOfMemoryError \
+    -XX:+UseContainerSupport \
+    -XX:MaxRAMPercentage=75.0 \
+    -Dspring.profiles.active=production \
+    -Dserver.tomcat.accesslog.enabled=true"
 
-# Change to non-root user
-USER appuser
+# Add healthcheck
+HEALTHCHECK --interval=30s --timeout=3s \
+    CMD curl -f http://localhost:8080/companieshouse/actuator/health || exit 1
 
-# Set the entrypoint to run the Java application
-ENTRYPOINT ["java", "-jar", "/app/companieshouse-*.jar"]
+# Use specific jar name in entrypoint
+ENTRYPOINT ["java", "-jar", "/app/companieshouse.jar"]

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.3-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists