v0.1.0

First release of the buildenv retool tracked in #3.

Highlights

• Multi-stage migration complete. The legacy embedded make static flow (Docker-in-Docker docker build < /opt/Dockerfile.X.static from inside the builder image) has been removed. Active downstream consumers (substrate, connectorhub, lutherauth, ui-core, cross-department-claims-settlement, sandbox-template family) all moved to multi-stage FROM $BUILD_IMAGE Dockerfiles in lockstep PRs. Stale-pinned consumers keep working on the previous v0.0.x tags.
• GHA layer cache enabled for every image build (type=gha,mode=max, scoped per image+arch). Iterative PRs see major build-time improvements.
• Refreshed base images to currently-supported upstream tags: ubuntu 22.04 → 24.04, node bullseye → bookworm, maven 3.8.5-openjdk-8 → 3.9-eclipse-temurin-17, openjdk:19-jdk-alpine3.16 → eclipse-temurin:17-jre-jammy (multi-arch), python:3.8-alpine3.20 → python:3.11-alpine, awscli 2.25.5 → 2.34.53.
• CI hygiene: all GitHub Actions are SHA-pinned with Dependabot tracking.

What's Changed

• refactor: delete legacy static-image plumbing (phase 2 of #3) (#64) @sam-at-luther
• chore: drop vestigial multi-build-* matrix targets (phase 0 of #3) (#63) @sam-at-luther
• ci: GHA layer cache + refresh stale container bases (#57) (#62) @sam-at-luther
• Bump actions/checkout from 5.0.1 to 6.0.2 in the actions group (#61) @dependabot
• chore: SHA-pin Actions and add Dependabot config (#60) @sam-at-luther

Upgrade notes

• Downstream consumers already on multi-stage Dockerfile-go (substrate, connectorhub, lutherauth, ui-core, cross-department-claims-settlement, sandbox-template + clones): bump BUILDENV_TAG=v0.1.0. No code change needed.
• Stale consumers still relying on the embedded make static (libmxf, metrics, datadog-monitor-aggregator): stay on v0.0.98 or earlier. Migrate to multi-stage before bumping past this tag.
• Image tag scheme, multi-arch manifest naming, Docker Hub repository names: unchanged.

Full Changelog: v0.0.98...v0.1.0

v0.0.98

What's Changed

• fix: reduce CVEs in build-go-alpine and service-base-alpine (#59) @sam-at-luther

Summary

• Go 1.26.1 → 1.26.2
• Alpine 3.22 → 3.23
• golangci-lint switched from prebuilt binary to go install @v${VERSION} so it is rebuilt with the pinned Go toolchain.

Docker Scout — build-go-alpine

	Critical	High	Medium	Low	Unspec	Total
v0.0.97	1	13	25	2	1	42
v0.0.98	0	6	15	1	0	22

All 22 remaining CVEs are in Alpine 3.23 apk packages with upstream status not fixed (binutils, curl, nghttp2, unzip, git-lfs, openssh, busybox).

service-base-alpine: unchanged behaviorally; still 1 Medium busybox CVE (not fixed upstream).

Full Changelog: v0.0.97...v0.0.98

v0.0.97

What's Changed

• fix: replace BuildJet ARM runners with GitHub-hosted ARM runners by @sam-at-luther in #56
• fix: refresh container base packages by @sam-at-luther in #58

Full Changelog: v0.0.96...v0.0.97

v0.0.96

Changes

• Fix docker buildx build --load failure in build containers by reverting to docker build (#52)
• Bump Go from 1.25.1 to 1.25.8 (#53)
• Bump Alpine from 3.21 to 3.22 (required for Go 1.25.8 Docker images)

v0.0.96-SNAPSHOT.5

use root_app

v0.0.96-SNAPSHOT.4

update static file to copy uv lockfile

v0.0.96-SNAPSHOT.3

add platform flag

v0.0.96-SNAPSHOT.2

Add python build image and support multi-stage build

- Rename Dockerfile.build-python-agent.static to Dockerfile.build-python.static
- Update Dockerfile.build-python to install docker-buildx plugin
- Update Makefiles to support python build target
- Update GitHub Actions workflows to include multi-build-python image

v0.0.96-SNAPSHOT.1

Add initial python container builds

v0.0.95 - Use docker buildx instead of legacy docker build

Changes

• Replace deprecated docker build with docker buildx build --load in all build Makefiles
• Fixes deprecation warnings about legacy builder
• Updated: build-go.mk, build-java.mk, build-js.mk, build-godynamic.mk