From c7e4d8986e41c50e5dcfd3b46ba4944a2efa4cbc Mon Sep 17 00:00:00 2001
From: Atif Ali
Date: Fri, 10 Apr 2026 10:47:41 +0000
Subject: [PATCH 1/6] fix(ci): bump trivy from v0.37.1 to v0.69.3

---
.github/workflows/build.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4231f4c..59dd8fd 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -67,7 +67,7 @@ jobs:
- name: Install Trivy using install script
run: |
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.37.1
+ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.69.3
- name: Set up Depot CLI
uses: depot/setup-action@v1

From 4777d2c16a4065dec390a0995cc096364e3de691 Mon Sep 17 00:00:00 2001
From: Atif Ali
Date: Fri, 10 Apr 2026 10:57:41 +0000
Subject: [PATCH 2/6] fix(ci): remove trivy scanning

The Trivy supply-chain compromise (Feb/Mar 2026) deleted releases v0.27.0 through v0.69.1 and later published malicious binaries. Remove Trivy scanning entirely until the situation stabilizes.
---
.github/workflows/build.yaml | 23 -----------------------
1 file changed, 23 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 59dd8fd..422d3aa 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -65,10 +65,6 @@ jobs:
- name: Checkout
uses: actions/checkout@v6
- - name: Install Trivy using install script
run: |
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.69.3
-
- name: Set up Depot CLI
uses: depot/setup-action@v1
with:
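Review bot: After this hunk the build job runs with no image vulnerability scanning at all, and nothing in the workflow records that the removal is meant to be temporary, so the regression will outlive the incident unless it is tracked. The risky part was fetching the installer with `curl ... | sh` from the unpinned `main` branch of the compromised repository, not scanning itself; a safer interim is to download a specific release asset and verify it against a checksum committed in this file before running it, or to use another scanner pinned by commit SHA. If scanning must go for now, leave a marker where the step was, `# Trivy scanning removed after the 2026 release compromise — see <tracking issue> before re-enabling`, and note that `scripts/scan_images.sh` is now unreferenced by this workflow but stays in the tree (the diffstat touches only build.yaml). The next hunk also drops the `upload-sarif` step; alerts previously filed under category `trivy-ubuntu` will presumably stay open in the Security tab until something closes them, which is worth checking.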
@@ -79,25 +75,6 @@ jobs:
${{ github.workspace }}/scripts/build_images.sh \
--tag=ubuntu
- - name: Scan ubuntu images
- run: |
- ${{ github.workspace }}/scripts/scan_images.sh \
- --tag=ubuntu \
- --output-file=trivy-results-ubuntu.sarif
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v4
- with:
- sarif_file: trivy-results-ubuntu.sarif
- category: trivy-ubuntu
-
- - name: Upload Trivy scan results as an artifact
- uses: actions/upload-artifact@v6
- with:
- name: trivy-ubuntu
- path: trivy-results-ubuntu.sarif
- retention-days: 7
-
- name: Authenticate to Docker Hub
if: github.event_name != 'pull_request'
uses: docker/login-action@v3

From 6e37a9da3d7b021b7a7a664b47370d19a7512f66 Mon Sep 17 00:00:00 2001
From: Atif Ali
Date: Fri, 10 Apr 2026 11:25:20 +0000
Subject: [PATCH 3/6] fix(java): bump maven to 3.9.14, gradle to 8.14.2, use archive URL

- Switch Maven download URL from dlcdn.apache.org to archive.apache.org so pinned versions don't 404 when a new release is published.
- Bump Maven 3.9.12 -> 3.9.14 (latest stable).
- Bump Gradle 6.7 -> 8.14.2 (latest 8.x; 9.x requires Java 17+ but this image uses Java 11).
---
images/java/ubuntu.Dockerfile | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/images/java/ubuntu.Dockerfile b/images/java/ubuntu.Dockerfile
index c30d680..383ba32 100644
--- a/images/java/ubuntu.Dockerfile
+++ b/images/java/ubuntu.Dockerfile
@@ -10,15 +10,15 @@ ENV JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
ENV PATH=$PATH:$JAVA_HOME/bin
# Install Maven
-ARG MAVEN_VERSION=3.9.12
-ARG MAVEN_SHA512=0a1be79f02466533fc1a80abbef8796e4f737c46c6574ede5658b110899942a94db634477dfd3745501c80aef9aac0d4f841d38574373f7e2d24cce89d694f70
+ARG MAVEN_VERSION=3.9.14
+ARG MAVEN_SHA512=d50af8ab5e6005b46a07f0ce9d3719e67cfdf898da988a84871304cd59fb1af0fef2f99dea709e6e66f21f732f905979b5c2dce6b6860406f60a70e84d9cf0b8
ENV MAVEN_HOME=/usr/share/maven
ENV MAVEN_CONFIG="/home/coder/.m2"
RUN mkdir -p $MAVEN_HOME $MAVEN_HOME/ref \
&& echo "Downloading maven" \
- && curl -fsSL -o /tmp/apache-maven.tar.gz https://dlcdn.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
+ && curl -fsSL -o /tmp/apache-maven.tar.gz https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
&& echo "Checking downloaded file hash" \
&& echo "${MAVEN_SHA512} /tmp/apache-maven.tar.gz" | sha512sum -c - \
&& echo "Unzipping maven" \
@@ -28,8 +28,8 @@ RUN mkdir -p $MAVEN_HOME $MAVEN_HOME/ref \
&& ln -s $MAVEN_HOME/bin/mvn /usr/bin/mvn
# Install Gradle
-ENV GRADLE_VERSION=6.7
-ARG GRADLE_SHA512=d495bc65379d2a854d2cca843bd2eeb94f381e5a7dcae89e6ceb6ef4c5835524932313e7f30d7a875d5330add37a5fe23447dc3b55b4d95dffffa870c0b24493
+ENV GRADLE_VERSION=8.14.2
+ARG GRADLE_SHA512=5df80d555e5338c5e67fa3ad11ea8ec534416d3e1414675bdd33a8a8f342ca2cef1ffd882b2f283f56041f6d426adcc5d7d4384e6fbe3eb8edac2c967e9b0ffd
ENV GRADLE_HOME=/usr/bin/gradle

From 08dafe3a51625ef08a21ee923bcaeb54cfe620c1 Mon Sep 17 00:00:00 2001
From: Atif Ali
Date: Fri, 10 Apr 2026 11:29:09 +0000
Subject: [PATCH 4/6] Revert "fix(java): bump maven to 3.9.14, gradle to 8.14.2, use archive URL"

This reverts commit 6e37a9da3d7b021b7a7a664b47370d19a7512f66.
---
images/java/ubuntu.Dockerfile | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/images/java/ubuntu.Dockerfile b/images/java/ubuntu.Dockerfile
index 383ba32..c30d680 100644
--- a/images/java/ubuntu.Dockerfile
+++ b/images/java/ubuntu.Dockerfile
@@ -10,15 +10,15 @@ ENV JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
ENV PATH=$PATH:$JAVA_HOME/bin
# Install Maven
-ARG MAVEN_VERSION=3.9.14
-ARG MAVEN_SHA512=d50af8ab5e6005b46a07f0ce9d3719e67cfdf898da988a84871304cd59fb1af0fef2f99dea709e6e66f21f732f905979b5c2dce6b6860406f60a70e84d9cf0b8
+ARG MAVEN_VERSION=3.9.12
+ARG MAVEN_SHA512=0a1be79f02466533fc1a80abbef8796e4f737c46c6574ede5658b110899942a94db634477dfd3745501c80aef9aac0d4f841d38574373f7e2d24cce89d694f70
ENV MAVEN_HOME=/usr/share/maven
ENV MAVEN_CONFIG="/home/coder/.m2"
RUN mkdir -p $MAVEN_HOME $MAVEN_HOME/ref \
&& echo "Downloading maven" \
- && curl -fsSL -o /tmp/apache-maven.tar.gz https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
+ && curl -fsSL -o /tmp/apache-maven.tar.gz https://dlcdn.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
&& echo "Checking downloaded file hash" \
&& echo "${MAVEN_SHA512} /tmp/apache-maven.tar.gz" | sha512sum -c - \
&& echo "Unzipping maven" \
@@ -28,8 +28,8 @@ RUN mkdir -p $MAVEN_HOME $MAVEN_HOME/ref \
&& ln -s $MAVEN_HOME/bin/mvn /usr/bin/mvn
# Install Gradle
-ENV GRADLE_VERSION=8.14.2
-ARG GRADLE_SHA512=5df80d555e5338c5e67fa3ad11ea8ec534416d3e1414675bdd33a8a8f342ca2cef1ffd882b2f283f56041f6d426adcc5d7d4384e6fbe3eb8edac2c967e9b0ffd
+ENV GRADLE_VERSION=6.7
+ARG GRADLE_SHA512=d495bc65379d2a854d2cca843bd2eeb94f381e5a7dcae89e6ceb6ef4c5835524932313e7f30d7a875d5330add37a5fe23447dc3b55b4d95dffffa870c0b24493
ENV GRADLE_HOME=/usr/bin/gradle

From f115c8239d7d4ffc4cdea297fd1605375206fee4 Mon Sep 17 00:00:00 2001
From: Atif Ali
Date: Fri, 10 Apr 2026 11:31:57 +0000
Subject: [PATCH 5/6] fix(java): bump maven to 3.9.14, gradle to 8.14.2, use archive URL (#325)

---
images/java/ubuntu.Dockerfile | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/images/java/ubuntu.Dockerfile b/images/java/ubuntu.Dockerfile
index c30d680..383ba32 100644
--- a/images/java/ubuntu.Dockerfile
+++ b/images/java/ubuntu.Dockerfile
@@ -10,15 +10,15 @@ ENV JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
ENV PATH=$PATH:$JAVA_HOME/bin
# Install Maven
-ARG MAVEN_VERSION=3.9.12
-ARG MAVEN_SHA512=0a1be79f02466533fc1a80abbef8796e4f737c46c6574ede5658b110899942a94db634477dfd3745501c80aef9aac0d4f841d38574373f7e2d24cce89d694f70
+ARG MAVEN_VERSION=3.9.14
+ARG MAVEN_SHA512=d50af8ab5e6005b46a07f0ce9d3719e67cfdf898da988a84871304cd59fb1af0fef2f99dea709e6e66f21f732f905979b5c2dce6b6860406f60a70e84d9cf0b8
ENV MAVEN_HOME=/usr/share/maven
ENV MAVEN_CONFIG="/home/coder/.m2"
RUN mkdir -p $MAVEN_HOME $MAVEN_HOME/ref \
&& echo "Downloading maven" \
- && curl -fsSL -o /tmp/apache-maven.tar.gz https://dlcdn.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
+ && curl -fsSL -o /tmp/apache-maven.tar.gz https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
&& echo "Checking downloaded file hash" \
&& echo "${MAVEN_SHA512} /tmp/apache-maven.tar.gz" | sha512sum -c - \
&& echo "Unzipping maven" \
@@ -28,8 +28,8 @@ RUN mkdir -p $MAVEN_HOME $MAVEN_HOME/ref \
&& ln -s $MAVEN_HOME/bin/mvn /usr/bin/mvn
# Install Gradle
-ENV GRADLE_VERSION=6.7
-ARG GRADLE_SHA512=d495bc65379d2a854d2cca843bd2eeb94f381e5a7dcae89e6ceb6ef4c5835524932313e7f30d7a875d5330add37a5fe23447dc3b55b4d95dffffa870c0b24493
+ENV GRADLE_VERSION=8.14.2
+ARG GRADLE_SHA512=5df80d555e5338c5e67fa3ad11ea8ec534416d3e1414675bdd33a8a8f342ca2cef1ffd882b2f283f56041f6d426adcc5d7d4384e6fbe3eb8edac2c967e9b0ffd
ENV GRADLE_HOME=/usr/bin/gradle
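Review bot: The new `MAVEN_SHA512` and `GRADLE_SHA512` values are the only defence against a tampered tarball, yet the hunk gives no provenance for them, so a reviewer cannot distinguish a digest copied from the vendor from a digest of whatever happened to be downloaded that day; add a comment above each such as `# SHA-512 from https://archive.apache.org/dist/maven/maven-3/3.9.14/binaries/apache-maven-3.9.14-bin.tar.gz.sha512`. As far as I know Gradle publishes SHA-256 rather than SHA-512 checksums, so the Gradle value was presumably computed locally — say so, or check against the published digest instead; the line that actually verifies `GRADLE_SHA512` is outside this hunk, so I could not confirm it is checked at all. Because the Maven checksum file is served from the same host as the tarball, verifying the `.asc` signature against the Apache KEYS file would be the stronger check. `GRADLE_VERSION` is an `ENV` while `MAVEN_VERSION` is an `ARG`; unless something at runtime reads it, `ARG` keeps the build-time pin out of the image environment. The hunk context also shows `JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64`, which will not exist on the `linux/arm64` platform that `build_images.sh` still targets, if this image is built multi-arch.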
From 5611796b0c05f5bb4ac33db666edef9926ad1208 Mon Sep 17 00:00:00 2001
From: Atif Ali
Date: Fri, 10 Apr 2026 11:49:23 +0000
Subject: [PATCH 6/6] chore: drop linux/arm/v7 platform support (#326)

---
images/node/ubuntu.Dockerfile | 14 ++------------
scripts/build_images.sh | 2 +-
2 files changed, 3 insertions(+), 13 deletions(-)

diff --git a/images/node/ubuntu.Dockerfile b/images/node/ubuntu.Dockerfile
index fb79dc3..f5f44dd 100644
--- a/images/node/ubuntu.Dockerfile
+++ b/images/node/ubuntu.Dockerfile
@@ -3,18 +3,8 @@ FROM codercom/enterprise-base:ubuntu
# Run everything as root
USER root
-ARG TARGETARCH
-ARG TARGETVARIANT
-
-# Install Node.js with platform-specific version
-# armv7: Node.js 22.x (last version with armv7 support)
-# others: Latest LTS
-# Ref: https://github.com/nodesource/distributions/issues/1881
-RUN NODE_VERSION="lts"; \
- if [ "${TARGETARCH}${TARGETVARIANT}" = "armv7" ]; then \
- NODE_VERSION="22"; \
- fi && \
- curl -sL https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash - && \
+# Install Node.js (LTS)
+RUN curl -sL https://deb.nodesource.com/setup_lts.x | bash - && \
DEBIAN_FRONTEND="noninteractive" apt-get update -y && \
apt-get install -y nodejs

diff --git a/scripts/build_images.sh b/scripts/build_images.sh
index d01ded3..68812c6 100755
--- a/scripts/build_images.sh
+++ b/scripts/build_images.sh
@@ -102,7 +102,7 @@ for image in "${IMAGES[@]}"; do
continue
fi
- run_trace $DRY_RUN depot build --project "gb3p8xrshk" --load --platform linux/arm64,linux/amd64,linux/arm/v7 --save --metadata-file="build_${image}.json" \
+ run_trace $DRY_RUN depot build --project "gb3p8xrshk" --load --platform linux/amd64,linux/arm64 --save --metadata-file="build_${image}.json" \
"${docker_flags[@]}" \
"$image_dir" \
--file="$image_path" \
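Review bot: The new `RUN curl -sL https://deb.nodesource.com/setup_lts.x | bash -` executes an unpinned remote script as root with no checksum or signature check, which is the same pattern patch 2 of this series just removed for Trivy after a release compromise, and `setup_lts.x` floats, so a routine rebuild can silently switch Node major versions. `curl` is also missing `-f`, so an HTTP error body would be piped into bash instead of failing the download. NodeSource documents a manual setup that avoids running the script: import its repository key into a dedicated keyring, add a `signed-by` apt source for a pinned major, and let apt verify package signatures, as sketched below (set `NODE_MAJOR` to the current LTS line). The removed armv7 branch already pinned `22` as a major, so a build arg keeps that flexibility without the script.

```dockerfile
# Install Node.js from the NodeSource apt repository with a pinned major version.
# The signing key lives in a dedicated keyring and apt verifies every package,
# so no remote script is executed as root.
ARG NODE_MAJOR=22
RUN DEBIAN_FRONTEND="noninteractive" apt-get update -y && \
    apt-get install -y ca-certificates curl gnupg && \
    mkdir -p /etc/apt/keyrings && \
    curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
      | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" \
      > /etc/apt/sources.list.d/nodesource.list && \
    apt-get update -y && \
    apt-get install -y nodejs
```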