github-actions: refactor docker

.github/workflows/release.yml

@@ -129,26 +129,50 @@ jobs:
       - await-maven-central-artifact
       - create-github-release
     env:
-      SONATYPE_FALLBACK: 1
+      DOCKER_IMAGE_NAME: docker.elastic.co/observability/apm-agent-java
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ inputs.ref }}
-          fetch-depth: 0 # Load entire history as it is required for the push-script
+          fetch-depth: 0 # Load entire history as it is required for the get latest tag
+
+      - name: Get latest tag
+        run: echo "LATEST_TAG=$(git tag --list --sort=version:refname "v*" | grep -v RC | sed s/^v// | tail -n 1)" >> "${GITHUB_ENV}"
+
       - uses: elastic/apm-pipeline-library/.github/actions/docker-login@current
         with:
           registry: docker.elastic.co
           secret: secret/apm-team/ci/docker-registry/prod
           url: ${{ secrets.VAULT_ADDR }}
           roleId: ${{ secrets.VAULT_ROLE_ID }}
           secretId: ${{ secrets.VAULT_SECRET_ID }}
-      - name: "Build docker image"
-        shell: bash
-        run: ./scripts/docker-release/build_docker.sh "${{ env.RELEASE_VERSION }}"
-      - name: "Push docker image"
-        if: ${{ ! inputs.dry_run }}
-        shell: bash
-        run: ./scripts/docker-release/push_docker.sh "${{ env.RELEASE_VERSION }}"
+
+      - name: Extract metadata (tags, labels)
+        id: docker-meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81  # v5.5.1
+        with:
+          images: ${{ env.DOCKER_IMAGE_NAME }}
+          tags: |
+            type=raw,value=${{ env.RELEASE_VERSION }}
+            type=raw,value=latest,enable=${{ contains(env.LATEST_TAG,env.RELEASE_VERSION) }}
+
+      - name: Build and push image
+        id: push
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0  # v5.3.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.docker-meta.outputs.tags }}
+          labels: ${{ steps.docker-meta.outputs.labels }}
+          build-args: |
+            HANDLER_FILE=apm-agent-lambda-layer/src/main/assembly/elastic-apm-handler
+
+      - name: generate build provenance (containers)
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
 
   publish-aws-lambda:
     name: "Publish AWS Lambda"

.github/workflows/snapshot.yml

@@ -75,13 +75,78 @@ jobs:
         with:
           subject-path: "${{ github.workspace }}/**/target/*.jar"
 
-      - if: ${{ failure() }}
-        uses: elastic/apm-pipeline-library/.github/actions/slack-message@current
+      - uses: actions/upload-artifact@v4
         with:
+          name: elastic-apm-agent
+          path: ./elastic-apm-agent/target/elastic-apm-agent-*.jar
+
+  build-and-push-docker-images:
+    name: "Build and push docker images"
+    runs-on: ubuntu-latest
+    needs:
+      - deploy
+      - validate
+    if: ${{ contains(needs.validate.outputs.is-snapshot, 'true') }}
+    env:
+      DOCKER_IMAGE_NAME: docker.elastic.co/observability/apm-agent-java
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/download-artifact@v4
+        with:
+          name: elastic-apm-agent
+          path: elastic-apm-agent/target
+
+      - uses: elastic/apm-pipeline-library/.github/actions/docker-login@current
+        with:
+          registry: docker.elastic.co
+          secret: secret/apm-team/ci/docker-registry/prod
           url: ${{ secrets.VAULT_ADDR }}
           roleId: ${{ secrets.VAULT_ROLE_ID }}
           secretId: ${{ secrets.VAULT_SECRET_ID }}
-          channel: "#apm-agent-java"
-          message: |
-            :ghost: [${{ github.repository }}] Snapshot *${{ github.ref_name }}* didn't get triggered in Buildkite.
-            Build: (<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|here>)
+
+      - name: Extract metadata (tags, labels)
+        id: docker-meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81  # v5.5.1
+        with:
+          images: ${{ env.DOCKER_IMAGE_NAME }}
+          tags: |
+            type=raw,prefix=test-,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push image
+        id: push
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0  # v5.3.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.docker-meta.outputs.tags }}
+          labels: ${{ steps.docker-meta.outputs.labels }}
+          build-args: |
+            STANDALONE_FILE=elastic-apm-agent/target/elastic-apm-agent-*.jar
+            HANDLER_FILE=apm-agent-lambda-layer/src/main/assembly/elastic-apm-handler
+
+      - name: generate build provenance (containers)
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
+  notify:
+    if: ${{ failure() && ! inputs.dry_run }}
+    needs:
+      - deploy
+      - build-and-push-docker-images
+    runs-on: ubuntu-latest
+    steps:
+      - id: check
+        uses: elastic/apm-pipeline-library/.github/actions/check-dependent-jobs@current
+        with:
+          needs: ${{ toJSON(needs) }}
+      - uses: elastic/apm-pipeline-library/.github/actions/notify-build-status@current
+        with:
+          status: ${{ steps.check.outputs.status }}
+          vaultUrl: ${{ secrets.VAULT_ADDR }}
+          vaultRoleId: ${{ secrets.VAULT_ROLE_ID }}
+          vaultSecretId: ${{ secrets.VAULT_SECRET_ID }}
+          slackChannel: "#apm-agent-java"

CONTRIBUTING.md

@@ -316,7 +316,7 @@ For illustration purpose, `1.2.3` will be the target release version, and the gi
    1. Download `elastic-apm-java-aws-lambda-layer-<VERSION>.zip` from the CI release job artifacts and upload it to the release draft
 1. Wait for released package to be available in [maven central](https://repo1.maven.org/maven2/co/elastic/apm/elastic-apm-agent/)
 1. Build and push a Docker image using the instructions below
-   Use `SONATYPE_FALLBACK=1 scripts/docker-release/build_docker.sh` to build image with released artifact.
+   Use `docker build --build-arg HANDLER_FILE=apm-agent-lambda-layer/src/main/assembly/elastic-apm-handler --build-arg 'RELEASE_VERSION=<VERSION>' --tag docker.elastic.co/observability/apm-agent-java:<VERSION> .` to build image with released artifact.
    Requires credentials, thus need to delegate this manual step to someone that has them.
 1. Update [`cloudfoundry/index.yml`](cloudfoundry/index.yml) on `main`.
 1. Publish release on Github. This will notify users watching repository.
@@ -360,20 +360,21 @@ Alternatively, it is also possible to use the most recent artifact from the [Son
 repository](https://oss.sonatype.org/#nexus-search;gav~co.elastic.apm~apm-agent-java~~~).
 
 To do so, first clean any artifacts with [`./mvnw clean`](mvnw) and then run the Docker
-build script with the `SONATYPE_FALLBACK` environment variable present. For example,
+build script. For example,
 
-`SONATYPE_FALLBACK=1 scripts/docker-release/build_docker.sh`
+```shell
+docker build \
+  --build-arg HANDLER_FILE=apm-agent-lambda-layer/src/main/assembly/elastic-apm-handler \
+  --build-arg 'RELEASE_VERSION=<VERSION>' \
+  --tag docker.elastic.co/observability/apm-agent-java:<VERSION> .
+```
 
-After running the [`build_docker.sh`](scripts/docker-release/build_docker.sh) script, images can be seen by executing
+Then, images can be seen by executing
 `docker images|egrep docker.elastic.co/observability/apm-agent-java` which should
 produce output similar to the following:
 
 `docker.elastic.co/observability/apm-agent-java   1.12.0               1f45b5858d81        26 hours ago        10.6MB`
 
-No output from the above command indicates that the image did not build correctly
-and that the output of the [`build_docker.sh`](scripts/docker-release/build_docker.sh)
-script should be examined to determine the cause.
-
 
 #### Pushing a image to the Elastic repo
 
@@ -382,5 +383,4 @@ _Notice:_ You must have access to release secrets in order to push images.
 Prior to pushing images, you must login to the Elastic Docker repo using the correct
 credentials using the [`docker login`](https://docs.docker.com/engine/reference/commandline/login/) command.
 
-To push an image, run the [`scripts/docker-release/push_docker.sh`](scripts/docker-release/push_docker.sh)
-script with the release version. An image will be pushed.
+To push an image, run `docker push docker.elastic.co/observability/apm-agent-java:<VERSION>`. An image will be pushed.

Dockerfile

@@ -1,10 +1,34 @@
+# Pin to Alpine 3.19.1
+# For a complete list of hashes, see:
+# https://github.com/docker-library/repo-info/tree/master/repos/alpine/remote
+FROM alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b AS builder
+
+RUN apk add --no-cache curl
+WORKDIR /target
+
+ARG STANDALONE_FILE
+ARG RELEASE_VERSION
+
+RUN curl -L -s -o sonatype.jar \
+    "https://oss.sonatype.org/service/local/artifact/maven/redirect?r=releases&g=co.elastic.apm&a=elastic-apm-agent&v=$RELEASE_VERSION"
+
+COPY $STANDALONE_FILE /target/standalone.jar
+
+# Copy to the sonatype if possible
+RUN [ -n "$RELEASE_VERSION" ] && mv sonatype.jar elastic-apm-agent.jar || true
+
+# Copy to the standalone if possible
+RUN [ -n "$STANDALONE_FILE" ] && mv standalone.jar elastic-apm-agent.jar || true
+
+# Fail if file is not available
+RUN ls -l elastic-apm-agent.jar
+
 # Pin to Alpine 3.19.1
 # For a complete list of hashes, see:
 # https://github.com/docker-library/repo-info/tree/master/repos/alpine/remote
 FROM alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
 RUN mkdir /usr/agent
-ARG JAR_FILE
 ARG HANDLER_FILE
-COPY ${JAR_FILE} /usr/agent/elastic-apm-agent.jar
+COPY --from=builder /target/elastic-apm-agent.jar /usr/agent/elastic-apm-agent.jar
 COPY ${HANDLER_FILE} /usr/agent/elastic-apm-handler
 RUN chmod +x /usr/agent/elastic-apm-handler