🧱 QD-13151 Switch to DHI images#802

Open
tiulpin wants to merge 1 commit intomainfrom
tv/QD-13151

Conversation

@tiulpin (Member)

@tiulpin tiulpin commented Dec 18, 2025

Pull Request Details

Description

Migrate Docker base images to Docker Hardened Images (DHI) and upgrade from Debian 12 (Bookworm) to Debian 13 (Trixie) for improved security and reduced CVEs. The plan is to update the images, run our image tests and, if everything works out, keep it; if not, we will revert.

Base Image Migrations

| Dockerfile | Before | After | Notes |
| --- | --- | --- | --- |
| jvm-community.Dockerfile | debian:bookworm-slim | dhi.io/debian-base:trixie | DHI + Debian 13 |
| dotnet-community.Dockerfile | debian:bookworm-slim | dhi.io/debian-base:trixie | DHI + Debian 13 |
| cpp-community.Dockerfile | debian:bookworm-slim | dhi.io/debian-base:trixie | DHI + Debian 13, clang 20-21 |
| cpp-community-bookworm.Dockerfile | (new file) | debian:bookworm-slim | Legacy clang 16-19 |
| go.Dockerfile | golang:1.24-bookworm | dhi.io/golang:1.25-debian13-dev | DHI + Go 1.25 |
| js.Dockerfile | node:22-bookworm-slim | dhi.io/node:22-debian13-dev | DHI + Debian 13 |
| php.Dockerfile | php:8.4-cli-bookworm | dhi.io/php:8.4-dev | DHI |
| ruby.Dockerfile | ruby:3.x-slim-bookworm | dhi.io/ruby:3.x-debian13-dev | DHI + Debian 13 |
| rust.Dockerfile | rust:1.88-slim-bookworm | dhi.io/rust:1-debian13-dev | DHI + Debian 13 |

CI Matrix Optimization

Restructured build groups for maximum parallelism (5 → 12 parallel jobs):

| Group | Images | Description |
| --- | --- | --- |
| jvm | 4 | jvm-community → jvm → python-community → python |
| dotnet | 2 | dotnet-community → dotnet |
| clang | 4 | clang 20-21 (Trixie) |
| clang-16 | 2 | clang 16 (Bookworm) |
| clang-17 | 2 | clang 17 (Bookworm) |
| clang-18 | 2 | clang 18 (Bookworm) |
| clang-19 | 2 | clang 19 (Bookworm) |
| go | 1 | standalone |
| js | 1 | standalone |
| php | 1 | standalone |
| rust | 1 | standalone |
| ruby | 3 | ruby 3.2, 3.3, 3.4 |

Breaking Changes

  • Ruby 3.1 removed: No DHI equivalent available
  • Clang removed: but we keep the old bookworm image in case the old versions are still needed

Related Issue

https://youtrack.jetbrains.com/issue/QD-13151

Motivation and Context

  • Security: DHI images have fewer CVEs, smaller attack surface, and include SBOM + SLSA Build Level 3 provenance
  • Performance: Smaller image sizes, faster pulls
  • Modernization: Debian 13 (Trixie) is the current stable release
  • CI Speed: ~50% faster builds through increased parallelism (12 vs 5 jobs)

How Has This Been Tested

  • Built all image groups locally with docker buildx bake
  • Verified arm64 and amd64 builds pass
  • Validated all bake groups resolve correctly

Types of changes

  • Docs change / refactoring / dependency upgrade
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • I have read the CONTRIBUTING document.
  • My code follows the code style of this project.
  • My commit messages are styled with gitmoji
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
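
As an added example that is not part of this PR or the qodana-cli project: a small POSIX shell policy check a reviewer could run in CI to confirm that every Dockerfile's FROM lines pull from the hardened dhi.io/ registry, with an allowlist for the legacy cpp-community-bookworm.Dockerfile that this PR intentionally keeps on debian:bookworm-slim. References to earlier build stages (FROM build) are not counted as external pulls. The fixture Dockerfiles, the allowlist file name base-image-allowlist.txt and the function names are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not code from the qodana-cli repository or this PR: a CI policy
# check that every *.Dockerfile in a directory pulls its base images from dhi.io/,
# except files listed in an allowlist (the PR keeps cpp-community-bookworm.Dockerfile
# on debian:bookworm-slim on purpose). The allowlist file name and the fixture
# Dockerfiles below are constructed for this demo.

# check_base_images DIR ALLOWLIST
# Prints "file:image" for every FROM whose image is neither a dhi.io/ reference
# nor a build stage defined earlier in the same file; returns 1 if any was found.
check_base_images() {
  dir=$1
  allow=$2
  bad=""
  for f in "$dir"/*.Dockerfile; do
    name=$(basename "$f")
    # files explicitly allowed to stay on upstream Debian are skipped
    if grep -qx "$name" "$allow" 2>/dev/null; then
      continue
    fi
    found=$(awk -v name="$name" '
      toupper($1) == "FROM" {
        img = ""
        for (i = 2; i <= NF; i++) {
          if ($i ~ /^--/) continue                 # skip flags such as --platform=...
          if (img == "") { img = $i; continue }    # first non-flag token is the image
          if (toupper($i) == "AS" && i < NF) stages[$(i + 1)] = 1   # remember stage names
        }
        # FROM <stage> reuses a stage defined above and is not an external pull
        if (!(img in stages) && img !~ /^dhi\.io\//) print name ":" img
      }' "$f")
    if [ -n "$found" ]; then
      bad="$bad$found
"
    fi
  done
  printf '%s' "$bad"
  [ -z "$bad" ]
}

# make_fixture: builds a constructed directory of Dockerfiles plus an allowlist
# and prints its path. One file (ruby.Dockerfile) deliberately still pulls an
# upstream image so the check has something to flag.
make_fixture() {
  dir=$(mktemp -d)
  cat > "$dir/go.Dockerfile" <<'EOF'
FROM --platform=$BUILDPLATFORM dhi.io/golang:1.25-debian13-dev AS build
FROM build AS test
FROM dhi.io/debian-base:trixie
COPY --from=build /out/app /app
EOF
  cat > "$dir/cpp-community-bookworm.Dockerfile" <<'EOF'
FROM debian:bookworm-slim
EOF
  cat > "$dir/ruby.Dockerfile" <<'EOF'
FROM ruby:3.4-slim-bookworm
EOF
  printf 'cpp-community-bookworm.Dockerfile\n' > "$dir/base-image-allowlist.txt"
  printf '%s' "$dir"
}

# Run with --demo to exercise the check against the constructed fixture.
if [ "${1:-}" = "--demo" ]; then
  fixture=$(make_fixture)
  if check_base_images "$fixture" "$fixture/base-image-allowlist.txt"; then
    echo "all Dockerfiles use hardened base images"
  else
    echo "non-hardened base images found (listed above)" >&2
  fi
  rm -rf "$fixture"
fi
```

In a real pipeline the allowlist would live in the repository next to the Dockerfiles so that any new exception has to go through review, and the check would run before docker buildx bake so a stray upstream base image fails the build rather than silently shipping.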

@tiulpin tiulpin requested a review from a team as a code owner December 18, 2025 11:19
@github-actions

github-actions bot commented Dec 18, 2025

Qodana for Go

421 new problems were found

Inspection name Severity Problems
Check GO source code coverage 🔶 Warning 397
Interprocedural potential nil dereference 🔶 Warning 5
Potential resource leak 🔶 Warning 5
Redundant 'else' in 'if' ◽️ Notice 14
@@ Code coverage @@
- 43% total lines covered
9285 lines analyzed, 4068 lines covered
# Calculated according to the filters of your coverage tool


@tiulpin tiulpin marked this pull request as draft December 18, 2025 11:40
@tiulpin tiulpin force-pushed the tv/QD-13151 branch 9 times, most recently from 056783c to 70b3427 Compare December 18, 2025 20:18
@tiulpin tiulpin requested a review from Copilot December 18, 2025 22:54

@tiulpin tiulpin marked this pull request as ready for review December 19, 2025 10:55
@github-actions

This pull request has been automatically marked as stale because it has not had recent activity for 7 days.

What happens next?

  • If this PR is still relevant, please add a comment or push new commits to keep it active
  • If no activity occurs within 3 days, this PR will be automatically closed
  • You can always reopen the PR later if needed
  • You can also add a label 'wip' to keep the PR open

Thank you for your contribution! 🙏

@github-actions github-actions bot added the stale label Dec 30, 2025
@tiulpin tiulpin added wip and removed stale labels Dec 30, 2025
@JetBrains JetBrains deleted a comment from github-actions bot Jan 15, 2026
@tiulpin tiulpin force-pushed the tv/QD-13151 branch 2 times, most recently from b50162c to 416c578 Compare January 19, 2026 16:35
@github-actions

github-actions bot commented Jan 19, 2026

Qodana for Go

1 new problem was found

Inspection name Severity Problems
Check GO source code coverage 🔶 Warning 1
@@ Code coverage @@
+ 61% total lines covered
9161 lines analyzed, 5622 lines covered
# Calculated according to the filters of your coverage tool


@avafanasiev avafanasiev requested a review from bindreams March 2, 2026 14:17