diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index 626eda9..d50ff70 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -4,56 +4,42 @@ on:
     branches:
       - main
   pull_request_target:
-    branches: 
+    branches:
       - main
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
        # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
-          ref: ${{github.event.pull_request.head.ref}}
-          repository: ${{github.event.pull_request.head.repo.full_name}}
           fetch-depth: 0
-      
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_READ_USER }}
           password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
-      
+
       - name: Build with Gradle
         uses: hypertrace/github-actions/gradle@main
-        with: 
+        with:
           args: dockerBuildImages
 
-      - name: Scan docker image
-        uses: azure/container-scan@v0.1
+      - name: Scan java-11 image
+        uses: hypertrace/github-actions/trivy-image-scan@main
         with:
-          image-name: hypertrace/java:11
-        env:
-          DOCKLE_HOST: "unix:///var/run/docker.sock"
-        continue-on-error: true
+          image: hypertrace/java
+          tag: 11
+          category: java-11
+          output-mode: github
 
-      - name: Scan docker image
-        uses: azure/container-scan@v0.1
+      - name: Scan java-14 image
+        uses: hypertrace/github-actions/trivy-image-scan@main
         with:
-          image-name: hypertrace/java:14
-        env:
-          DOCKLE_HOST: "unix:///var/run/docker.sock"
-        continue-on-error: true
+          image: hypertrace/java
+          tag: 14
+          category: java-14
+          output-mode: github
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a28141e..7d46509 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,44 +1,31 @@
 name: Publish artifacts
 on:
-# Will only run when release is published. 
+# Will only run when release is published.
   release:
-    types: 
+    types:
       - created
   workflow_dispatch:
 
 jobs:
   publish-artifacts:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
-            
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_READ_USER }}
           password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
 
       - name: publish docker image
         uses: hypertrace/github-actions/gradle@main
-        with: 
+        with:
           args: dockerPushImages
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKERHUB_PUBLISH_USER }}
           DOCKER_PASSWORD: ${{ secrets.DOCKERHUB_PUBLISH_TOKEN }}
-
diff --git a/java-11/Dockerfile b/java-11/Dockerfile
index 1c15ae1..97b9697 100644
--- a/java-11/Dockerfile
+++ b/java-11/Dockerfile
@@ -44,6 +44,9 @@ jdk.zipfs\
 # We extract JRE's hard dependencies, libz and SSL certs, from the fat JRE image.
 FROM gcr.io/distroless/java:11-debug AS deps
 
+FROM amd64/debian:bullseye-slim As builder
+RUN apt update && apt install -y libjemalloc-dev
+
 # Debian-11 image
 FROM gcr.io/distroless/cc:debug
 
@@ -61,6 +64,11 @@ RUN ln -s /lib/x86_64-linux-gnu/libz.so.1.2.11 /lib/x86_64-linux-gnu/libz.so.1
 COPY --from=jre /jre /usr/lib/jvm/zulu-11-amd64-slim
 RUN ln -s /usr/lib/jvm/zulu-11-amd64-slim/bin/java /usr/bin/java
 
+# change rocksdb default memory allocator
+# https://docs.confluent.io/platform/current/streams/developer-guide/memory-mgmt.html#rocksdb
+COPY --from=builder /usr/lib/x86_64-linux-gnu/libjemalloc* /usr/lib/x86_64-linux-gnu/
+ENV LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so
+
 # set JAVA_HOME
 ENV JAVA_HOME=/usr/lib/jvm/zulu-11-amd64-slim
 
diff --git a/java-11/build.gradle.kts b/java-11/build.gradle.kts
index 3ed42e0..544d4e6 100644
--- a/java-11/build.gradle.kts
+++ b/java-11/build.gradle.kts
@@ -2,7 +2,7 @@ plugins {
   id("org.hypertrace.docker-publish-plugin")
 }
 
-var javaVersion = "11.0.16.1-11.58.23"
+var javaVersion = "11.0.19-11.64.19"
 
 hypertraceDocker {
   defaultImage {