build(deps): switch to Docker hardened image

thomasleplus · thomasleplus · commit cb255aa26c4d · 2025-12-27T19:03:30.000+01:00
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
@@ -63,6 +63,12 @@ jobs:
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        if: github.ref == 'refs/heads/main'
+        with:
+          registry: dhi.io
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
       - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         id: build
         with:
@@ -98,7 +104,7 @@ jobs:
         run: |
           set -euo pipefail
           IFS=$'\n\t'
-          VERSION="$(\grep "${IMAGE}/Dockerfile" -e '^FROM' | \head -n 1 | \sed -e 's/@.*$//; s/^.*://;')"
+          VERSION="$(\grep "${IMAGE}/Dockerfile" -e '^FROM' | \head -n 1 | \sed -e 's/@.*$//; s/^.*://; s/-.*$//;')"
           if [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] ; then
             echo "VERSION=${VERSION}" >> "${GITHUB_ENV}"
           fi
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
@@ -54,6 +54,12 @@ jobs:
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        if: github.ref == 'refs/heads/main'
+        with:
+          registry: dhi.io
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
       - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         id: build
         with:
diff --git a/maven-check-versions/Dockerfile b/maven-check-versions/Dockerfile
@@ -1,4 +1,4 @@
-FROM maven:3.9.12@sha256:800a33a4cb190082c47abcd57944c852e1dece834f92c0aef65bea6336c52a72
+FROM dhi.io/maven:3.9.12-jdk25-debian13-dev@sha256:0a9d6751a403be81eeaed3b7107007d8f4d3e67bb251556f757857292cf78797
 
 HEALTHCHECK NONE
 
@@ -19,7 +19,7 @@ RUN mkdir -m 777 /opt/maven
 ARG MAVEN_USER_HOME="/opt/maven/.m2"
 ENV MAVEN_USER_HOME="${MAVEN_USER_HOME}"
 
-USER ubuntu
+USER nonroot
 
 WORKDIR /opt/project
 
