Implement 48h cooldown to docker tag workflow (#161)

sarahchen6 · web-flow · commit 93ded08af5e0 · 2026-05-20T09:23:05.000-04:00
* Implement 48h cooldown for Docker images in the docker tag workflow
diff --git a/.github/workflows/create-test-mirror-pr.yml b/.github/workflows/create-test-mirror-pr.yml
@@ -40,7 +40,7 @@ jobs:
 
       - name: Install crane
         run: |
-          CRANE_VERSION="0.20.2"
+          CRANE_VERSION="0.21.5"
           curl -fsSL "https://github.com/google/go-containerregistry/releases/download/v${CRANE_VERSION}/go-containerregistry_Linux_x86_64.tar.gz" -o crane.tar.gz
           tar -xzf crane.tar.gz crane
           sudo mv crane /usr/local/bin/crane
diff --git a/.github/workflows/docker-tag.yml b/.github/workflows/docker-tag.yml
@@ -4,6 +4,12 @@ on:
     # Quarterly schedule, roughly aligned with JDK CPU
     - cron: '0 0 30 1,4,7,10 *'
   workflow_dispatch:
+    inputs:
+      skip_cooldown:
+        description: 'Skip the 48h external dependency cooldown check'
+        required: false
+        type: boolean
+        default: false
 
 jobs:
   tag-images:
@@ -15,11 +21,79 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+      - name: Install crane
+        run: |
+          CRANE_VERSION="0.21.5"
+          curl -fsSL "https://github.com/google/go-containerregistry/releases/download/v${CRANE_VERSION}/go-containerregistry_Linux_x86_64.tar.gz" -o crane.tar.gz
+          tar -xzf crane.tar.gz crane
+          sudo mv crane /usr/local/bin/crane
+          rm crane.tar.gz
       - name: Login to ghcr.io
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # 4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Verify external dependency 48h cooldown period
+        if: ${{ inputs.skip_cooldown != true }}
+        run: |
+          COOLDOWN_HOURS=48
+          COOLDOWN_SECONDS=$((COOLDOWN_HOURS * 3600))
+          NOW_EPOCH=$(date +%s)
+
+          # Collect local build stage names from the Dockerfile
+          mapfile -t LOCAL_STAGES < <(grep -i ' AS ' Dockerfile | sed 's/.* [Aa][Ss] //' | awk '{print $1}' | sort -u)
+
+          # Collect all image references from COPY --from= and FROM directives
+          mapfile -t ALL_REFS < <({
+            sed -n 's/.*--from=\([^ ]*\).*/\1/p' Dockerfile
+            awk '/^FROM/{print $2}' Dockerfile
+          })
+
+          # Filter to only external images
+          EXTERNAL_IMAGES=()
+          for ref in "${ALL_REFS[@]}"; do
+            [[ "$ref" == "scratch" ]] && continue
+            [[ "$ref" == *'${'* ]] && continue
+            is_local=false
+            for stage in "${LOCAL_STAGES[@]}"; do
+              [[ "$ref" == "$stage" ]] && { is_local=true; break; }
+            done
+            $is_local && continue
+            EXTERNAL_IMAGES+=("$ref")
+          done
+
+          echo "Checking ${#EXTERNAL_IMAGES[@]} external dependencies for ${COOLDOWN_HOURS}h cooldown..."
+          FAILED=false
+          for image in "${EXTERNAL_IMAGES[@]}"; do
+            echo "---"
+            echo "Checking: ${image}"
+            IMAGE_CREATED=$(crane config "${image}" | jq -r '.created // empty')
+            if [[ -z "$IMAGE_CREATED" ]]; then
+              echo "::error::Could not determine creation time for ${image}"
+              FAILED=true
+              continue
+            fi
+            IMAGE_EPOCH=$(date -d "$IMAGE_CREATED" +%s) || {
+              echo "::error::Could not parse creation time '${IMAGE_CREATED}' for ${image}"
+              FAILED=true
+              continue
+            }
+            AGE_SECONDS=$((NOW_EPOCH - IMAGE_EPOCH))
+            AGE_HOURS=$((AGE_SECONDS / 3600))
+            if [[ $AGE_SECONDS -lt $COOLDOWN_SECONDS ]]; then
+              REMAINING_HOURS=$(( (COOLDOWN_SECONDS - AGE_SECONDS) / 3600 + 1 ))
+              echo "::error::${image} is only ${AGE_HOURS}h old (created ${IMAGE_CREATED}). Cooldown requires ${COOLDOWN_HOURS}h. Try again in ~${REMAINING_HOURS}h."
+              FAILED=true
+            else
+              echo "OK: ${image} is ${AGE_HOURS}h old (created ${IMAGE_CREATED})"
+            fi
+          done
+
+          if $FAILED; then
+            echo "::error::One or more external dependencies have not met the ${COOLDOWN_HOURS}h cooldown period."
+            exit 1
+          fi
+          echo "All external dependencies have met the ${COOLDOWN_HOURS}h cooldown."
       - name: Tag images
         run: ./build --tag
diff --git a/.github/workflows/update-mirror-digests.yml b/.github/workflows/update-mirror-digests.yml
@@ -39,7 +39,7 @@ jobs:
 
       - name: Install crane
         run: |
-          CRANE_VERSION="0.20.2"
+          CRANE_VERSION="0.21.5"
           curl -fsSL "https://github.com/google/go-containerregistry/releases/download/v${CRANE_VERSION}/go-containerregistry_Linux_x86_64.tar.gz" -o crane.tar.gz
           tar -xzf crane.tar.gz crane
           sudo mv crane /usr/local/bin/crane
diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,7 @@ ARG LATEST_VERSION
 FROM eclipse-temurin:${LATEST_VERSION}-jdk-noble AS temurin-latest
 
 # Intermediate image used to prune cruft from JDKs and squash them all.
-FROM ubuntu:latest AS all-jdk
+FROM ubuntu:24.04 AS all-jdk
 ARG LATEST_VERSION
 
 RUN <<-EOT
diff --git a/README.md b/README.md
@@ -11,7 +11,7 @@ Image variants are available on a per JDK basis:
 - The `zulu8`, `zulu11`, `oracle8`, `ibm8`, `semeru8`, `semeru11`, `semeru17`, `graalvm17`, `graalvm21`, and `graalvm25` variants each contain the base JDKs in addition to the specific JDK from their name.
 - The `latest` variant contains the base JDKs and all of the specific JDKs above.
 
-Images are tagged with `ci-` prefixes via the [Tag new images version](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/docker-tag.yml) workflow, which runs quarterly on `master` and when manually triggered. On completion, it automatically triggers the [Update mirror digests for ci-* images](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/update-mirror-digests.yml) workflow, which opens a PR in [DataDog/images](https://github.com/DataDog/images) updating the pinned `ci-*` mirror image digests. Once that PR is merged, `dd-trace-java` CI picks up the updated images from `registry.ddbuild.io`. Images are mirrored in `registry.ddbuild.io` to ensure they are signed before use in CI.
+Images are tagged with `ci-` prefixes via the [Tag new images version](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/docker-tag.yml) workflow, which runs quarterly on `master` and when manually triggered. A **48-hour cooldown** is enforced: the workflow verifies that all external upstream dependencies (Eclipse Temurin, Azul Zulu, IBM Semeru, GraalVM, etc.) referenced in the Dockerfile were built at least 48 hours ago before tagging. This ensures that upstream images have had sufficient time for vulnerability scans and community review before being CI use. On completion, it automatically triggers the [Update mirror digests for ci-* images](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/update-mirror-digests.yml) workflow, which opens a PR in [DataDog/images](https://github.com/DataDog/images) updating the pinned `ci-*` mirror image digests. Once that PR is merged, `dd-trace-java` CI picks up the updated images from `registry.ddbuild.io`. Images are mirrored in `registry.ddbuild.io` to ensure they are signed before use in CI.
 
 ## Development
 
@@ -40,4 +40,4 @@ To test these images in `dd-trace-java` CI:
 5. When the test images look good and `DataDog/dd-trace-java` CI is green, merge your `DataDog/dd-trace-java-docker-build` PR #N.
 6. Close the test `DataDog/dd-trace-java` PR.
 7. Run the [Delete test image mirror PR](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/delete-test-mirror-pr.yml) workflow with `N` to remove the `N_merge-*` images from `DataDog/images`. Confirm that this PR is approved and merged by the `dd-prapprover` bot.
-8. Finally, run the [Tag new images version](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/docker-tag.yml) workflow. The [Update mirror digests for ci-* images](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/update-mirror-digests.yml) workflow will automatically open a PR in `DataDog/images`, updating the pinned `ci-*` digests. `dd-trace-java` CI should automatically pick up these updated images a few minutes after the PR is merged.
+8. Finally, run the [Tag new images version](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/docker-tag.yml) workflow. **Note:** The workflow enforces a 48-hour cooldown on external upstream dependencies — it will fail if any upstream image (Eclipse Temurin, Azul Zulu, IBM Semeru, GraalVM, etc.) was rebuilt less than 48 hours ago. If the workflow fails, check the logs to see which dependency is too new, and retry after the cooldown has elapsed. This check can also be skipped when manually triggering the workflow. On success, the [Update mirror digests for ci-* images](https://github.com/DataDog/dd-trace-java-docker-build/actions/workflows/update-mirror-digests.yml) workflow will automatically open a PR in `DataDog/images`, updating the pinned `ci-*` digests. `dd-trace-java` CI should automatically pick up these updated images a few minutes after the PR is merged.
