From 301c470744499c01e09a9772f5a6453ec5d230da Mon Sep 17 00:00:00 2001
From: Itai Segall <itai.segall@digitalasset.com>
Date: Fri, 22 May 2026 18:03:58 +0000
Subject: [PATCH 1/6] [ci] test da base images 1.0.7

Signed-off-by: Itai Segall <itai.segall@digitalasset.com>
---
 cluster/images/splice-app/Dockerfile | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/cluster/images/splice-app/Dockerfile b/cluster/images/splice-app/Dockerfile
index 19659a959e..6961dcfbd0 100644
--- a/cluster/images/splice-app/Dockerfile
+++ b/cluster/images/splice-app/Dockerfile
@@ -1,19 +1,7 @@
 # Copyright (c) 2024 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-# docker run --rm -it eclipse-temurin:21-jdk-noble java -version
-# openjdk version "21.0.10" 2026-01-20 LTS
-# OpenJDK 64-Bit Server VM Temurin-21.0.10+7 (build 21.0.10+7-LTS, mixed mode, sharing)
-FROM eclipse-temurin:21-jdk-noble@sha256:efec1fca48fed530d4727c1ecd9c48d955153bad24067ee43ccf55e6e0d727c7
-
-# Install:
-# - screen for running the console in a headless server
-# - tini for handling signals and reaping zombie processes
-# - libjemalloc2 for debugging memory issues
-RUN apt-get update \
-   && DEBIAN_FRONTEND=noninteractive apt-get install -y screen tini libjemalloc2 \
-   && apt-get clean \
-   && rm -rf /var/lib/apt/lists/*
+FROM europe-docker.pkg.dev/da-images/public/docker/da-base-image:full-1.0.7@sha256:fb788e6f89eb6f28cee53dfc6c707d2d39aedcbc201d5c0c416e42b3da6f4fcd
 
 # create and switch to a working directory
 RUN mkdir /app

From 33a1220d15acfa4750f42b78c9a180d471844ea9 Mon Sep 17 00:00:00 2001
From: Itai Segall <itai.segall@digitalasset.com>
Date: Fri, 22 May 2026 18:25:17 +0000
Subject: [PATCH 2/6] [ci] don't recreate dir

Signed-off-by: Itai Segall <itai.segall@digitalasset.com>
---
 cluster/images/splice-app/Dockerfile | 2 --
 1 file changed, 2 deletions(-)

diff --git a/cluster/images/splice-app/Dockerfile b/cluster/images/splice-app/Dockerfile
index 6961dcfbd0..e9c09a2f81 100644
--- a/cluster/images/splice-app/Dockerfile
+++ b/cluster/images/splice-app/Dockerfile
@@ -3,8 +3,6 @@
 
 FROM europe-docker.pkg.dev/da-images/public/docker/da-base-image:full-1.0.7@sha256:fb788e6f89eb6f28cee53dfc6c707d2d39aedcbc201d5c0c416e42b3da6f4fcd
 
-# create and switch to a working directory
-RUN mkdir /app
 WORKDIR /app
 
 # move tarball to a static name

From 9c2028eda24a36522a268c03b76b4463abc422f8 Mon Sep 17 00:00:00 2001
From: Itai Segall <itai.segall@digitalasset.com>
Date: Fri, 22 May 2026 18:34:08 +0000
Subject: [PATCH 3/6] [ci] fix it

Signed-off-by: Itai Segall <itai.segall@digitalasset.com>
---
 cluster/images/splice-app/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cluster/images/splice-app/Dockerfile b/cluster/images/splice-app/Dockerfile
index e9c09a2f81..d60eca7549 100644
--- a/cluster/images/splice-app/Dockerfile
+++ b/cluster/images/splice-app/Dockerfile
@@ -9,12 +9,12 @@ WORKDIR /app
 ADD target/splice-node.tar.gz .
 
 COPY target/storage.conf target/monitoring.conf target/parameters.conf target/entrypoint.sh target/bootstrap-entrypoint.sc target/tools.sh target/logback.xml target/LICENSE /app/
+
+USER root
 RUN mkdir -p /app/splice-node/docs/html/cn-release-bundles
 
 RUN ln -s splice-node/bin/splice-node splice-image-bin
 
-RUN addgroup --gid 1001 nonroot && adduser --uid 1001 --gid 1001 nonroot
-RUN chown -R nonroot:nonroot /app
 RUN chown nonroot:nonroot splice-image-bin
 USER nonroot
 

From d5eb833fbd5096f15449e18eeceaac3962a718b3 Mon Sep 17 00:00:00 2001
From: Itai Segall <itai.segall@digitalasset.com>
Date: Fri, 22 May 2026 20:04:47 +0000
Subject: [PATCH 4/6] [ci] use wget instead of curl for healthcheck

Signed-off-by: Itai Segall <itai.segall@digitalasset.com>
---
 cluster/images/scan-app/Dockerfile      | 2 +-
 cluster/images/sv-app/Dockerfile        | 2 +-
 cluster/images/validator-app/Dockerfile | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/cluster/images/scan-app/Dockerfile b/cluster/images/scan-app/Dockerfile
index 5425a6c732..079b8a442b 100644
--- a/cluster/images/scan-app/Dockerfile
+++ b/cluster/images/scan-app/Dockerfile
@@ -14,4 +14,4 @@ EXPOSE 10013
 COPY app.conf /app/
 
 HEALTHCHECK --start-period=10m \
-  CMD curl -f http://localhost:5012/api/scan/readyz || exit 1
+  CMD wget --no-verbose --tries=1 --spider http://localhost:5012/api/scan/readyz || exit 1
diff --git a/cluster/images/sv-app/Dockerfile b/cluster/images/sv-app/Dockerfile
index e5b92d6a22..74af45b87a 100644
--- a/cluster/images/sv-app/Dockerfile
+++ b/cluster/images/sv-app/Dockerfile
@@ -14,4 +14,4 @@ EXPOSE 10013
 COPY app.conf /app/
 
 HEALTHCHECK --start-period=10m \
-  CMD curl -f http://localhost:5014/api/sv/readyz || exit 1
+  CMD wget --no-verbose --tries=1 --spider http://localhost:5014/api/sv/readyz || exit 1
diff --git a/cluster/images/validator-app/Dockerfile b/cluster/images/validator-app/Dockerfile
index bca2fcc676..dccc221056 100644
--- a/cluster/images/validator-app/Dockerfile
+++ b/cluster/images/validator-app/Dockerfile
@@ -13,4 +13,4 @@ EXPOSE 10013
 COPY app.conf bootstrap.sc pre-bootstrap.sh /app/
 
 HEALTHCHECK --start-period=10m \
-  CMD curl -f http://localhost:5003/api/validator/readyz || exit 1
+  CMD wget --no-verbose --tries=1 --spider http://localhost:5003/api/validator/readyz || exit 1

From 10633b1e58b55499109533bb448232c2f0161bd3 Mon Sep 17 00:00:00 2001
From: Itai Segall <itai.segall@digitalasset.com>
Date: Fri, 22 May 2026 22:40:13 +0000
Subject: [PATCH 5/6] [ci] also canton images, and healthchecks in compose

Signed-off-by: Itai Segall <itai.segall@digitalasset.com>
---
 .../compose/localnet/docker/splice/health-check.sh   | 10 +++++-----
 nix/canton-sources.json                              | 12 ++++++------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/cluster/compose/localnet/docker/splice/health-check.sh b/cluster/compose/localnet/docker/splice/health-check.sh
index 99fea26089..58fe4ab3b7 100755
--- a/cluster/compose/localnet/docker/splice/health-check.sh
+++ b/cluster/compose/localnet/docker/splice/health-check.sh
@@ -5,13 +5,13 @@
 set -eou pipefail
 
 if [ "$APP_USER_PROFILE" = "on" ]; then
-  curl -f "http://localhost:2${VALIDATOR_ADMIN_API_PORT_SUFFIX}/api/validator/readyz"
+  wget --no-verbose --tries=1 --spider "http://localhost:2${VALIDATOR_ADMIN_API_PORT_SUFFIX}/api/validator/readyz"
 fi
 if [ "$APP_PROVIDER_PROFILE" = "on" ]; then
-  curl -f "http://localhost:3${VALIDATOR_ADMIN_API_PORT_SUFFIX}/api/validator/readyz"
+  wget --no-verbose --tries=1 --spider "http://localhost:3${VALIDATOR_ADMIN_API_PORT_SUFFIX}/api/validator/readyz"
 fi
 if [ "$SV_PROFILE" = "on" ]; then
-  curl -f "http://localhost:4${VALIDATOR_ADMIN_API_PORT_SUFFIX}/api/validator/readyz"
-  curl -f http://localhost:5012/api/scan/readyz
-  curl -f http://localhost:5014/api/sv/readyz
+  wget --no-verbose --tries=1 --spider "http://localhost:4${VALIDATOR_ADMIN_API_PORT_SUFFIX}/api/validator/readyz"
+  wget --no-verbose --tries=1 --spider http://localhost:5012/api/scan/readyz
+  wget --no-verbose --tries=1 --spider http://localhost:5014/api/sv/readyz
 fi
diff --git a/nix/canton-sources.json b/nix/canton-sources.json
index ae04df9028..2fbd96444c 100644
--- a/nix/canton-sources.json
+++ b/nix/canton-sources.json
@@ -1,8 +1,8 @@
 {
-  "version": "3.5.1-snapshot.20260521.18898.0.vb3ea024f",
-  "oss_sha256": "sha256:082cr8djj974zg3xvjfwkakh2860av8k2azah3bhlsnb05gscj9j",
-  "canton_base_image_sha256": "sha256:0809c7660585383bc9e64d38e990bfee96a24edaf694b30c9cdce204eb8c2e94",
-  "canton_participant_image_sha256": "sha256:861e1298014db47dedc64dee97a7ca4cf04a35fc2d7f94ad9b4edbc4856ad98a",
-  "canton_mediator_image_sha256": "sha256:33ef6caa5591b0a77ed7f074a72df18e9dd5b7a33ff44f11a37a02c2b27cdb9a",
-  "canton_sequencer_image_sha256": "sha256:189ca62c5cc0e91270681e2d2f3c82c1800356e43738835ae740b559192c6b41"
+  "version": "3.5.1-ad-hoc.20260522.18840.0.v6f301abc",
+  "oss_sha256": "sha256:0axjxnlzkzrjkg7ff5v5kwyik26h3b3ccj1h2zryhfhlsqixnyh6",
+  "canton_base_image_sha256": "sha256:16d2aa103927f03294106960b8ed6c1ac5d7341dbfb4b1309e36a2ff88895939",
+  "canton_participant_image_sha256": "sha256:8a2629141dfaa01f7898341071edb455ada8e1d134c0801f8e2e571c45b141e7",
+  "canton_mediator_image_sha256": "sha256:64a6faf90a7d7952424a57eb24ab5d2517fe7bdaf53af2ce458c71d3b92855a9",
+  "canton_sequencer_image_sha256": "sha256:284f1d9a5e73088b196f94e65df7df01b1504d70778fbe428a110e3b0aa01041"
 }

From 4282df12a98dca5c6e1a7714e0fee691aaf02de7 Mon Sep 17 00:00:00 2001
From: Itai Segall <itai.segall@digitalasset.com>
Date: Sat, 23 May 2026 01:07:54 +0000
Subject: [PATCH 6/6] [ci] bump again

Signed-off-by: Itai Segall <itai.segall@digitalasset.com>
---
 nix/canton-sources.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/nix/canton-sources.json b/nix/canton-sources.json
index 2fbd96444c..07418272e7 100644
--- a/nix/canton-sources.json
+++ b/nix/canton-sources.json
@@ -1,8 +1,8 @@
 {
-  "version": "3.5.1-ad-hoc.20260522.18840.0.v6f301abc",
-  "oss_sha256": "sha256:0axjxnlzkzrjkg7ff5v5kwyik26h3b3ccj1h2zryhfhlsqixnyh6",
-  "canton_base_image_sha256": "sha256:16d2aa103927f03294106960b8ed6c1ac5d7341dbfb4b1309e36a2ff88895939",
-  "canton_participant_image_sha256": "sha256:8a2629141dfaa01f7898341071edb455ada8e1d134c0801f8e2e571c45b141e7",
-  "canton_mediator_image_sha256": "sha256:64a6faf90a7d7952424a57eb24ab5d2517fe7bdaf53af2ce458c71d3b92855a9",
-  "canton_sequencer_image_sha256": "sha256:284f1d9a5e73088b196f94e65df7df01b1504d70778fbe428a110e3b0aa01041"
+  "version": "3.5.1-ad-hoc.20260522.18905.0.vb3babac7",
+  "oss_sha256": "sha256:0qk05lng56qflijmbi91cnsimlwbz61p7mjxyrrp8s52k96s51ah",
+  "canton_base_image_sha256": "sha256:9230d06014e1c0ab9b8f6fb49d113fba6dcc58f34ccf726260383bfe49213ef1",
+  "canton_participant_image_sha256": "sha256:e72672331f8b196f3fa15cf7fff6f45b7d872242e5ed355d7e6a3d9978b90554",
+  "canton_mediator_image_sha256": "sha256:461bad73151b319f9103b68d813cfad7dcd0e14f2143ad146a2b5e85ca8516c9",
+  "canton_sequencer_image_sha256": "sha256:c48589e0c353bc74addbb751acec648458175eedbc10ccce6804fbdb6b522f1a"
 }