├── VERSION ├── .gitignore ├── .github ├── CODEOWNERS ├── FUNDING.yml ├── dependabot.yml ├── CONTRIBUTING.md ├── stale.yml └── workflows │ ├── codeql.yml │ ├── checksrc.yml │ ├── build_master_multi.yml │ ├── build_master.yml │ ├── build_ci_multi.yml │ ├── build_master_dev.yml │ └── build_latest_release_multi.yml ├── cosign.pub ├── etc └── entrypoint.sh ├── dev-compose.yml ├── tests ├── test.feature ├── steps │ └── features.py └── test_image.sh ├── Containerfile ├── SECURITY.md ├── LICENSE ├── create_multi.sh ├── create_appliance_image.sh ├── adrs └── 01-design.md ├── create_dev_image.sh ├── CHANGELOG.md ├── create_base_image.sh ├── README.md └── Makefile /VERSION: -------------------------------------------------------------------------------- 1 | 8.17.0 -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | venv 3 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2023 James Fuller, , et al. 2 | # 3 | # SPDX-License-Identifier: curl 4 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2023 James Fuller, , et al. 
2 | # 3 | # SPDX-License-Identifier: curl-container 4 | 5 | github: curl 6 | open_collective: curl 7 | -------------------------------------------------------------------------------- /cosign.pub: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwFTRXl79xRiAFa5ZX4aZ7Vkdqmji 3 | 5WY0zqc3bd6B08CsNftlYsu2gAqdWm0IlzoQpi2Zi5C437RTg/DgLQ6Bkg== 4 | -----END PUBLIC KEY----- 5 | -------------------------------------------------------------------------------- /etc/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Copyright (C) 2023 James Fuller, , et al. 4 | # 5 | # SPDX-License-Identifier: MIT 6 | # 7 | 8 | set -e 9 | 10 | if [ "${1#-}" != "${1}" ] || [ -z "$(command -v "${1}")" ]; then 11 | set -- curl "$@" 12 | fi 13 | 14 | exec "$@" 15 | -------------------------------------------------------------------------------- /dev-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | buildah-service: 5 | container_name: buildah-service 6 | build: 7 | context: . 
8 | dockerfile: Containerfile 9 | image: buildah-service 10 | privileged: true 11 | stdin_open: true 12 | tty: true 13 | environment: 14 | DEBUG: 1 15 | volumes: 16 | - $HOME/src/curl-container:/opt/app-root/src 17 | - $HOME/src/curl:/opt/app-root/curl 18 | -------------------------------------------------------------------------------- /tests/test.feature: -------------------------------------------------------------------------------- 1 | Feature: curl-images 2 | 3 | Scenario: Run curl images 4 | 5 | Given running > podman run -it localhost/curl:master -V 6 | 7 | Given running > podman run -it localhost/curl-dev:master curl -V 8 | 9 | Given running > podman run -it localhost/curl-base:master curl -V 10 | 11 | Given running > podman run -it localhost/curl-multi:master -V 12 | 13 | Given running > podman run -it localhost/curl-base-multi:master curl -V 14 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # Copyright (C) Viktor Szakats. See LICENSE.md 2 | # SPDX-License-Identifier: MIT 3 | 4 | # https://docs.github.com/code-security/dependabot/working-with-dependabot/dependabot-options-reference 5 | 6 | version: 2 7 | updates: 8 | - package-ecosystem: 'github-actions' 9 | directory: '/' 10 | schedule: 11 | interval: 'monthly' 12 | cooldown: 13 | default-days: 7 14 | groups: 15 | gha-dependencies: 16 | patterns: 17 | - '*' 18 | commit-message: 19 | prefix: 'GHA:' 20 | -------------------------------------------------------------------------------- /Containerfile: -------------------------------------------------------------------------------- 1 | ############################################################### 2 | # 3 | # Copyright (C) 2023 James Fuller, , et al. 
4 | # 5 | # SPDX-License-Identifier: curl-container 6 | ############################################################### 7 | # 8 | # used as dev environment for curl-container 9 | # 10 | # 11 | 12 | from quay.io/buildah/stable:latest 13 | 14 | RUN dnf --nodocs --setopt install_weak_deps=false -y install less git make podman qemu qemu-user-static buildah clamav clamav-freshclam 15 | 16 | WORKDIR /opt/app-root/src/ 17 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | 5 | # Security Policy 6 | 7 | See curl's 8 | [VULN-DISCLOSURE-POLICY.md](https://github.com/curl/curl/blob/master/docs/VULN-DISCLOSURE-POLICY.md) 9 | for full details. 10 | 11 | ## Reporting a Vulnerability 12 | 13 | If you have found or just suspect a security problem somewhere in curl, 14 | report it on [https://hackerone.com/curl](https://hackerone.com/curl). 15 | 16 | We treat security issues with confidentiality until controlled and disclosed responsibly. 17 | -------------------------------------------------------------------------------- /.github/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | 6 | 7 | How to contribute to curl 8 | ========================= 9 | 10 | Join the community 11 | ------------------ 12 | 13 | 1. Click 'watch' on the GitHub repo 14 | 15 | 2. Subscribe to the suitable [mailing lists](https://curl.se/mail/) 16 | 17 | Read [CONTRIBUTE](../docs/CONTRIBUTE.md) 18 | --------------------------------------- 19 | 20 | Send your suggestions using one of these methods: 21 | ------------------------------------------------- 22 | 23 | 1. in a mail to the mailing list 24 | 25 | 2. as a [pull request](https://github.com/curl/curl-container/pulls) 26 | 27 | 3. as an [issue](https://github.com/curl/curl-container/issues) 28 | 29 | / The curl-container team! 
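
--------------------------------------------------------------------------------
/tests/steps/features.py:
--------------------------------------------------------------------------------
import json
import re
import subprocess

from behave import given, then


def cleanup_output(data):
    """Strip ANSI escape sequences (e.g. colour codes) from *data* and return the result."""
    ansi_escape = re.compile(r"\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])")
    return ansi_escape.sub("", data)


def _run_podman(cmd):
    """Run *cmd* (an argv list) and fail the step if it exits non-zero.

    stdout and stderr are captured; on failure they are included in the
    assertion message (ANSI sequences stripped) so the CI log shows why the
    image could not be started instead of a bare AssertionError.
    Returns the CompletedProcess for callers that want the output.
    """
    p = subprocess.run(cmd, capture_output=True, text=True)
    assert p.returncode == 0, (
        f"{' '.join(cmd)} exited {p.returncode}\n"
        f"stdout: {cleanup_output(p.stdout)}\n"
        f"stderr: {cleanup_output(p.stderr)}"
    )
    return p


@given(u'running > podman run -it {image} curl -V')
def invoke_podman_image_vflag(context, image):
    """Step variant that names the curl binary explicitly inside *image*."""
    _run_podman(f"podman run -it {image} curl -V".split())


@given(u'running > podman run -it {image} -V')
def invoke_podman_image(context, image):
    """Step variant that passes only `-V`, relying on the image's entrypoint."""
    _run_podman(f"podman run -it {image} -V".split())

--------------------------------------------------------------------------------
/.github/stale.yml:
--------------------------------------------------------------------------------
# Copyright (C) 2023 James Fuller, , et al.
#
# SPDX-License-Identifier: curl-container

# Number of days of inactivity before an issue becomes stale
daysUntilStale: 180
# Number of days of inactivity before a stale issue is closed
daysUntilClose: 14
# Issues with these labels will never be considered stale
exemptLabels:
  - pinned
  - security
# Label to use when marking an issue as stale
staleLabel: stale
# Comment to post when marking an issue as stale. Set to `false` to disable
markComment: >
  This issue has been automatically marked as stale because it has not had
  recent activity. It will be closed if no further activity occurs. Thank you
  for your contributions.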
20 | # Comment to post when closing a stale issue. Set to `false` to disable 21 | closeComment: false 22 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 James Fuller 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
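
--------------------------------------------------------------------------------
/.github/workflows/codeql.yml:
--------------------------------------------------------------------------------
name: 'CodeQL'

'on':
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  schedule:
    - cron: '0 0 * * 4'

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

permissions: {}

jobs:
  gha_python:
    if: ${{ github.repository_owner == 'curl' || github.event_name != 'schedule' }}
    name: 'GHA and Python'
    runs-on: ubuntu-latest
    permissions:
      security-events: write # To create/update security events
    steps:
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          persist-credentials: false

      - name: 'initialize'
        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
          languages: actions, python
          queries: security-extended

      - name: 'perform analysis'
        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2

--------------------------------------------------------------------------------
/tests/test_image.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
###############################################################
#
# Copyright (C) 2023 James Fuller, , et al.
#
# SPDX-License-Identifier: curl-container
###############################################################
#
# Smoke-test a built curl image: mount it with buildah, check that the curl
# binary, the libcurl shared object and its two symlinks are present, then
# run `curl -V` inside the container.
#
# ex.
# > test_image.sh {dist} {branch or tag}
#
# Exits non-zero on the first missing artifact or failing command, so a CI
# job that calls this script cannot report success for a broken image.
#
# Copyright (C) 2023 James Fuller, , et al.
#
# SPDX-License-Identifier: curl-container

set -euo pipefail

echo "####### testing curl dev image."

# get invoke opts
dist=${1:-}
branch_or_tag=${2:-}

# must match SO_NAME in create_base_image.sh
so_name="libcurl.so.4.8.0"

# create and mount image
ctr=$(buildah from "${dist}:${branch_or_tag}")
ctrmnt=$(buildah mount "$ctr")

# unmount the working container on exit, even when a check below fails
trap 'buildah unmount "$ctr" >/dev/null 2>&1 || true' EXIT

failed=0

# check file exists
for f in "/usr/bin/curl" "/usr/lib/${so_name}"; do
  if [[ ! -f "${ctrmnt}${f}" ]]; then
    echo "${f} does not exist."
    failed=1
  fi
done

# check symlink exists and is not broken.
# create_base_image.sh creates these links with absolute targets, so the
# target has to be resolved under the mount point, not against the host root
# (a plain -e on the link would follow it into the host filesystem).
for l in "/usr/lib/libcurl.so.4" "/usr/lib/libcurl.so"; do
  p="${ctrmnt}${l}"
  if [[ ! -L "$p" ]]; then
    echo "${l} symlink does not exist or is broken."
    failed=1
    continue
  fi
  target=$(readlink "$p")
  case $target in
    /*) target="${ctrmnt}${target}" ;;
    *)  target="$(dirname "$p")/${target}" ;;
  esac
  if [[ ! -e "$target" ]]; then
    echo "${l} symlink does not exist or is broken."
    failed=1
  fi
done

if [[ $failed -ne 0 ]]; then
  echo "####### image ${dist}:${branch_or_tag} is missing curl artifacts."
  exit 1
fi

# test running curl (with set -e a non-zero exit fails the script)
buildah run "$ctr" /usr/bin/curl -V

--------------------------------------------------------------------------------
/create_multi.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
###############################################################
#
# Copyright (C) 2023 James Fuller, , et al.
#
# SPDX-License-Identifier: curl-container
###############################################################
#
# Create a multi arch image
# ex.
# > create_multi.sh {base} {compiler} {dev_deps} {base_deps} {build_opts} {branch or ref} {release_tag}
#
# For every supported platform this builds, in order, the dev image
# (create_dev_image.sh), the base image (create_base_image.sh) and the
# appliance image (create_appliance_image.sh), then adds the base and
# appliance images to the curl-base-multi / curl-multi manifests.
#
# Any failing step aborts the whole run so that a manifest is never
# completed with an architecture missing.

set -euo pipefail

# get invoke opts
base=${1:-}
compiler=${2:-}
dev_deps=${3:-}
base_deps=${4:-}
build_opts=${5:-}
branch_or_ref=${6:-}
release_tag=${7:-}

echo "####### creating curl multi image."

buildah manifest create "curl-base-multi:${release_tag}"
buildah manifest create "curl-multi:${release_tag}"

# loop through supported arches
for IMGTAG in "linux/386" "linux/arm/v7" "linux/amd64" "linux/arm64" "linux/ppc64le" ; do
  # e.g. linux/arm/v7 -> linux-arm-v7, used in the per-arch image names
  pathname="${IMGTAG////-}"
  echo "building $IMGTAG : $pathname"
  # trailing 0: the curl test suite is not run for the per-arch dev images
  ./create_dev_image.sh "$IMGTAG" "${base}" "${compiler}" "$dev_deps" "$build_opts" "${branch_or_ref}" "curl-dev-${pathname}:${release_tag}" 0
  ./create_base_image.sh "$IMGTAG" "${base}" "localhost/curl-dev-${pathname}:${release_tag}" "$base_deps" "curl-base-${pathname}:${release_tag}" "${release_tag}"
  buildah manifest add "curl-base-multi:${release_tag}" "localhost/curl-base-${pathname}:${release_tag}"
  ./create_appliance_image.sh "$IMGTAG" "localhost/curl-base-${pathname}:${release_tag}" "curl-${pathname}:${release_tag}" "${release_tag}"
  buildah manifest add "curl-multi:${release_tag}" "localhost/curl-${pathname}:${release_tag}"
done

--------------------------------------------------------------------------------
/.github/workflows/checksrc.yml:
--------------------------------------------------------------------------------
# Copyright (C) Daniel Stenberg, , et al.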
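#
# SPDX-License-Identifier: curl

name: 'Source'

'on':
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

permissions: {}

jobs:
  linters:
    name: 'spellcheck, linters'
    runs-on: ubuntu-latest
    steps:
      - name: 'install prereqs'
        run: /home/linuxbrew/.linuxbrew/bin/brew install actionlint zizmor typos-cli

      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          persist-credentials: false

      - name: 'zizmor GHA'
        env:
          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
        run: |
          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
          zizmor --pedantic .github/workflows/*.yml

      - name: 'actionlint'
        run: |
          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
          export SHELLCHECK_OPTS='--exclude=1090,1091 --enable=avoid-nullary-conditions,deprecate-which'
          actionlint --version
          actionlint .github/workflows/*.yml

      - name: 'typos'
        run: |
          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
          typos --version
          typos

--------------------------------------------------------------------------------
/create_appliance_image.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
###############################################################
#
# Copyright (C) 2023 James Fuller, , et al.
#
# SPDX-License-Identifier: curl-container
###############################################################
#
# Create the curl 'appliance' image: a thin layer over a curl-base image
# that only sets labels, the unprivileged user and the working directory.
# The curl binary, libcurl and /entrypoint.sh all come from the base image.
#
# ex.
# > create_appliance_image.sh {arch} {base image} {resultant_image_name} {release_tag}
#
# (four positional parameters; see the call in create_multi.sh)

set -euo pipefail

# name of the published appliance image, used only for the docker.cmd label;
# may be overridden by setting IMAGE_NAME_DEFAULT in the environment
IMAGE_NAME_DEFAULT=${IMAGE_NAME_DEFAULT:-curl}

echo "####### creating curl image."

# get invoke opts
platform=${1:-}
dist=${2:-}
image_name=${3:-}
release_tag=${4:-}

if [[ -n $platform ]]; then
  echo "creating with platform=${platform}"
  ctr=$(buildah --platform "${platform}" from "${dist}")
else
  echo "creating ..."
  ctr=$(buildah from "${dist}")
fi

# label/env
buildah config --label maintainer="James Fuller " "$ctr"
buildah config --label name="${image_name}" "$ctr"
buildah config --label version="${release_tag}" "$ctr"
buildah config --label docker.cmd="podman run -it quay.io/curl/${IMAGE_NAME_DEFAULT}:${release_tag}" "$ctr"

# assumes base image has setup curl_user (create_base_image.sh adds it)
buildah config --user curl_user "$ctr"

# label image
buildah config --label org.opencontainers.image.source="https://github.com/curl/curl-container" "$ctr"
buildah config --label org.opencontainers.image.description="minimal image for curl" "$ctr"
buildah config --label org.opencontainers.image.licenses="MIT" "$ctr"

# set working directory
buildah config --workingdir /home/curl_user "$ctr"

# commit image
buildah commit "$ctr" "${image_name}" # --disable-compression false --squash --sign-by --tls-verify

--------------------------------------------------------------------------------
/adrs/01-design.md:
--------------------------------------------------------------------------------
# 1. CLI design

Date: 2023-05-28

## Status

Final

## Context

Building official curl images was previously achieved via https://github.com/curl/curl-docker. This set of Makefile and
scripts are adhoc, hard to maintain and makes it difficult to extend and/or create new image variations.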
13 | 14 | Goals of a new approach should be: 15 | 16 | * clear demarcation between builder, base and appliance image 17 | * provision of multi arch for base and appliance images 18 | * enable signing/verifying of images 19 | * enable easily pushing to multiple registries 20 | * better testing 21 | * all builds and releases should be side effect of CI job 22 | 23 | One other goal is to ensure this infrastructure is not overly dependent on any specific features of any OCI implementation. 24 | 25 | ## Container Build Design 26 | 27 | Using [buildah](https://buildah.io/), we can create reusable and parameterised set of scripts building a hierarchy of 28 | container images. 29 | 30 | ```commandline 31 | +- dev image: instant development image. 32 | | +- base image: curl base image to be used in docker inheritance. 33 | | | +- curl image: curl 'appliance' image. 34 | ``` 35 | 36 | Where the dev image can be used as an 'instant' development environment for building curl. The base image is intended 37 | for inheritance and the curl image itself is an 'appliance' image. 38 | 39 | Publish to github registry: 40 | * curl-container/curl:master: The curl 'appliance' image. 41 | * curl-container/curl/curl-base:master: Base image for curl. 42 | * curl-container/curl/curl-dev:master: Development image for curl. 43 | * curl-container/curl/curl-multi:master: multi arch curl image. 44 | * curl-container/curl/curl-base-multi:master: multi arch curl-base image. 45 | 46 | With the official images distributed via [Quay.io](https://quay.io/repository/curl/curl) and [hub.docker.com](https://hub.docker.com/repository/docker/curlimages/curl): 47 | * curl:{release} = multi arch curl 'appliance' image 48 | * curl-base:{release} = multi arch curl-base image 49 | 50 | 51 | ## Decision(s) 52 | 53 | Create a new github repo - [curl/curl-container](https://github.com/curl/curl-container) and deprecate the old one ([curl/curl-docker](https://github.com/curl/curl-docker)). 
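
All commits to this new repo require raising of a PR, review and signed commits.

Design and create container image build process using [buildah](https://buildah.io/).

Add CHANGELOG.md and automated release process based on tag.

Use [sigstore](https://www.sigstore.dev/) for signing and verifying of all images generated by this process

Ensure both podman and docker work equally well.

Enhance testing

## Consequences

We could keep the status quo (eg. ugly bash/makefile) though it is hard to maintain... also current release process is completely
opaque and non automated.

We could have opted for other container build frameworks/language or other adjuncts (ex. [skopeo](https://github.com/containers/skopeo)) ...
buildah seemed to have the right set of features and mature ... perhaps in the future we will have even more choices.

Presumably we could have gone full 'code as infrastructure' and invoke buildah programmatically ... opted for shell scripts
for simplicity.

--------------------------------------------------------------------------------
/create_dev_image.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
###############################################################
#
# Copyright (C) 2023 James Fuller, , et al.
#
# SPDX-License-Identifier: curl-container
###############################################################
#
# Create a dev image: a {base image} with {deps} installed, the curl source
# for {branch or tag} fetched into /src and built, and the result installed
# under /build (create_base_image.sh copies the artifacts from there).
#
# ex.
# > create_dev_image.sh {arch} {base image} {compiler} {deps} {build_opts} {branch or tag} {resultant_image_name} {run_tests}
#
# A {branch or tag} starting with "curl" is treated as a release tag
# (e.g. curl-8_17_0), anything else as a branch of curl/curl. The dotted
# version used in the release tarball name is taken from the release_tag
# environment variable when set, otherwise derived from the tag
# (curl-8_17_0 -> 8.17.0).

set -euo pipefail

echo "####### creating curl dev image."

# get invoke opts
platform=${1:-}
dist=${2:-}
compiler_deps=${3:-}   # accepted for interface compatibility; not used below
deps=${4:-}
build_opts=${5:-}
branch_or_tag=${6:-}
image_name=${7:-}
run_tests=${8:-0}

# set base and platform
if [[ -n $platform ]]; then
  echo "creating with platform=${platform}"
  bdr=$(buildah --platform "${platform}" from "${dist}")
else
  echo "creating ..."
  bdr=$(buildah from "${dist}")
fi

# label/env
buildah config --label maintainer="James Fuller " "$bdr"
buildah config --label name="${image_name}" "$bdr"

# determine dist package manager
package_manage_update=""
package_manage_add=""
if [[ "$dist" =~ .*"alpine".* ]]; then
  package_manage_update="apk upgrade"
  package_manage_add="apk add "
fi
if [[ "$dist" =~ .*"fedora".* ]]; then
  package_manage_update="dnf -y upgrade"
  package_manage_add="dnf -y install"
fi
if [[ "$dist" =~ .*"debian".* ]]; then
  package_manage_update="apt-get update"
  package_manage_add="apt-get -y install "
fi
if [[ -z $package_manage_add ]]; then
  echo "unsupported base image '${dist}': expected an alpine, fedora or debian image." >&2
  exit 1
fi

# install deps using specific dist package manager
# (intentionally unquoted: both variables hold space separated word lists)
buildah run "$bdr" ${package_manage_update}
buildah run "$bdr" ${package_manage_add} ${deps}

# setup curl source derived from branch or tag
echo "get curl source"
buildah run "$bdr" mkdir /src
if [ "${branch_or_tag:0:4}" = "curl" ]; then
  # its a tag, retrieve release source
  if [[ -z ${release_tag:-} ]]; then
    release_tag="${branch_or_tag#curl-}"
    release_tag="${release_tag//_/.}"
  fi
  # the tarball is fetched over TLS; there is no separate signature or
  # checksum verification here (-f turns an HTTP error into a build failure
  # instead of an HTML page saved as curl.tar.gz)
  buildah run "$bdr" /usr/bin/curl -fL -o curl.tar.gz "https://github.com/curl/curl/releases/download/${branch_or_tag}/curl-${release_tag}.tar.gz"
  buildah run "$bdr" tar -xvf curl.tar.gz
  buildah run "$bdr" rm curl.tar.gz
  buildah run "$bdr" mv "curl-${release_tag}" "/src/curl-${release_tag}"
  buildah config --workingdir "/src/curl-${release_tag}" "$bdr"
else
  # its a branch, retrieve archive source
  buildah run "$bdr" /usr/bin/curl -fL -o curl.tar.gz "https://github.com/curl/curl/archive/refs/heads/${branch_or_tag}.tar.gz"
  buildah run "$bdr" tar -xvf curl.tar.gz
  buildah run "$bdr" rm curl.tar.gz
  buildah run "$bdr" mv "curl-${branch_or_tag}" "/src/curl-${branch_or_tag}"
  buildah config --workingdir "/src/curl-${branch_or_tag}" "$bdr"
fi

# build curl (runs in the working directory set above)
buildah run "$bdr" autoreconf -fi
# build_opts is intentionally unquoted: it is a list of configure flags
buildah run "$bdr" ./configure --disable-dependency-tracking ${build_opts}
buildah run "$bdr" make -j"$(nproc)"

# run tests
if [[ $run_tests -eq 1 ]]; then
  buildah run "$bdr" make test
fi

# install curl in /build
buildah run "$bdr" make DESTDIR="/build/" install -j"$(nproc)"

# label image
buildah config --label org.opencontainers.image.source="https://github.com/curl/curl-container" "$bdr"
buildah config --label org.opencontainers.image.description="minimal dev image for curl" "$bdr"
buildah config --label org.opencontainers.image.licenses="MIT" "$bdr"

# commit image
buildah commit "$bdr" "${image_name}" # --disable-compression false --squash --sign-by --tls-verify

--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
Changelog
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).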
6 | 7 | ## Unreleased 8 | 9 | ## [8.17.0] - 2025-11-05 10 | ### Changed 11 | - bump to curl 8.17.0 12 | - bump to alpine 3.22.2 13 | 14 | ## [8.16.0] - 2025-09-12 15 | ### Changed 16 | - bump to curl 8.16.0 17 | 18 | ## [8.15.0] - 2025-07-16 19 | ### Changed 20 | - bump to curl 8.15.0 21 | - bump to alpine 3.22.1 22 | 23 | ## [8.14.1] - 2025-06-15 24 | ### Changed 25 | - bump to curl 8.14.1 26 | - bump to alpine 3.22.0 27 | 28 | ## [8.13.0] - 2025-04-05 29 | ### Changed 30 | - bump to curl 8.13.0 31 | - bump to alpine 3.21.3 32 | 33 | ## [8.12.1] - 2025-02-13 34 | ### Changed 35 | - bump to curl 8.12.1 36 | 37 | ## [8.12.0] - 2025-02-05 38 | ### Changed 39 | - bump to curl 8.12.0 40 | - bump to alpine 3.21.2 41 | 42 | ## [8.11.1] - 2024-12-11 43 | ### Changed 44 | - bump to curl 8.11.1 45 | - bump to alpine 3.21.0 46 | 47 | ## [8.11.0] - 2024-11-06 48 | ### Changed 49 | - bump to curl 8.11.0 50 | 51 | ## [8.10.1] - 2024-09-18 52 | ### Changed 53 | - bump to curl 8.10.1 54 | 55 | ## [8.10.0] - 2024-09-11 56 | ### Changed 57 | - bump to curl 8.10.0 58 | - bump to alpine 3.20.3 59 | 60 | ## [8.9.1] - 2024-07-30 61 | ### Changed 62 | - bump to curl 8.9.1 63 | 64 | ## [8.9.0] - 2024-07-24 65 | ### Changed 66 | - bump to curl 8.9.0 67 | - bump to alpine 3.20.2 68 | 69 | ## [8.8.0] - 2024-05-22 70 | ### Changed 71 | - bump to curl 8.8.0 72 | 73 | ## [8.7.1] - 2024-03-27 74 | ### Changed 75 | - bump to curl 8.7.1 76 | 77 | ## [8.6.0] - 2024-01-31 78 | ### Changed 79 | - bump to curl 8.6.0 80 | - bump to alpine 3.19.1 81 | 82 | ## [8.5.0-1] - 2023-01-19 83 | ### Changed 84 | - add libpsl 85 | - bump to alpine 3.19.0 86 | 87 | ## [8.5.0] - 2023-12-06 88 | ### Changed 89 | - bump to curl 8.5.0 90 | - bump to alpine 3.18.5 91 | 92 | ## [8.4.0] - 2023-10-11 93 | ### Changed 94 | - bump to curl 8.4.0 95 | - bump to alpine 3.18.4 96 | - build enabled --with-gssapi 97 | 98 | ## [8.3.1] - 2023-09-13 99 | ### Changed 100 | - bump to curl 8.3.0 101 | - bump to alpine 3.18.3 102 | 103 
| ## [8.2.1] - 2023-07-26 104 | ### Changed 105 | - bump to curl 8.2.1 106 | 107 | ## [8.2.0] - 2023-07-19 108 | ### Changed 109 | - bump to curl 8.2.0 110 | - bump to alpine 3.18.2 111 | 112 | ## [8.1.2-5] - 2023-06-14 113 | ### Changed 114 | - added clamav and grype to security scan 115 | - added user working directory 116 | - skimmed apk cache 117 | - added back arches (arm64, etc) by fixing issue #3 118 | 119 | ## [8.1.2-4] - 2023-06-08 120 | ### Changed 121 | - fixed issue #12 by using oci format when pushing manifests V2s2 122 | 123 | ## [8.1.2-3] - 2023-06-08 124 | ### Changed 125 | - fixed issue #12 by using oci format when pushing manifests V2s1 126 | - fix entrypoint perms 127 | 128 | ## [8.1.2-2] - 2023-06-08 129 | ### Added 130 | - curl-dev-fedora:master 131 | - curl-dev-debian:master 132 | ### Changed 133 | - fixed issue #12 by using oci format when pushing manifests 134 | - reduce cron CI jobs to daily 135 | - temporarily remove arm64 arch from multiarch builds 136 | 137 | ## [8.1.2-1] - 2023-06-07 138 | ### Changed 139 | - fixed and enhanced CI jobs 140 | - fixed quay creds 141 | 142 | ## [8.1.2] - 2023-06-06 143 | ### Added 144 | - created [curl-container repo](https://github.com/curl/curl-container/pull/1) 145 | ### Changed 146 | - generate [curl:8.1.2 release](https://github.com/curl/curl/releases/tag/curl-8_1_2) images on [alpine 3.18.0](https://alpinelinux.org/posts/Alpine-3.18.0-released.html) 147 | -------------------------------------------------------------------------------- /.github/workflows/build_master_multi.yml: -------------------------------------------------------------------------------- 1 | name: build_master_multi_images 2 | 3 | 'on': 4 | schedule: 5 | - cron: '30 2 * * *' 6 | push: 7 | branches: 8 | - main 9 | 10 | concurrency: 11 | group: ${{ github.workflow }}-${{ github.sha }} 12 | cancel-in-progress: true 13 | 14 | permissions: {} 15 | 16 | jobs: 17 | build_multi_master: 18 | if: ${{ github.repository_owner == 'curl' || 
github.event_name != 'schedule' }} 19 | name: 'build_multi_master' 20 | runs-on: 'ubuntu-latest' 21 | permissions: 22 | packages: write # To create/update container on ghcr.io 23 | steps: 24 | - name: 'login ghcr.io' 25 | uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 26 | with: 27 | username: '${{ github.actor }}' 28 | password: '${{ secrets.GITHUB_TOKEN }}' 29 | registry: 'ghcr.io/${{ github.repository_owner }}' 30 | - name: 'login docker hub' 31 | env: 32 | DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' 33 | DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' 34 | run: | 35 | echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io 36 | echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin 37 | - name: 'login quay.io' 38 | env: 39 | QUAY_USER: '${{ secrets.QUAY_USER }}' 40 | QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' 41 | run: | 42 | echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io 43 | echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io 44 | - name: 'install dev deps' 45 | run: | 46 | sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list 47 | sudo apt-get -o Dpkg::Use-Pty=0 update 48 | sudo rm -f /var/lib/man-db/auto-update 49 | sudo apt-get -o Dpkg::Use-Pty=0 install -y \ 50 | qemu-user-static buildah less git make podman clamav clamav-freshclam 51 | - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 52 | with: 53 | persist-credentials: false 54 | ref: 'main' 55 | - name: 'build multi image' 56 | run: buildah unshare make branch_or_ref=master release_tag=master multibuild 57 | - name: 'test image' 58 | run: buildah unshare make dist_name=localhost/curl-multi release_tag=master test 59 | - name: 'install scan prereqs' 60 | run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy 61 | - name: 'security scan image' 62 | run: | 63 | eval "$(/home/linuxbrew/.linuxbrew/bin/brew 
shellenv)" 64 | make image_name=localhost/curl-multi:master scan 65 | - name: 'push multi images to github registry' 66 | run: | 67 | buildah manifest push --all --format v2s2 localhost/curl-base-multi:master "docker://ghcr.io/curl/curl-container/curl-base-multi:master" 68 | buildah manifest push --all --format v2s2 localhost/curl-multi:master "docker://ghcr.io/curl/curl-container/curl-multi:master" 69 | - name: 'install Cosign' 70 | uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 71 | - name: 'sign image with a key' 72 | env: 73 | COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}' 74 | COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' 75 | run: | 76 | echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl-multi:master 77 | echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl-base-multi:master 78 | - name: 'verify image with public key' 79 | run: | 80 | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:master 81 | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base-multi:master 82 | -------------------------------------------------------------------------------- /create_base_image.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | ############################################################### 3 | # 4 | # Copyright (C) 2023 James Fuller, , et al. 5 | # 6 | # SPDX-License-Identifier: curl-container 7 | ############################################################### 8 | # 9 | # 10 | # base images for reuse 11 | # 12 | # 13 | # 14 | # ex. 15 | # > create_base_image.sh {arch} {dist} {builder image} {deps} {resultant_image_name} {release_tag} 16 | # 17 | # 18 | echo "####### creating curl base image." 
19 | set -e # abort on the first failing command: without this a failed package install, artifact copy or CA-bundle download still ends in a committed image 20 | # set default (will rarely change) 21 | SO_NAME="libcurl.so.4.8.0" 22 | 23 | # get invoke opts 24 | platform=${1} 25 | dist=${2} 26 | builder_dist=${3} 27 | deps=${4} 28 | image_name=${5} 29 | release_tag=${6} 30 | 31 | # set base and platform 32 | if [[ -n $platform ]]; then 33 | echo "creating with platform=${platform}" 34 | ctr=$(buildah --platform ${platform} from ${dist}) 35 | else 36 | echo "creating ..." 37 | ctr=$(buildah from ${dist}) 38 | fi 39 | ctrmnt=$(buildah mount $ctr) 40 | 41 | # label/env 42 | buildah config --label maintainer="James Fuller " $ctr 43 | buildah config --label name="${image_name}" $ctr 44 | buildah config --label version="${release_tag}" $ctr 45 | buildah config --label docker.cmd="podman run -it quay.io/curl/${IMAGE_NAME_DEFAULT}:${release_tag}" $ctr 46 | 47 | # determine dist package manager 48 | # NOTE(review): only the alpine branch is functional. The fedora/debian strings below are not valid dnf/apt invocations and the script also relies on busybox addgroup/adduser, so this script supports alpine bases only (which is all the Makefile passes in). 49 | if [[ "$dist" =~ .*"alpine".* ]]; then 50 | package_manage_update="apk upgrade --no-cache" 51 | package_manage_add="apk add --no-cache " 52 | fi 53 | if [[ "$dist" =~ .*"fedora".* ]]; then 54 | package_manage_update="dnf update upgrade" 55 | package_manage_add="dnf add" 56 | fi 57 | if [[ "$dist" =~ .*"debian".* ]]; then 58 | package_manage_update="deb update upgrade" 59 | package_manage_add="deb add" 60 | fi 61 | 62 | # deps 63 | buildah run $ctr ${package_manage_update} 64 | buildah run $ctr ${package_manage_add} ${deps} 65 | 66 | # mount dev image containing build artifacts 67 | if [[ -n $platform ]]; then 68 | echo "creating with platform=${platform}" 69 | bdr=$(buildah --platform ${platform} from ${builder_dist}) 70 | else 71 | echo "creating ..." 72 | bdr=$(buildah from ${builder_dist}) 73 | fi 74 | bdrmnt=$(buildah mount $bdr) 75 | 76 | # copy build artifacts 77 | cp $bdrmnt/build/usr/local/bin/curl $ctrmnt/usr/bin/curl 78 | cp -r $bdrmnt/build/usr/local/include/curl $ctrmnt/usr/include/curl 79 | cp -r $bdrmnt/build/usr/local/lib/* $ctrmnt/usr/lib/. 
79 | 80 | # link 81 | # guard: if the dev image produced a different libcurl soname the symlinks below would silently dangle 82 | [ -e "${ctrmnt}/usr/lib/${SO_NAME}" ] || { echo "${SO_NAME} not found in image /usr/lib; update SO_NAME" >&2; exit 1; } 83 | buildah run $ctr rm /usr/lib/libcurl.so.4 /usr/lib/libcurl.so 84 | buildah run $ctr ln -s /usr/lib/${SO_NAME} /usr/lib/libcurl.so.4 85 | buildah run $ctr ln -s /usr/lib/libcurl.so.4 /usr/lib/libcurl.so 86 | 87 | # set ca bundle 88 | # --fail keeps an HTTP error page from being committed as the CA bundle; --proto/--proto-redir '=https' refuse a downgrade on redirect. 89 | # The .sha256 published next to the bundle is checked as well: it catches a truncated or corrupted download, not a compromised origin. 90 | buildah run $ctr curl -fsSL --proto '=https' --proto-redir '=https' https://curl.se/ca/cacert.pem -o /cacert.pem 91 | buildah run $ctr curl -fsSL --proto '=https' --proto-redir '=https' https://curl.se/ca/cacert.pem.sha256 -o /cacert.pem.sha256 92 | buildah run $ctr sh -c 'cd / && [ "$(sha256sum cacert.pem | cut -d" " -f1)" = "$(cut -d" " -f1 cacert.pem.sha256)" ]' || { echo "cacert.pem checksum mismatch" >&2; exit 1; } 93 | buildah run $ctr rm /cacert.pem.sha256 94 | buildah config --env CURL_CA_BUNDLE="/cacert.pem" $ctr 95 | 96 | # setup curl_group and curl_user though it is not used directly in this image 97 | buildah run $ctr addgroup -S curl_group 98 | buildah run $ctr adduser -S curl_user -G curl_group 99 | 100 | # set entrypoint 101 | buildah config --cmd curl $ctr 102 | # left root-owned (buildah copy default) so the unprivileged curl_user cannot rewrite the entrypoint; 0755 is all it needs to be executable by any uid 103 | buildah copy --chmod 755 $ctr etc/entrypoint.sh /entrypoint.sh 104 | #buildah run $ctr run chgrp -R 0 /entrypoint.sh 105 | #buildah run $ctr run chmod -R g+rwX /entrypoint.sh 106 | 107 | buildah config --entrypoint '["/entrypoint.sh"]' $ctr 108 | 109 | # label image 110 | buildah config --label org.opencontainers.image.source="https://github.com/curl/curl-container" $ctr 111 | buildah config --label org.opencontainers.image.description="minimal base image for curl" $ctr 112 | buildah config --label org.opencontainers.image.licenses="MIT" $ctr 113 | 114 | # set working directory 115 | buildah config --workingdir /home/curl_user $ctr 116 | 117 | # commit image 118 | buildah commit $ctr "${image_name}" # --disable-compression false --squash --sign-by --tls-verify 119 | -------------------------------------------------------------------------------- /.github/workflows/build_master.yml: -------------------------------------------------------------------------------- 1 | name: build_master_images 2 | 3 | 'on': 4 | schedule: 5 | - cron: '30 2 * * *' 6 | push: 7 | branches: 8 | - main 9 | 10 | concurrency: 11 | group: ${{ github.workflow }}-${{ github.sha }} 12 | cancel-in-progress: true 13 | 14 | permissions: {} 15 | 16 | jobs: 17 | build_master: 18 | if: ${{ github.repository_owner == 'curl' || github.event_name != 
'schedule' }} 19 | name: 'build_master' 20 | runs-on: 'ubuntu-latest' 21 | permissions: 22 | packages: write # To create/update container on ghcr.io 23 | steps: 24 | - name: 'login ghcr.io' 25 | uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 26 | with: 27 | username: '${{ github.actor }}' 28 | password: '${{ secrets.GITHUB_TOKEN }}' 29 | registry: 'ghcr.io/${{ github.repository_owner }}' 30 | - name: 'login docker hub' 31 | env: 32 | DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' 33 | DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' 34 | run: | 35 | echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io 36 | echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin 37 | - name: 'login quay.io' 38 | env: 39 | QUAY_USER: '${{ secrets.QUAY_USER }}' 40 | QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' 41 | run: | 42 | echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io 43 | echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io 44 | - name: 'install dev deps' 45 | run: | 46 | sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list 47 | sudo apt-get -o Dpkg::Use-Pty=0 update 48 | sudo rm -f /var/lib/man-db/auto-update 49 | sudo apt-get -o Dpkg::Use-Pty=0 install -y \ 50 | qemu-user-static buildah less git make podman clamav clamav-freshclam 51 | - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 52 | with: 53 | persist-credentials: false 54 | ref: 'main' 55 | - name: 'build master images' 56 | run: buildah unshare make branch_or_ref=master release_tag=master build_ref_images 57 | - name: 'test image' 58 | run: buildah unshare make dist_name=localhost/curl release_tag=master test 59 | - name: 'install scan prereqs' 60 | run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy 61 | - name: 'security scan image' 62 | run: | 63 | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" 64 | make 
image_name=localhost/curl:master scan 65 | - name: 'push images to github registry' 66 | run: | 67 | buildah push curl-dev:master "docker://ghcr.io/curl/curl-container/curl-dev:master" 68 | buildah push curl-base:master "docker://ghcr.io/curl/curl-container/curl-base:master" 69 | buildah push curl:master "docker://ghcr.io/curl/curl-container/curl:master" 70 | - name: 'install Cosign' 71 | uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 72 | - name: 'sign image with a key' 73 | env: 74 | COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}' 75 | COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' 76 | run: | 77 | echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl-dev:master 78 | echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl-base:master 79 | echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl:master 80 | - name: 'verify image with public key' 81 | run: | 82 | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev:master 83 | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base:master 84 | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl:master 85 | -------------------------------------------------------------------------------- /.github/workflows/build_ci_multi.yml: -------------------------------------------------------------------------------- 1 | name: build_ci_multi_images 2 | 3 | 'on': 4 | pull_request: 5 | types: [opened, synchronize, reopened, labeled, unlabeled] 6 | branches: 7 | - main 8 | 9 | concurrency: 10 | group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} 11 | cancel-in-progress: true 12 | 13 | permissions: {} 14 | 15 | jobs: 16 | verify_secrets_ghcr: 17 | name: 'Verify credentials' 18 | runs-on: 'ubuntu-latest' 19 | steps: 20 | # upside: it logs out and aims to delete creds ~/.docker/config.json 21 | # 
downside: extra dependency, uses -p instead of --password-stdin 22 | - name: 'login ghcr.io (actor, via action)' 23 | uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 24 | with: 25 | username: '${{ github.actor }}' 26 | password: '${{ secrets.GITHUB_TOKEN }}' 27 | registry: 'ghcr.io/${{ github.repository_owner }}' 28 | 29 | - name: 'login ghcr.io (actor, direct)' 30 | env: 31 | REGISTRY_USER: '${{ github.actor }}' 32 | REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}' 33 | run: | 34 | podman --version 35 | echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "ghcr.io/${GITHUB_REPOSITORY_OWNER}" 36 | docker --version 37 | echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "ghcr.io/${GITHUB_REPOSITORY_OWNER}" 38 | 39 | - name: 'login ghcr.io (repo owner, direct)' 40 | env: 41 | REGISTRY_USER: '${{ github.repository_owner }}' 42 | REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}' 43 | IMAGE_REGISTRY: 'ghcr.io/${{ github.repository_owner }}' 44 | run: | 45 | podman --version 46 | echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}" 47 | docker --version 48 | echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}" 49 | 50 | verify_secrets_registries: 51 | name: 'Verify credentials (docker hub, quay)' 52 | runs-on: 'ubuntu-latest' 53 | if: ${{ github.secret_source == 'Actions' }} 54 | steps: 55 | - name: 'login docker hub' 56 | env: 57 | DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' 58 | DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' 59 | run: | 60 | echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io 61 | echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin 62 | 63 | - name: 'login quay.io' 64 | env: 65 | QUAY_USER: '${{ secrets.QUAY_USER }}' 66 | QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' 67 | run: | 68 | echo "${QUAY_TOKEN}" | 
podman login -u "${QUAY_USER}" --password-stdin quay.io 69 | echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io 70 | 71 | build_multi_ci: 72 | name: 'build_multi_ci' 73 | runs-on: 'ubuntu-latest' 74 | steps: 75 | - name: 'install dev deps' 76 | run: | 77 | sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list 78 | sudo apt-get -o Dpkg::Use-Pty=0 update 79 | sudo rm -f /var/lib/man-db/auto-update 80 | sudo apt-get -o Dpkg::Use-Pty=0 install -y \ 81 | qemu-user-static buildah less git make podman clamav clamav-freshclam 82 | 83 | - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 84 | with: 85 | persist-credentials: false 86 | - name: 'build multi image' 87 | run: buildah unshare make branch_or_ref=master release_tag=master multibuild 88 | - name: 'test image' 89 | run: buildah unshare make dist_name=localhost/curl-multi release_tag=master test 90 | - name: 'install scan prereqs' 91 | run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy 92 | - name: 'security scan image' 93 | run: | 94 | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" 95 | make image_name=localhost/curl-multi:master scan 96 | -------------------------------------------------------------------------------- /.github/workflows/build_master_dev.yml: -------------------------------------------------------------------------------- 1 | name: build_dev_master_images 2 | 3 | 'on': 4 | schedule: 5 | # Runs every day 6 | - cron: '30 2 * * *' 7 | push: 8 | branches: 9 | - main 10 | 11 | concurrency: 12 | group: ${{ github.workflow }}-${{ github.sha }} 13 | cancel-in-progress: true 14 | 15 | permissions: {} 16 | 17 | jobs: 18 | build_dev_master: 19 | if: ${{ github.repository_owner == 'curl' || github.event_name != 'schedule' }} 20 | name: 'build_dev_master' 21 | runs-on: 'ubuntu-latest' 22 | permissions: 23 | packages: write # To create/update container on ghcr.io 24 | steps: 25 | - name: 'login ghcr.io' 26 | uses: 
redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 27 | with: 28 | username: '${{ github.actor }}' 29 | password: '${{ secrets.GITHUB_TOKEN }}' 30 | registry: 'ghcr.io/${{ github.repository_owner }}' 31 | - name: 'login docker hub' 32 | env: 33 | DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' 34 | DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' 35 | run: | 36 | echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io 37 | echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin 38 | - name: 'login quay.io' 39 | env: 40 | QUAY_USER: '${{ secrets.QUAY_USER }}' 41 | QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' 42 | run: | 43 | echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io 44 | echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io 45 | - name: 'install dev deps' 46 | run: | 47 | sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list 48 | sudo apt-get -o Dpkg::Use-Pty=0 update 49 | sudo rm -f /var/lib/man-db/auto-update 50 | sudo apt-get -o Dpkg::Use-Pty=0 install -y \ 51 | qemu-user-static buildah less git make podman clamav clamav-freshclam 52 | - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 53 | with: 54 | persist-credentials: false 55 | ref: 'main' 56 | - name: 'build debian dev image' 57 | run: buildah unshare make branch_or_ref=master release_tag=master build_debian 58 | - name: 'install scan prereqs' 59 | run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy 60 | - name: 'security scan image' 61 | run: | 62 | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" 63 | make image_name=localhost/curl-dev-debian:master scan 64 | - name: 'push images to github registry' 65 | run: | 66 | buildah push curl-dev-debian:master "docker://ghcr.io/curl/curl-container/curl-dev-debian:master" 67 | - name: 'install Cosign' 68 | uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad 
# v4.0.0 69 | - name: 'sign image with a key' 70 | env: 71 | COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} 72 | COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' 73 | run: | 74 | echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl-dev-debian:master 75 | - name: 'verify image with public key' 76 | run: | 77 | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-debian:master 78 | - name: 'build fedora dev image' 79 | run: buildah unshare make branch_or_ref=master release_tag=master build_fedora 80 | - name: 'security scan image' 81 | run: | 82 | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" 83 | make image_name=localhost/curl-dev-fedora:master scan 84 | - name: 'push images to github registry' 85 | run: | 86 | buildah push curl-dev-fedora:master "docker://ghcr.io/curl/curl-container/curl-dev-fedora:master" 87 | - name: 'sign image with a key' 88 | env: 89 | COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}' 90 | COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' 91 | run: | 92 | echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin ghcr.io/curl/curl-container/curl-dev-fedora:master 93 | - name: 'verify image with public key' 94 | run: | 95 | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-fedora:master 96 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Curl Container 2 | 3 | [![build_master_multi_images](https://github.com/curl/curl-container/actions/workflows/build_master_multi.yml/badge.svg)](https://github.com/curl/curl-container/actions/workflows/build_master_multi.yml) 4 | [![build_latest_release_multi_images](https://github.com/curl/curl-container/actions/workflows/build_latest_release_multi.yml/badge.svg)](https://github.com/curl/curl-container/actions/workflows/build_latest_release_multi.yml) 5 | 6 | This repository 
contains infrastructure/code that generates, tests and distributes the Official curl docker images 7 | available from the following registries: 8 | * [quay.io](https://quay.io/curl/curl): curl images distributed by Quay.io 9 | * [docker.io](https://hub.docker.com/r/curlimages/curl): curl images distributed by docker.io 10 | * [github packages](https://github.com/orgs/curl/packages): development curl images 11 | 12 | To pull an image: 13 | ``` 14 | > podman pull quay.io/curl/curl:latest 15 | ``` 16 | To run an image: 17 | ``` 18 | > podman run -it quay.io/curl/curl:latest -V 19 | ``` 20 | 21 | To use the base image (in anything you deploy, pin a release tag or the image digest rather than `latest`): 22 | ``` 23 | from quay.io/curl/curl-base:latest 24 | RUN apk add jq 25 | ``` 26 | 27 | ## Known limitations 28 | 29 | - **IPv6 is supported**, however Docker/Podman do not enable it by default. 30 | IPv6 must be enabled at the network level within Docker/Podman. 31 | 32 | ## How to verify images 33 | 34 | To list the signatures attached to a curl image, use [sigstore](https://sigstore.dev) `cosign tree`: 35 | ```commandline 36 | > cosign tree ghcr.io/curl/curl-container/curl:master 37 | ``` 38 | Images are signed with the private key matching this [public key](https://github.com/curl/curl-container/blob/main/cosign.pub). Take the key from this repository, not from the registry you are verifying against: anyone able to replace the image there could also replace a key served alongside it. 39 | ```commandline 40 | -----BEGIN PUBLIC KEY----- 41 | MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwFTRXl79xRiAFa5ZX4aZ7Vkdqmji 42 | 5WY0zqc3bd6B08CsNftlYsu2gAqdWm0IlzoQpi2Zi5C437RTg/DgLQ6Bkg== 43 | -----END PUBLIC KEY----- 44 | ``` 45 | Verify an image against [cosign.pub](cosign.pub) with [sigstore](https://sigstore.dev) `cosign verify`; the command exits non-zero unless the image carries a valid signature by that key, and its output names the image digest the signature is bound to, which is the value to pin when deploying: 46 | ``` 47 | > cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl:master 48 | ``` 49 | 50 | ## Contact 51 | 52 | If you have problems, questions, ideas or suggestions, please [raise an issue](https://github.com/curl/curl-container/issues) or contact the [curl-container team](mailto:curl-container@curl.se) 53 | or [Jim Fuller](mailto:jim.fuller@webcomposite.com) directly. 
54 | 55 | ## Development curl images 56 | 57 | The following images are available via [github packages](https://github.com/orgs/curl/packages). 58 | 59 | Master branch built regularly: 60 | * **curl-dev:master** - curl-dev **master** branch 61 | * **curl-base:master** - curl-base **master** branch 62 | * **curl:master** - curl **master** branch 63 | * **curl-multi:master** - curl multiarch **master** branch 64 | * **curl-base-multi:master** - curl-base multiarch **master** branch 65 | 66 | A set of special case images built regularly: 67 | * **curl-exp:master** - curl **master** branch built enabling experimental features 68 | 69 | Platform specific dev images built daily: 70 | * **curl-dev:master** - alpine based development environment 71 | * **curl-dev-debian:master** - debian based development environment 72 | * **curl-dev-fedora:master** - fedora based development environment 73 | 74 | To use any of these development images; 75 | ``` 76 | > podman run -it -v /Users/exampleuser/src/curl:/src/curl ghcr.io/curl/curl-container/curl-dev-debian:master zsh 77 | > ./buildconf 78 | > ./configure 79 | > make 80 | ``` 81 | 82 | **Note**- dev images are not specifically scanned for vulnerabilities and we currently _pin_ to latest which 83 | always has vulns ... **use at your own risk**. Perhaps we could consider _pinning_ to a later 'vintage'. 84 | 85 | ## Dependencies 86 | 87 | Either of the following are required to use images: 88 | * [podman](https://podman.io/getting-started/) 89 | * [docker](https://docs.docker.com/get-docker/) 90 | 91 | The following are required to build or release images: 92 | * [buildah](https://buildah.io/): used for composing dev/build images 93 | * [qemu-user-static](https://github.com/multiarch/qemu-user-static): used for building multiarch images 94 | 95 | ## Release 96 | 97 | Curl images roughly match curl own release schedule, though we may release multiple versions 98 | of the same curl version. In that instance we append a number (ex. 
8.1.2-1) though do not rev 99 | the version number used in registries. 100 | 101 | The release process is as follows: 102 | 103 | * create new branch (ex. v8.1.2) 104 | * update [VERSION](https://github.com/curl/curl-container/blob/main/VERSION) to match curl version 105 | * update [CHANGELOG.md](https://github.com/curl/curl-container/blob/main/CHANGELOG.md) 106 | * raise prep PR, review and merge 107 | * create [new release](https://github.com/curl/curl-container/releases/new) with new tag ( ex. 8.1.2 ) based on previously created branch 108 | * new tag will trigger CI for publishing to quay/docker 109 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | .DEFAULT_GOAL := all 2 | 3 | container_ids=`buildah ls --format "{{.ContainerID}}"` 4 | 5 | # default settings for official curl images 6 | debian_base=docker.io/debian 7 | fedora_base=docker.io/fedora 8 | base=docker.io/alpine:3.22.2 9 | arch="" 10 | compiler="gcc" 11 | build_opts=" --enable-static --disable-ldap --enable-ipv6 --enable-unix-sockets -with-ssl --with-libssh2 --with-nghttp2=/usr --with-gssapi" 12 | dev_deps="git zsh libssh2 libssh2-dev libssh2-static autoconf automake build-base groff openssl curl-dev python3 python3-dev libtool curl stunnel perl nghttp2 brotli brotli-dev krb5-dev libpsl-dev zstd" 13 | base_deps="brotli brotli-dev libssh2 nghttp2-dev libidn2 krb5 libpsl zstd" 14 | 15 | ############################################## 16 | # debian dev image 17 | ############################################## 18 | # 19 | # > make branch_or_ref=master release_tag=master build_debian 20 | # 21 | build_debian: 22 | ./create_dev_image.sh ${arch} ${debian_base} ${compiler} "git zsh libssh2-1 libssh2-1-dev autoconf automake build-essential groff libcurl4-openssl-dev python3 python3-dev libtool curl stunnel perl nghttp2 brotli libssl-dev libpsl-dev" " --enable-ipv6 
--enable-unix-sockets -with-ssl --with-libssh2 --with-nghttp2=/usr" ${branch_or_ref} curl-dev-debian:${release_tag} 23 | 24 | ############################################## 25 | # fedora dev image 26 | ############################################## 27 | # 28 | # > make branch_or_ref=master release_tag=master build_fedora 29 | # 30 | build_fedora: 31 | ./create_dev_image.sh ${arch} ${fedora_base} ${compiler} "gcc cargo zsh git openssl-devel python3 python3-devel python3-pip libtool curl stunnel perl nghttp2 brotli libpsl-devel" " --enable-ipv6 --enable-unix-sockets -with-ssl --with-libssh2 --with-nghttp2=/usr" ${branch_or_ref} curl-dev-fedora:${release_tag} 32 | 33 | ############################################## 34 | # build_alpine dev, base and appliance image 35 | ############################################## 36 | # 37 | # > make branch_or_ref=master release_tag=master run_tests=1 build_arm64 38 | # 39 | build_arm64: 40 | ./create_dev_image.sh "arm64" ${base} ${compiler} ${dev_deps} ${build_opts} ${branch_or_ref} curl-dev-linux-arm64:${release_tag} ${run_tests} 41 | # ./create_base_image.sh "linux/arm64" ${base} localhost/curl-dev-linux-arm64:${release_tag} ${base_deps} curl-base-linux-arm64:${release_tag} ${release_tag} 42 | # ./create_appliance_image.sh "linux/arm64" localhost/curl-base-linux-arm64:${release_tag} curl-linux-arm64:${release_tag} ${release_tag} 43 | 44 | ############################################## 45 | # build_alpine dev, base and appliance image 46 | ############################################## 47 | # 48 | # > make branch_or_ref=master release_tag=master run_tests=1 build_alpine 49 | # 50 | build_alpine: 51 | ./create_dev_image.sh ${arch} ${base} ${compiler} ${dev_deps} ${build_opts} ${branch_or_ref} curl-dev:${release_tag} ${run_tests} 52 | ./create_base_image.sh ${arch} ${base} localhost/curl-dev:${release_tag} ${base_deps} curl-base:${release_tag} ${release_tag} 53 | ./create_appliance_image.sh ${arch} localhost/curl-base:${release_tag} 
curl:${release_tag} ${release_tag} 54 | 55 | build_ref_images: build_alpine 56 | 57 | ############################# 58 | # test 59 | ############################# 60 | # 61 | # > make dist_name=curl release_tag=master test 62 | # 63 | test: 64 | tests/test_image.sh ${dist_name} ${release_tag} 65 | 66 | 67 | ############################# 68 | # feature test 69 | ############################# 70 | # 71 | # Runs nascent behave feature tests 72 | # 73 | # > make feature-test 74 | # 75 | feature-test: 76 | behave tests 77 | 78 | ############################# 79 | # scan 80 | ############################# 81 | # 82 | # Runs clamav, grype and trivy against image 83 | # 84 | # > make image_name=localhost/curl:master scan 85 | # 86 | # Only clamscan's exit status can fail this target: grype and trivy run without 87 | # --fail-on / --exit-code, so their findings are reported but do not gate the build. 88 | # 89 | # Requires: grype trivy 90 | # 91 | # One way to install them (note: piping a remote script into sh/sudo runs unverified code as root; 92 | # prefer a pinned release artifact with its checksum verified - the CI workflows install them through brew instead): 93 | # curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin 94 | # curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo bash -s -- -b /usr/local/bin v0.32.0 95 | # 96 | scan: 97 | podman save -o image.tar ${image_name} 98 | # Run clamav on image.tar 99 | # freshclam 100 | clamscan image.tar 101 | # run grype on image.tar 102 | grype --version 103 | grype image.tar 104 | # run trivy on image.tar 105 | # best-effort: trivy reads the tarball via --input, so a missing podman socket must not fail the scan ("|| true"; the previous "| true" only succeeded by accident through the pipeline's exit status) 106 | systemctl --user enable --now podman.socket || true 107 | trivy --version 108 | trivy image --input image.tar 109 | rm image.tar 110 | 111 | 112 | ############################# 113 | # multibuild 114 | ############################# 115 | # 116 | # 117 | # > make branch_or_ref=master release_tag=master multibuild 118 | # 119 | multibuild: 120 | ./create_multi.sh ${base} ${compiler} ${dev_deps} ${base_deps} ${build_opts} ${branch_or_ref} ${release_tag} 121 | 122 | ############################# 123 | # utilities 124 | ############################# 125 | # 126 | # 127 | clean: 128 | buildah rm $(container_ids) 129 | dev: 130 | podman-compose -f dev-compose.yml up 131 | 
-------------------------------------------------------------------------------- /.github/workflows/build_latest_release_multi.yml: -------------------------------------------------------------------------------- 1 | name: build_latest_release_multi_images 2 | 3 | 'on': 4 | push: 5 | tags: 6 | - '*' 7 | 8 | concurrency: 9 | group: ${{ github.workflow }}-${{ github.sha }} 10 | cancel-in-progress: true 11 | 12 | permissions: {} 13 | 14 | jobs: 15 | build_multi_latest_release_tag: 16 | name: 'build_multi_latest_release_tag' 17 | runs-on: 'ubuntu-latest' 18 | permissions: 19 | packages: write # To create/update container on ghcr.io 20 | steps: 21 | - name: 'login ghcr.io' 22 | uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 23 | with: 24 | username: '${{ github.actor }}' 25 | password: '${{ secrets.GITHUB_TOKEN }}' 26 | registry: 'ghcr.io/${{ github.repository_owner }}' 27 | - name: 'login docker hub' 28 | env: 29 | DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' 30 | DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' 31 | run: | 32 | echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io 33 | echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin 34 | - name: 'login quay.io' 35 | env: 36 | QUAY_USER: '${{ secrets.QUAY_USER }}' 37 | QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' 38 | run: | 39 | echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io 40 | echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io 41 | - name: 'install dev deps' 42 | run: | 43 | sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list 44 | sudo apt-get -o Dpkg::Use-Pty=0 update 45 | sudo rm -f /var/lib/man-db/auto-update 46 | sudo apt-get -o Dpkg::Use-Pty=0 install -y \ 47 | qemu-user-static buildah less git make podman clamav clamav-freshclam 48 | - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 49 | with: 50 | 
persist-credentials: false 51 | # NOTE(review): actions/checkout has no tag_name input, so this line is ignored; the checkout falls back to the event ref, i.e. the pushed tag 52 | tag_name: ${{ github.ref }} 53 | - name: 'set env vars' 54 | run: | 55 | # NOTE(review): the curl ref that gets built is whatever curl/curl currently redirects to as its latest release, not this repository's VERSION file or the pushed tag 56 | release_tag_redirect=$(curl -fsS https://github.com/curl/curl/releases/latest -w'%{redirect_url}\n' -o /dev/null) 57 | latest_release_ref=$(basename "${release_tag_redirect}") 58 | # this value comes from a remote redirect and is written into GITHUB_ENV, then used as a git ref and an image tag: accept only the curl-X_Y_Z release tag shape 59 | case "${latest_release_ref}" in curl-[0-9]*_[0-9]*_[0-9]*) ;; *) echo "unexpected release ref: ${latest_release_ref}" >&2; exit 1 ;; esac 60 | echo "TAG_REF=$latest_release_ref" >> "$GITHUB_ENV" 61 | rel=${latest_release_ref:5} 62 | release_image_tag="${rel//_/.}" 63 | echo "REL=$release_image_tag" >> "$GITHUB_ENV" 64 | - name: 'build multi image' 65 | run: buildah unshare make branch_or_ref="$TAG_REF" release_tag="$REL" multibuild 66 | - name: 'test image' 67 | run: buildah unshare make dist_name=localhost/curl-multi release_tag="$REL" test 68 | - name: 'install scan prereqs' 69 | run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy 70 | - name: 'security scan image' 71 | run: | 72 | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" 73 | make image_name=localhost/curl-multi:"$REL" scan 74 | - name: 'push images to github registry' 75 | run: | 76 | # --digestfile records the digest of the pushed manifest so the signing step can address it by digest rather than by a tag that could be re-pointed between push and sign 77 | buildah manifest push --format v2s2 --all --digestfile ghcr-curl-multi.digest curl-multi:"$REL" docker://ghcr.io/curl/curl-container/curl-multi:"$REL" 78 | buildah manifest push --format v2s2 --all --digestfile ghcr-curl-base-multi.digest curl-base-multi:"$REL" docker://ghcr.io/curl/curl-container/curl-base-multi:"$REL" 79 | - name: 'install Cosign' 80 | uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 81 | - name: 'sign images with sigstore key' 82 | env: 83 | COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}' 84 | COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' 85 | run: | 86 | # sign the digest that was actually pushed; the verify step below still resolves the tags, which confirms they point at the signed digest 87 | echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin "ghcr.io/curl/curl-container/curl-multi@$(cat ghcr-curl-multi.digest)" 88 | echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin "ghcr.io/curl/curl-container/curl-base-multi@$(cat ghcr-curl-base-multi.digest)" 89 | - name: 'verify image with public key' 90 | run: | 91 | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:"$REL" 92 | cosign verify --key cosign.pub 
ghcr.io/curl/curl-container/curl-base-multi:"$REL" 87 | - name: 'push release to docker hub' 88 | run: | 89 | # --digestfile records the digest of the pushed manifest so the signing step below can address it by digest instead of by a tag that could be re-pointed between push and sign 90 | buildah manifest push --format v2s2 --all --digestfile dockerhub-curl.digest localhost/curl-multi:"$REL" docker://docker.io/curlimages/curl:"$REL" 91 | buildah manifest push --format v2s2 --all localhost/curl-multi:"$REL" docker://docker.io/curlimages/curl:latest 92 | buildah manifest push --format v2s2 --all --digestfile dockerhub-curl-base.digest localhost/curl-base-multi:"$REL" docker://docker.io/curlimages/curl-base:"$REL" 93 | buildah manifest push --format v2s2 --all localhost/curl-base-multi:"$REL" docker://docker.io/curlimages/curl-base:latest 94 | - name: 'sign images with a sigstore key' 95 | env: 96 | COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}' 97 | COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' 98 | run: | 99 | # a cosign signature is attached to the manifest digest, so signing the digest once covers both the release tag and latest, which were pushed from the same local manifest; the verify step below resolves all four tags and fails if any of them points at an unsigned digest 100 | echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin "docker.io/curlimages/curl@$(cat dockerhub-curl.digest)" 101 | echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin "docker.io/curlimages/curl-base@$(cat dockerhub-curl-base.digest)" 102 | - name: 'verify image with public key' 103 | run: | 104 | cosign verify --key cosign.pub docker.io/curlimages/curl:"$REL" 105 | cosign verify --key cosign.pub docker.io/curlimages/curl:latest 106 | cosign verify --key cosign.pub docker.io/curlimages/curl-base:"$REL" 107 | cosign verify --key cosign.pub docker.io/curlimages/curl-base:latest 108 | - name: 'push release to quay.io' 109 | run: | 110 | buildah manifest push --format v2s2 --all localhost/curl-multi:"$REL" docker://quay.io/curl/curl:"$REL" 111 | buildah manifest push --format v2s2 --all localhost/curl-multi:"$REL" docker://quay.io/curl/curl:latest 112 | buildah manifest push --format v2s2 --all localhost/curl-base-multi:"$REL" docker://quay.io/curl/curl-base:"$REL" 113 | buildah manifest push --format v2s2 --all 
localhost/curl-base-multi:"$REL" docker://quay.io/curl/curl-base:latest 114 | - name: 'sign images with a sigstore key' 115 | env: 116 | COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}' 117 | COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' 118 | run: | 119 | echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin quay.io/curl/curl:"$REL" 120 | echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin quay.io/curl/curl:latest 121 | echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin quay.io/curl/curl-base:"$REL" 122 | echo "${COSIGN_PRIVATE_KEY}" | cosign sign -y --key /dev/stdin quay.io/curl/curl-base:latest 123 | - name: 'verify image with public key' 124 | run: | 125 | cosign verify --key cosign.pub quay.io/curl/curl:"$REL" 126 | cosign verify --key cosign.pub quay.io/curl/curl:latest 127 | cosign verify --key cosign.pub quay.io/curl/curl-base:"$REL" 128 | cosign verify --key cosign.pub quay.io/curl/curl-base:latest 129 | --------------------------------------------------------------------------------