ci: updates to latest docker scripts

.github/deploy-template.yml

@@ -17,20 +17,21 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-20.04  # newest available distribution, aka focal
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ./m2repository  # Shared with the Docker build context via .dockerignore
           key: ${{ runner.os }}-{{VERSION}}-maven-${{ hashFiles('parent-pom.xml', '{{VERSION}}/pom.xml') }}
           restore-keys: ${{ runner.os }}-{{VERSION}}-maven-
-      # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker
-      # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway.
+      # Don't attempt to cache Docker. Sensitive information can be stolen
+      # via forks, and login session ends up in ~/.docker. This is ok because
+      # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner.
       - name: Deploy {{VERSION}}
         env:
           # GH_USER=<user that created GH_TOKEN>

.github/test-template.yml

@@ -16,20 +16,21 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-20.04  # newest available distribution, aka focal
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ./m2repository  # Shared with the Docker build context via .dockerignore
           key: ${{ runner.os }}-{{VERSION}}-maven-${{ hashFiles('parent-pom.xml', '{{VERSION}}/pom.xml') }}
           restore-keys: ${{ runner.os }}-{{VERSION}}-maven-
-      # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker
-      # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway.
+      # Don't attempt to cache Docker. Sensitive information can be stolen
+      # via forks, and login session ends up in ~/.docker. This is ok because
+      # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner.
       - name: Test {{VERSION}}
         run: |
           build-bin/configure_test {{VERSION}} &&

.github/workflows/deploy-armeria-kafka.yml

@@ -17,20 +17,21 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-20.04  # newest available distribution, aka focal
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ./m2repository  # Shared with the Docker build context via .dockerignore
           key: ${{ runner.os }}-armeria-kafka-maven-${{ hashFiles('parent-pom.xml', 'armeria-kafka/pom.xml') }}
           restore-keys: ${{ runner.os }}-armeria-kafka-maven-
-      # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker
-      # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway.
+      # Don't attempt to cache Docker. Sensitive information can be stolen
+      # via forks, and login session ends up in ~/.docker. This is ok because
+      # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner.
       - name: Deploy armeria-kafka
         env:
           # GH_USER=<user that created GH_TOKEN>

.github/workflows/deploy-armeria.yml

@@ -17,20 +17,21 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-20.04  # newest available distribution, aka focal
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ./m2repository  # Shared with the Docker build context via .dockerignore
           key: ${{ runner.os }}-armeria-maven-${{ hashFiles('parent-pom.xml', 'armeria/pom.xml') }}
           restore-keys: ${{ runner.os }}-armeria-maven-
-      # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker
-      # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway.
+      # Don't attempt to cache Docker. Sensitive information can be stolen
+      # via forks, and login session ends up in ~/.docker. This is ok because
+      # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner.
       - name: Deploy armeria
         env:
           # GH_USER=<user that created GH_TOKEN>

.github/workflows/deploy-dropwizard.yml

@@ -17,20 +17,21 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-20.04  # newest available distribution, aka focal
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ./m2repository  # Shared with the Docker build context via .dockerignore
           key: ${{ runner.os }}-dropwizard-maven-${{ hashFiles('parent-pom.xml', 'dropwizard/pom.xml') }}
           restore-keys: ${{ runner.os }}-dropwizard-maven-
-      # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker
-      # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway.
+      # Don't attempt to cache Docker. Sensitive information can be stolen
+      # via forks, and login session ends up in ~/.docker. This is ok because
+      # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner.
       - name: Deploy dropwizard
         env:
           # GH_USER=<user that created GH_TOKEN>

.github/workflows/deploy-jersey2-cassandra3.yml

@@ -17,20 +17,21 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-20.04  # newest available distribution, aka focal
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ./m2repository  # Shared with the Docker build context via .dockerignore
           key: ${{ runner.os }}-jersey2-cassandra3-maven-${{ hashFiles('parent-pom.xml', 'jersey2-cassandra3/pom.xml') }}
           restore-keys: ${{ runner.os }}-jersey2-cassandra3-maven-
-      # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker
-      # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway.
+      # Don't attempt to cache Docker. Sensitive information can be stolen
+      # via forks, and login session ends up in ~/.docker. This is ok because
+      # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner.
       - name: Deploy jersey2-cassandra3
         env:
           # GH_USER=<user that created GH_TOKEN>

.github/workflows/deploy-netty4-grpc.yml

@@ -17,20 +17,21 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-20.04  # newest available distribution, aka focal
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ./m2repository  # Shared with the Docker build context via .dockerignore
           key: ${{ runner.os }}-netty4-grpc-maven-${{ hashFiles('parent-pom.xml', 'netty4-grpc/pom.xml') }}
           restore-keys: ${{ runner.os }}-netty4-grpc-maven-
-      # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker
-      # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway.
+      # Don't attempt to cache Docker. Sensitive information can be stolen
+      # via forks, and login session ends up in ~/.docker. This is ok because
+      # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner.
       - name: Deploy netty4-grpc
         env:
           # GH_USER=<user that created GH_TOKEN>

.github/workflows/deploy-ratpack.yml

@@ -17,20 +17,21 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-20.04  # newest available distribution, aka focal
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ./m2repository  # Shared with the Docker build context via .dockerignore
           key: ${{ runner.os }}-ratpack-maven-${{ hashFiles('parent-pom.xml', 'ratpack/pom.xml') }}
           restore-keys: ${{ runner.os }}-ratpack-maven-
-      # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker
-      # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway.
+      # Don't attempt to cache Docker. Sensitive information can be stolen
+      # via forks, and login session ends up in ~/.docker. This is ok because
+      # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner.
       - name: Deploy ratpack
         env:
           # GH_USER=<user that created GH_TOKEN>

.github/workflows/deploy-webflux5-sleuth.yml

@@ -17,20 +17,21 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-20.04  # newest available distribution, aka focal
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ./m2repository  # Shared with the Docker build context via .dockerignore
           key: ${{ runner.os }}-webflux5-sleuth-maven-${{ hashFiles('parent-pom.xml', 'webflux5-sleuth/pom.xml') }}
           restore-keys: ${{ runner.os }}-webflux5-sleuth-maven-
-      # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker
-      # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway.
+      # Don't attempt to cache Docker. Sensitive information can be stolen
+      # via forks, and login session ends up in ~/.docker. This is ok because
+      # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner.
       - name: Deploy webflux5-sleuth
         env:
           # GH_USER=<user that created GH_TOKEN>

.github/workflows/deploy-webmvc25-jetty.yml

@@ -17,20 +17,21 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-20.04  # newest available distribution, aka focal
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ./m2repository  # Shared with the Docker build context via .dockerignore
           key: ${{ runner.os }}-webmvc25-jetty-maven-${{ hashFiles('parent-pom.xml', 'webmvc25-jetty/pom.xml') }}
           restore-keys: ${{ runner.os }}-webmvc25-jetty-maven-
-      # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker
-      # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway.
+      # Don't attempt to cache Docker. Sensitive information can be stolen
+      # via forks, and login session ends up in ~/.docker. This is ok because
+      # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner.
       - name: Deploy webmvc25-jetty
         env:
           # GH_USER=<user that created GH_TOKEN>

.github/workflows/deploy-webmvc3-jetty.yml

@@ -17,20 +17,21 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-20.04  # newest available distribution, aka focal
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ./m2repository  # Shared with the Docker build context via .dockerignore
           key: ${{ runner.os }}-webmvc3-jetty-maven-${{ hashFiles('parent-pom.xml', 'webmvc3-jetty/pom.xml') }}
           restore-keys: ${{ runner.os }}-webmvc3-jetty-maven-
-      # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker
-      # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway.
+      # Don't attempt to cache Docker. Sensitive information can be stolen
+      # via forks, and login session ends up in ~/.docker. This is ok because
+      # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner.
       - name: Deploy webmvc3-jetty
         env:
           # GH_USER=<user that created GH_TOKEN>

.github/workflows/deploy-webmvc4-boot.yml

@@ -17,20 +17,21 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-20.04  # newest available distribution, aka focal
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ./m2repository  # Shared with the Docker build context via .dockerignore
           key: ${{ runner.os }}-webmvc4-boot-maven-${{ hashFiles('parent-pom.xml', 'webmvc4-boot/pom.xml') }}
           restore-keys: ${{ runner.os }}-webmvc4-boot-maven-
-      # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker
-      # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway.
+      # Don't attempt to cache Docker. Sensitive information can be stolen
+      # via forks, and login session ends up in ~/.docker. This is ok because
+      # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner.
       - name: Deploy webmvc4-boot
         env:
           # GH_USER=<user that created GH_TOKEN>

.github/workflows/deploy-webmvc4-jetty.yml

@@ -17,20 +17,21 @@ on:
 
 jobs:
   deploy:
-    runs-on: ubuntu-20.04  # newest available distribution, aka focal
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ./m2repository  # Shared with the Docker build context via .dockerignore
           key: ${{ runner.os }}-webmvc4-jetty-maven-${{ hashFiles('parent-pom.xml', 'webmvc4-jetty/pom.xml') }}
           restore-keys: ${{ runner.os }}-webmvc4-jetty-maven-
-      # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker
-      # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway.
+      # Don't attempt to cache Docker. Sensitive information can be stolen
+      # via forks, and login session ends up in ~/.docker. This is ok because
+      # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner.
       - name: Deploy webmvc4-jetty
         env:
           # GH_USER=<user that created GH_TOKEN>

.github/workflows/test-armeria-kafka.yml

@@ -16,20 +16,21 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-20.04  # newest available distribution, aka focal
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ./m2repository  # Shared with the Docker build context via .dockerignore
           key: ${{ runner.os }}-armeria-kafka-maven-${{ hashFiles('parent-pom.xml', 'armeria-kafka/pom.xml') }}
           restore-keys: ${{ runner.os }}-armeria-kafka-maven-
-      # We can't cache Docker without using buildx because GH actions restricts /var/lib/docker
-      # That's ok because DOCKER_PARENT_IMAGE is always ghcr.io and local anyway.
+      # Don't attempt to cache Docker. Sensitive information can be stolen
+      # via forks, and login session ends up in ~/.docker. This is ok because
+      # we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner.
       - name: Test armeria-kafka
         run: |
           build-bin/configure_test armeria-kafka &&