├── images
    ├── alpine-base
    │   ├── examples
    │   │   └── go
    │   │   │   ├── go.mod
    │   │   │   ├── hello.go
    │   │   │   └── Dockerfile
    │   ├── configs
    │   │   └── latest.apko.yaml
    │   ├── tests
    │   │   ├── 01-echo.sh
    │   │   └── main.tf
    │   ├── README.md
    │   └── main.tf
    ├── static
    │   ├── examples
    │   │   ├── main.go
    │   │   ├── hello.c
    │   │   ├── Dockerfile.c
    │   │   ├── Dockerfile.golang
    │   │   └── Dockerfile.rust
    │   ├── configs
    │   │   └── alpine.apko.yaml
    │   ├── tests
    │   │   ├── main.tf
    │   │   └── 01-multi-dockerfile-build.sh
    │   ├── alpine.tf
    │   └── main.tf
    ├── musl-dynamic
    │   ├── examples
    │   │   ├── hello.c
    │   │   └── Dockerfile.c
    │   ├── configs
    │   │   └── latest.apko.yaml
    │   ├── README.md
    │   ├── tests
    │   │   ├── main.tf
    │   │   └── 01-dockerfile-c-build.sh
    │   └── main.tf
    ├── gcc-musl
    │   ├── examples
    │   │   └── hello
    │   │   │   └── main.c
    │   ├── tests
    │   │   ├── 01-version.sh
    │   │   └── main.tf
    │   ├── configs
    │   │   └── latest.apko.yaml
    │   ├── DEVELOPMENT.md
    │   ├── main.tf
    │   └── README.md
    ├── sdk
    │   ├── mount
    │   │   └── entrypoint.sh
    │   ├── tests
    │   │   ├── main.tf
    │   │   └── 01-has-all-tools.sh
    │   ├── main.tf
    │   ├── configs
    │   │   └── latest.apko.yaml
    │   └── README.md
    ├── apko
    │   ├── README.md
    │   └── main.tf
    ├── busybox
    │   ├── tests
    │   │   ├── main.tf
    │   │   └── runs.sh
    │   ├── alpine.tf
    │   ├── main.tf
    │   └── config
    │   │   └── alpine
    │   │       └── main.tf
    ├── spdx-tools
    │   ├── configs
    │   │   └── latest.apko.yaml
    │   └── main.tf
    └── git
    │   ├── tests
    │       ├── repo-clone.sh
    │       └── main.tf
    │   ├── alpine.tf
    │   ├── main.tf
    │   └── config
    │       └── main.tf
├── CODEOWNERS
├── .gitignore
├── .github
    ├── dependabot.yaml
    └── workflows
    │   ├── presubmit-build.yaml
    │   ├── release.yaml
    │   └── .build.yaml
├── tflib
    ├── version-tags
    │   └── main.tf
    └── publisher
    │   └── main.tf
├── README.md
├── main.tf
└── LICENSE


/images/alpine-base/examples/go/go.mod:
--------------------------------------------------------------------------------
1 | module example
2 | 
3 | go 1.18
4 | 


--------------------------------------------------------------------------------
/CODEOWNERS:
--------------------------------------------------------------------------------
1 | # Require review by repo owners of changes to CODEOWNERS
2 | CODEOWNERS @wolfi-dev/wolfi-owners
3 | 
4 | 


--------------------------------------------------------------------------------
/images/static/examples/main.go:
--------------------------------------------------------------------------------
1 | package main
2 | 
3 | import "fmt"
4 | 
5 | func main() {
6 | 	fmt.Println("Hello!")
7 | }
8 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | **/.terraform*
2 | **/terraform*
3 | **/melange.rsa*
4 | **/packages/
5 | **/*.tar
6 | **/*.cdx
7 | **/*.spdx.json
8 | 


--------------------------------------------------------------------------------
/images/static/examples/hello.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | 
3 | int main() { 
4 |     printf("Hello!\n"); 
5 |     return 0;
6 | }
7 | 


--------------------------------------------------------------------------------
/images/alpine-base/examples/go/hello.go:
--------------------------------------------------------------------------------
1 | package main
2 | 
3 | import "fmt"
4 | 
5 | func main() {
6 | 	fmt.Println("Hello!")
7 | }
8 | 


--------------------------------------------------------------------------------
/images/musl-dynamic/examples/hello.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | 
3 | int main() { 
4 |     printf("Hello!\n"); 
5 |     return 0;
6 | }
7 | 


--------------------------------------------------------------------------------
/images/gcc-musl/examples/hello/main.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | 
3 | int main() {
4 |     printf("Hello World!\n");
5 |     return 0;
6 | }
7 | 


--------------------------------------------------------------------------------
/images/sdk/mount/entrypoint.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash -e
2 | printf "\nWelcome to the development environment!\n\n\n"
3 | export PS1="[sdk] ❯ "
4 | export GOPATH="/root/.cache/go"
5 | export CGO_ENABLED=0
6 | bash -i
7 | 


--------------------------------------------------------------------------------
/images/alpine-base/configs/latest.apko.yaml:
--------------------------------------------------------------------------------
1 | contents:
2 |   packages:
3 |     - alpine-baselayout-data
4 |     - alpine-release==3 # TODO(#33): unlock this
5 |     - apk-tools
6 |     - busybox
7 |     - libc-utils
8 | 


--------------------------------------------------------------------------------
/images/alpine-base/tests/01-echo.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | 
3 | set -o errexit -o nounset -o errtrace -o pipefail
4 | 
5 | IMAGE_NAME=${IMAGE_NAME:-"ghcr.io/wolfi-dev/alpine-base"}
6 | 
7 | docker run ${IMAGE_NAME} echo "hello"
8 | 


--------------------------------------------------------------------------------
/images/musl-dynamic/configs/latest.apko.yaml:
--------------------------------------------------------------------------------
1 | contents:
2 |   packages:
3 |     - alpine-baselayout-data
4 |     - alpine-release==3 # TODO(#33): unlock this
5 |     - ca-certificates-bundle
6 |     - musl==1 # TODO(#33): unlock this
7 | 


--------------------------------------------------------------------------------
/images/apko/README.md:
--------------------------------------------------------------------------------
 1 | # sdk
 2 | 
 3 | Development image for [apko](https://github.com/chainguard-dev/apko).
 4 | 
 5 | ## Get It!
 6 | 
 7 | The image is available on `ghcr.io`:
 8 | 
 9 | ```
10 | docker pull ghcr.io/wolfi-dev/apko:latest
11 | ```
12 | 


--------------------------------------------------------------------------------
/images/static/configs/alpine.apko.yaml:
--------------------------------------------------------------------------------
 1 | contents:
 2 |   packages:
 3 |     - tzdata
 4 | 
 5 | accounts:
 6 |   groups:
 7 |     - groupname: nonroot
 8 |       gid: 65532
 9 |   users:
10 |     - username: nonroot
11 |       uid: 65532
12 |       gid: 65532
13 |   run-as: 65532
14 | 


--------------------------------------------------------------------------------
/images/musl-dynamic/examples/Dockerfile.c:
--------------------------------------------------------------------------------
 1 | ARG BASE=ghcr.io/wolfi-dev/musl-dynamic
 2 | 
 3 | FROM ghcr.io/wolfi-dev/gcc-musl as build
 4 | 
 5 | COPY hello.c /work/hello.c
 6 | RUN cc hello.c -o hello
 7 | 
 8 | FROM $BASE
 9 | 
10 | COPY --from=build /work/hello /hello
11 | CMD ["/hello"]
12 | 


--------------------------------------------------------------------------------
/images/static/examples/Dockerfile.c:
--------------------------------------------------------------------------------
 1 | ARG BASE=cgr.dev/chainguard/static
 2 | 
 3 | FROM cgr.dev/chainguard/gcc-glibc as build
 4 | 
 5 | COPY hello.c /hello.c
 6 | RUN cc -static /hello.c -o /hello
 7 | 
 8 | FROM $BASE
 9 | 
10 | COPY --from=build /hello /usr/local/bin/
11 | CMD ["hello"]
12 | 


--------------------------------------------------------------------------------
/images/static/examples/Dockerfile.golang:
--------------------------------------------------------------------------------
 1 | ARG BASE=cgr.dev/chainguard/static
 2 | 
 3 | FROM cgr.dev/chainguard/go as build
 4 | 
 5 | COPY main.go /main.go
 6 | RUN CGO_ENABLED=0 go build -o /hello /main.go
 7 | 
 8 | FROM $BASE
 9 | COPY --from=build /hello /usr/local/bin/
10 | CMD ["hello"]
11 | 


--------------------------------------------------------------------------------
/images/gcc-musl/tests/01-version.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | set -o errexit -o nounset -o errtrace -o pipefail -x
 4 | 
 5 | if [[ "${IMAGE_NAME}" == "" ]]; then
 6 |     echo "Must set IMAGE_NAME environment variable. Exiting."
 7 |     exit 1
 8 | fi
 9 | 
10 | docker run --rm $IMAGE_NAME --version
11 | 


--------------------------------------------------------------------------------
/.github/dependabot.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | version: 2
 3 | updates:
 4 |   - package-ecosystem: "github-actions"
 5 |     directory: "/"
 6 |     schedule:
 7 |       interval: "daily"
 8 |     open-pull-requests-limit: 10
 9 |   - package-ecosystem: terraform
10 |     directory: "/"
11 |     schedule:
12 |       interval: "daily"
13 | 


--------------------------------------------------------------------------------
/images/musl-dynamic/README.md:
--------------------------------------------------------------------------------
1 | ```
2 | docker pull ghcr.io/wolfi-dev/musl-dynamic:latest
3 | ```
4 | # Usage
5 | 
6 | See the [examples/](https://github.com/chainguard-images/images/tree/main/images/musl-dynamic/examples) directory for
7 | an example C program and associated Dockerfile
8 | that can be used with this image.
9 | 


--------------------------------------------------------------------------------
/images/alpine-base/examples/go/Dockerfile:
--------------------------------------------------------------------------------
 1 | ARG BASE=ghcr.io/wolfi-dev/alpine-base
 2 | 
 3 | FROM golang:1.18@sha256:50c889275d26f816b5314fc99f55425fa76b18fcaf16af255f5d57f09e1f48da as build
 4 | WORKDIR /go/src/app
 5 | COPY . .
 6 | RUN go build -o /go/bin/app
 7 | 
 8 | FROM $BASE
 9 | COPY --from=build /go/bin/app /
10 | CMD ["/app"]
11 | 


--------------------------------------------------------------------------------
/images/static/examples/Dockerfile.rust:
--------------------------------------------------------------------------------
 1 | ARG BASE=cgr.dev/chainguard/static
 2 | 
 3 | FROM cgr.dev/chainguard/rust as build
 4 | 
 5 | RUN echo 'fn main() { println!("Hello"); }' > hello.rs
 6 | RUN rustc -C target-feature=+crt-static hello.rs
 7 | 
 8 | FROM $BASE
 9 | 
10 | COPY --from=build /work/hello /usr/local/bin/
11 | CMD ["hello"]
12 | 


--------------------------------------------------------------------------------
/images/busybox/tests/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     oci = { source = "chainguard-dev/oci" }
 4 |   }
 5 | }
 6 | 
 7 | variable "digest" {
 8 |   description = "The image digest to run tests over."
 9 | }
10 | 
11 | data "oci_exec_test" "runs" {
12 |   digest = var.digest
13 |   script = "${path.module}/runs.sh"
14 | }
15 | 


--------------------------------------------------------------------------------
/images/alpine-base/README.md:
--------------------------------------------------------------------------------
1 | Alpine base image built with [apko](https://github.com/chainguard-dev/apko). Uses packages from the [Alpine distribution](https://www.alpinelinux.org/).
2 | 
3 | ```
4 | docker run ghcr.io/wolfi-dev/alpine-base echo "hello"
5 | ```
6 | 
7 | See the [examples/](./examples/) directory for how
8 | to use this as a base image.
9 | 


--------------------------------------------------------------------------------
/images/alpine-base/tests/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     oci  = { source = "chainguard-dev/oci" }
 4 |   }
 5 | }
 6 | 
 7 | variable "digest" {
 8 |   description = "The image digest to run tests over."
 9 | }
10 | 
11 | data "oci_exec_test" "echo" {
12 |   digest = var.digest
13 |   script = "${path.module}/01-echo.sh"
14 | }
15 | 


--------------------------------------------------------------------------------
/images/gcc-musl/tests/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     oci  = { source = "chainguard-dev/oci" }
 4 |   }
 5 | }
 6 | 
 7 | variable "digest" {
 8 |   description = "The image digest to run tests over."
 9 | }
10 | 
11 | data "oci_exec_test" "echo" {
12 |   digest = var.digest
13 |   script = "${path.module}/01-version.sh"
14 | }
15 | 


--------------------------------------------------------------------------------
/images/sdk/tests/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     oci  = { source = "chainguard-dev/oci" }
 4 |   }
 5 | }
 6 | 
 7 | variable "digest" {
 8 |   description = "The image digest to run tests over."
 9 | }
10 | 
11 | data "oci_exec_test" "echo" {
12 |   digest = var.digest
13 |   script = "${path.module}/01-has-all-tools.sh"
14 | }
15 | 


--------------------------------------------------------------------------------
/images/musl-dynamic/tests/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     oci  = { source = "chainguard-dev/oci" }
 4 |   }
 5 | }
 6 | 
 7 | variable "digest" {
 8 |   description = "The image digest to run tests over."
 9 | }
10 | 
11 | data "oci_exec_test" "echo" {
12 |   digest = var.digest
13 |   script = "${path.module}/01-dockerfile-c-build.sh"
14 | }
15 | 


--------------------------------------------------------------------------------
/images/static/tests/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     oci = { source = "chainguard-dev/oci" }
 4 |   }
 5 | }
 6 | 
 7 | variable "digest" {
 8 |   description = "The image digest to run tests over."
 9 | }
10 | 
11 | data "oci_exec_test" "version" {
12 |   digest      = var.digest
13 |   script      = "./01-multi-dockerfile-build.sh"
14 |   working_dir = path.module
15 | }
16 | 


--------------------------------------------------------------------------------
/images/gcc-musl/configs/latest.apko.yaml:
--------------------------------------------------------------------------------
 1 | contents:
 2 |   packages:
 3 |     - ca-certificates-bundle
 4 |     - alpine-baselayout-data
 5 |     - alpine-release==3
 6 |     - gcc
 7 |     - musl-dev==1
 8 |     - busybox
 9 | 
10 | paths:
11 |   - path: /work
12 |     type: directory
13 |     permissions: 0o777
14 | 
15 | work-dir: /work
16 | 
17 | entrypoint:
18 |   command: /usr/bin/gcc
19 | cmd: --help
20 | 


--------------------------------------------------------------------------------
/images/spdx-tools/configs/latest.apko.yaml:
--------------------------------------------------------------------------------
 1 | contents:
 2 |   packages:
 3 |     - busybox
 4 |     - spdx-tools-java
 5 | 
 6 | environment:
 7 |   LANG: en_US.UTF-8
 8 |   JAVA_HOME: /usr/lib/jvm/default-jvm
 9 | 
10 | accounts:
11 |   groups:
12 |   - gid: 65532
13 |     groupname: nonroot
14 |   users:
15 |   - uid: 65532
16 |     gid: 65532
17 |     username: nonroot
18 |   run-as: "65532"
19 | 
20 | entrypoint:
21 |   command: /usr/bin/tools-java
22 | 


--------------------------------------------------------------------------------
/images/musl-dynamic/tests/01-dockerfile-c-build.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | set -o errexit -o nounset -o errtrace -o pipefail -x
 4 | 
 5 | if [[ "${IMAGE_NAME}" == "" ]]; then
 6 |     echo "Must set IMAGE_NAME environment variable. Exiting."
 7 |     exit 1
 8 | fi
 9 | 
10 | cd "$(dirname ${BASH_SOURCE[0]})/.."
11 | 
12 | docker build --build-arg BASE="${IMAGE_NAME}" --tag smoke-test --file examples/Dockerfile.c examples
13 | docker run --rm smoke-test
14 | 


--------------------------------------------------------------------------------
/tflib/version-tags/main.tf:
--------------------------------------------------------------------------------
 1 | variable "config" {
 2 |   description = "The resolved apko configuration."
 3 | }
 4 | 
 5 | variable "package" {
 6 |   type        = string
 7 |   description = "The name of the package from which to extract version tags."
 8 | }
 9 | 
10 | output "tag_list" {
11 |     value = [
12 |     for x in var.config.contents.packages : regexall("(((([a-z0-9]+)(?:[.][a-z0-9]+)?)(?:[.][a-z0-9]+)?)(?:[-][a-z0-9]+)?)", trimprefix(x, "${var.package}=")) if startswith(x, "${var.package}=")
13 |   ][0][0]
14 | }
15 | 


--------------------------------------------------------------------------------
/images/static/alpine.tf:
--------------------------------------------------------------------------------
 1 | module "alpine" {
 2 |   providers = {
 3 |     apko = apko.alpine
 4 |   }
 5 |   source  = "chainguard-dev/apko/publisher"
 6 |   version = "0.0.17"
 7 | 
 8 |   target_repository = var.target_repository
 9 |   config            = file("${path.module}/configs/alpine.apko.yaml")
10 |   extra_packages    = [] # Override the default, which includes `wolfi-baselayout`
11 |   check_sbom        = false
12 | }
13 | 
14 | module "test-alpine" {
15 |   source = "./tests"
16 |   digest = module.alpine.image_ref
17 | }
18 | 


--------------------------------------------------------------------------------
/images/busybox/alpine.tf:
--------------------------------------------------------------------------------
 1 | module "alpine" { source = "./config/alpine" }
 2 | 
 3 | module "latest-alpine" {
 4 |   providers = { apko = apko.alpine }
 5 | 
 6 |   source  = "chainguard-dev/apko/publisher"
 7 |   version = "0.0.17"
 8 | 
 9 |   target_repository = var.target_repository
10 |   config            = module.alpine.config
11 |   # Override the module's default wolfi packages that conflict with alpine
12 |   extra_packages = []
13 | }
14 | 
15 | module "test-latest-alpine" {
16 |   source = "./tests"
17 |   digest = module.latest-alpine.image_ref
18 | }
19 | 


--------------------------------------------------------------------------------
/images/static/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     oci = { source = "chainguard-dev/oci" }
 4 |     apko = {
 5 |       source                = "chainguard-dev/apko"
 6 |       configuration_aliases = [apko.alpine]
 7 |     }
 8 |   }
 9 | }
10 | 
11 | variable "target_repository" {
12 |   description = "The docker repo into which the image and attestations should be published."
13 | }
14 | 
15 | resource "oci_tag" "alpine" {
16 |   depends_on = [module.test-alpine]
17 |   digest_ref = module.alpine.image_ref
18 |   tag        = "alpine"
19 | }
20 | 


--------------------------------------------------------------------------------
/images/busybox/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     oci = { source = "chainguard-dev/oci" }
 4 |     apko = {
 5 |       source                = "chainguard-dev/apko"
 6 |       configuration_aliases = [apko.alpine]
 7 |     }
 8 |   }
 9 | }
10 | 
11 | variable "target_repository" {
12 |   description = "The docker repo into which the image and attestations should be published."
13 | }
14 | 
15 | resource "oci_tag" "alpine" {
16 |   depends_on = [module.test-latest-alpine]
17 |   digest_ref = module.latest-alpine.image_ref
18 |   tag        = "alpine"
19 | }
20 | 


--------------------------------------------------------------------------------
/images/git/tests/repo-clone.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | set -o errexit -o nounset -o errtrace -o pipefail -x
 4 | 
 5 | CLONE_URL=${CLONE_URL:-"https://github.com/chainguard-images/.github.git"}
 6 | 
 7 | CLONEDIR="$(mktemp -d)"
 8 | chmod go+wrx "${CLONEDIR}"
 9 | 
10 | # TODO: re-enable this delete. After performing the clone
11 | # in some cases, this results in a "permission denied" error
12 | # trap "rm -rf ${CLONEDIR}" EXIT
13 | 
14 | # Try cloning a repo and check for README.md
15 | pushd "${CLONEDIR}"
16 | docker run --rm -v "${PWD}":/w -w /w $IMAGE_NAME clone --depth 1 $CLONE_URL .
17 | popd
18 | find "${CLONEDIR}/README.md" && echo "Smoketest passed."
19 | 


--------------------------------------------------------------------------------
/images/static/tests/01-multi-dockerfile-build.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | set -o errexit -o nounset -o errtrace -o pipefail -x
 4 | 
 5 | cd "$(dirname ${BASH_SOURCE[0]})/.."
 6 | 
 7 | # Using registry.local:5000 as the BASE arg in `docker build` fails with
 8 | # current versions of docker that use containerd under the hood.
 9 | # Pre-pulling it uses docker's heuristics for allowing insecure registries.
10 | docker pull ${IMAGE_NAME}
11 | 
12 | for lang in c golang rust; do
13 |   docker build --build-arg BASE=${IMAGE_NAME} --tag smoke-test-${lang}-${FREE_PORT} --file examples/Dockerfile.${lang} examples
14 |   docker run --rm smoke-test-${lang}-${FREE_PORT}
15 | done
16 | 


--------------------------------------------------------------------------------
/images/gcc-musl/DEVELOPMENT.md:
--------------------------------------------------------------------------------
 1 | # gcc-musl Development
 2 | 
 3 | This doc covers building the gcc-musl image locally with apko, and using it with Docker.
 4 | 
 5 | ## Building -musl Locally
 6 | 
 7 | First build the image first using apko:
 8 | ```
 9 | apko build apko.yaml gcc-musl:devel gcc-musl.tar
10 | ```
11 | 
12 | Next, load the image from the tarball:
13 | ```
14 | docker load < gcc-musl.tar
15 | ```
16 | 
17 | Try building something:
18 | ```
19 | docker run --rm -v "${PWD}:/work" -w /work/examples/hello \
20 |     gcc-musl:devel main.c -o /work/hello
21 | ```
22 | 
23 | Finally, try running it:
24 | ```
25 | docker run --rm -v "${PWD}:/work" --entrypoint /work/hello \
26 |     gcc-musl:devel
27 | ```
28 | 


--------------------------------------------------------------------------------
/images/git/tests/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     oci = { source = "chainguard-dev/oci" }
 4 |   }
 5 | }
 6 | 
 7 | variable "digest" {
 8 |   description = "The image digest to run tests over."
 9 | }
10 | 
11 | variable "check-dev" {
12 |   default = false
13 | }
14 | 
15 | data "oci_exec_test" "version" {
16 |   digest = var.digest
17 |   script = "docker run --rm $IMAGE_NAME --version"
18 | }
19 | 
20 | data "oci_exec_test" "submodule" {
21 |   count = var.check-dev ? 1 : 0
22 | 
23 |   digest = var.digest
24 |   script = "docker run --rm $IMAGE_NAME submodule -h"
25 | }
26 | 
27 | data "oci_exec_test" "clone" {
28 |   digest = var.digest
29 |   script = "${path.module}/repo-clone.sh"
30 | }
31 | 


--------------------------------------------------------------------------------
/images/spdx-tools/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     apko = { source = "chainguard-dev/apko" }
 4 |     oci  = { source = "chainguard-dev/oci" }
 5 |   }
 6 | }
 7 | 
 8 | variable "target_repository" {
 9 |   description = "The docker repo into which the image and attestations should be published."
10 | }
11 | 
12 | module "latest" {
13 |   source  = "chainguard-dev/apko/publisher"
14 |   version = "0.0.17"
15 | 
16 |   target_repository = var.target_repository
17 |   config            = file("${path.module}/configs/latest.apko.yaml")
18 |   check_sbom        = true
19 | }
20 | 
21 | resource "oci_tag" "version-tags" {
22 |   digest_ref = module.latest.image_ref
23 |   tag        = "latest"
24 | }
25 | 


--------------------------------------------------------------------------------
/images/busybox/config/alpine/main.tf:
--------------------------------------------------------------------------------
 1 | variable "extra_packages" {
 2 |   description = "Extra packages to install."
 3 |   type        = list(string)
 4 |   default     = []
 5 | }
 6 | 
 7 | output "config" {
 8 |   value = jsonencode({
 9 |     contents = {
10 |       packages = concat([
11 |         "busybox",
12 |         "ssl_client", # ssl_client allows the busybox wget applet to use https.
13 |       ], var.extra_packages)
14 |     }
15 |     accounts = {
16 |       groups = [{
17 |         groupname = "nonroot"
18 |         gid       = 65532
19 |       }]
20 |       users = [{
21 |         username = "nonroot"
22 |         uid      = 65532
23 |         gid      = 65532
24 |       }]
25 |       run-as = 65532
26 |     }
27 |   })
28 | }
29 | 


--------------------------------------------------------------------------------
/images/git/alpine.tf:
--------------------------------------------------------------------------------
 1 | module "alpine" {
 2 |   for_each           = local.accounts
 3 |   source             = "./config"
 4 |   root               = each.key == "root"
 5 |   extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/community"]
 6 | }
 7 | 
 8 | module "latest-alpine" {
 9 |   providers = {
10 |     apko = apko.alpine
11 |   }
12 |   for_each = local.accounts
13 |   source   = "chainguard-dev/apko/publisher"
14 |   version  = "0.0.17"
15 | 
16 |   target_repository = var.target_repository
17 |   config            = module.alpine[each.key].config
18 |   extra_packages    = [] // Don't add wolfi-baselayout
19 | }
20 | 
21 | module "test-latest-alpine" {
22 |   for_each = local.accounts
23 |   source   = "./tests"
24 |   digest   = module.latest-alpine[each.key].image_ref
25 | }
26 | 


--------------------------------------------------------------------------------
/images/git/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     oci = { source = "chainguard-dev/oci" }
 4 |     apko = {
 5 |       source                = "chainguard-dev/apko"
 6 |       configuration_aliases = [apko.alpine]
 7 |     }
 8 |   }
 9 | }
10 | 
11 | locals {
12 |   accounts = toset(["nonroot", "root"])
13 | }
14 | 
15 | variable "target_repository" {
16 |   description = "The docker repo into which the image and attestations should be published."
17 | }
18 | 
19 | resource "oci_tag" "alpine" {
20 |   depends_on = [module.test-latest-alpine]
21 |   digest_ref = module.latest-alpine["nonroot"].image_ref
22 |   tag        = "alpine"
23 | }
24 | 
25 | resource "oci_tag" "alpine-root" {
26 |   depends_on = [module.test-latest-alpine]
27 |   digest_ref = module.latest-alpine["root"].image_ref
28 |   tag        = "alpine-root"
29 | }
30 | 


--------------------------------------------------------------------------------
/images/busybox/tests/runs.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | set -o errexit -o nounset -o errtrace -o pipefail -x
 4 | 
 5 | docker run --rm $IMAGE_NAME ls >/dev/null
 6 | 
 7 | # The image runs as nonroot by default.
 8 | docker run --rm --entrypoint '' $IMAGE_NAME whoami | grep "^nonroot$"
 9 | 
10 | # The image contains many common utilities (some in /usr/bin and some in /bin)
11 | for cmd in awk basename cat chmod chown cp cut date dirname du echo egrep expr find grep head id ln ls mkdir mktemp mv printf pwd rm rmdir sed sh sort tail tar tee test touch tr uname uniq wc xargs; do
12 | 	docker run --rm $IMAGE_NAME which $cmd | grep "/bin/$cmd$"
13 | done
14 | 
15 | # The image can be used as a base image.
16 | cat <<EOF | docker build -t version -
17 | FROM ${IMAGE_NAME}
18 | RUN busybox
19 | ENTRYPOINT ["busybox"]
20 | EOF
21 | docker run --rm version | grep "BusyBox .* multi-call binary."
22 | 


--------------------------------------------------------------------------------
/images/sdk/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     apko = { source = "chainguard-dev/apko" }
 4 |     oci  = { source = "chainguard-dev/oci" }
 5 |   }
 6 | }
 7 | 
 8 | variable "target_repository" {
 9 |   description = "The docker repo into which the image and attestations should be published."
10 | }
11 | 
12 | module "latest" {
13 |   source  = "chainguard-dev/apko/publisher"
14 |   version = "0.0.17"
15 | 
16 |   target_repository = var.target_repository
17 |   config            = file("${path.module}/configs/latest.apko.yaml")
18 |   check_sbom        = false // chainctl doesn't use SPDX compliant license
19 | }
20 | 
21 | module "test-latest" {
22 |   source = "./tests"
23 |   digest = module.latest.image_ref
24 | }
25 | 
26 | resource "oci_tag" "version-tags" {
27 |   depends_on = [module.test-latest]
28 |   digest_ref = module.latest.image_ref
29 |   tag        = "latest"
30 | }
31 | 


--------------------------------------------------------------------------------
/images/sdk/configs/latest.apko.yaml:
--------------------------------------------------------------------------------
 1 | contents:
 2 |   repositories:
 3 |     - https://packages.cgr.dev/extras
 4 |   keyring:
 5 |     - https://packages.cgr.dev/extras/chainguard-extras.rsa.pub
 6 |   packages:
 7 |     - apk-tools
 8 |     - apko
 9 |     - bash
10 |     - bash-completion
11 |     - bubblewrap
12 |     - busybox
13 |     - ca-certificates-bundle
14 |     - chainctl
15 |     - curl
16 |     - docker
17 |     - docker-dind
18 |     - git
19 |     - gitsign
20 |     - go
21 |     - goimports
22 |     - grype
23 |     - jq
24 |     - make
25 |     - malcontent
26 |     - melange
27 |     - mount
28 |     - qemu
29 |     - spdx-tools-java
30 |     - tree
31 |     - wolfi-baselayout
32 |     - wolfictl
33 |     - yam
34 | 
35 | environment:
36 |   COLORTERM: truecolor
37 |   TERM: xterm-256color
38 | 
39 | entrypoint:
40 |   command: /bin/bash
41 | 
42 | volumes:
43 |   - "/var/lib/docker"
44 | 
45 | layering:
46 |   strategy: "origin"
47 |   budget: 20
48 | 


--------------------------------------------------------------------------------
/images/apko/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     apko = { source = "chainguard-dev/apko" }
 4 |     oci  = { source = "chainguard-dev/oci" }
 5 |   }
 6 | }
 7 | 
 8 | variable "target_repository" {
 9 |   description = "The docker repo into which the image and attestations should be published."
10 | }
11 | 
12 | module "latest" {
13 |   source  = "chainguard-dev/apko/publisher"
14 |   version = "0.0.17"
15 | 
16 |   target_repository = var.target_repository
17 |   config = jsonencode({
18 |     contents = {
19 |       packages = ["apko"]
20 |     }
21 |     entrypoint = {
22 |       command = "/usr/bin/apko"
23 |     }
24 |   })
25 |   check_sbom = true
26 | }
27 | 
28 | data "oci_exec_test" "version" {
29 |   digest = module.latest.image_ref
30 |   script = "docker run --rm $${IMAGE_NAME} version"
31 | }
32 | 
33 | resource "oci_tag" "latest" {
34 |   depends_on = [data.oci_exec_test.version]
35 |   digest_ref = module.latest.image_ref
36 |   tag        = "latest"
37 | }
38 | 


--------------------------------------------------------------------------------
/images/sdk/tests/01-has-all-tools.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | set -o errexit -o nounset -o errtrace -o pipefail
 4 | 
 5 | IMAGE_NAME=${IMAGE_NAME:-"unset"}
 6 | if [[ "${IMAGE_NAME}" == "unset" ]]; then
 7 |     echo "Must set IMAGE_NAME in the environment. Exiting."
 8 |     exit 1
 9 | fi
10 | 
11 | docker run --rm --entrypoint bash "${IMAGE_NAME}" -xc \
12 |     'which goimports &&
13 |      tree --version &&
14 |      go version &&
15 |      make --version &&
16 |      curl --version &&
17 |      git version &&
18 |      apk --version &&
19 |      bwrap --version &&
20 |      melange version &&
21 |      apko version &&
22 |      wolfictl version'
23 | 
24 | # Check that everything is up to date
25 | # Freshly minted image, should be fully up to date, this however will
26 | # catch any package renames/provides that apko resolved using out of
27 | # date packages, due to packaging mistakes or ongoing transitions
28 | docker run --rm --entrypoint bash "${IMAGE_NAME}" -xc \
29 |      'apk update; apk upgrade --all --latest || true'
30 | 


--------------------------------------------------------------------------------
/images/alpine-base/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     apko = {
 4 |       source                = "chainguard-dev/apko"
 5 |       configuration_aliases = [apko.alpine]
 6 |     }
 7 |     oci = { source = "chainguard-dev/oci" }
 8 |   }
 9 | }
10 | 
11 | variable "target_repository" {
12 |   description = "The docker repo into which the image and attestations should be published."
13 | }
14 | 
15 | module "latest" {
16 |   providers = { apko = apko.alpine }
17 | 
18 |   source  = "chainguard-dev/apko/publisher"
19 |   version = "0.0.17"
20 | 
21 |   target_repository = var.target_repository
22 |   config            = file("${path.module}/configs/latest.apko.yaml")
23 |   extra_packages    = [] # The default pulls in alpine-baselayout which cannot be used in alpine
24 | }
25 | 
26 | module "test-latest" {
27 |   source = "./tests"
28 |   digest = module.latest.image_ref
29 | }
30 | 
31 | resource "oci_tag" "version-tags" {
32 |   depends_on = [module.test-latest]
33 |   digest_ref = module.latest.image_ref
34 |   tag        = "latest"
35 | }
36 | 


--------------------------------------------------------------------------------
/tflib/publisher/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     cosign = {
 4 |       source  = "chainguard-dev/cosign"
 5 |       version = "0.0.20"
 6 |     }
 7 |     apko = {
 8 |       source  = "chainguard-dev/apko"
 9 |       version = "0.20.3"
10 |     }
11 |   }
12 | }
13 | 
14 | variable "target_repository" {}
15 | 
16 | variable "config" {}
17 | 
18 | variable "extra_packages" {
19 |   type    = list(string)
20 |   default = ["wolfi-baselayout"]
21 | }
22 | 
23 | variable "check_sbom" {
24 |   type        = bool
25 |   default     = false
26 |   description = "Whether to run the NTIA conformance checker over the images we produce prior to attesting the SBOMs."
27 | }
28 | 
29 | module "this" {
30 |   source  = "chainguard-dev/apko/publisher"
31 |   version = "0.0.16"
32 | 
33 |   target_repository = var.target_repository
34 |   config            = var.config
35 |   extra_packages    = var.extra_packages
36 |   check_sbom        = var.check_sbom
37 | }
38 | 
39 | output "image_ref" {
40 |   value = module.this.image_ref
41 | }
42 | 
43 | output "config" {
44 |   value = module.this.config
45 | }
46 | 


--------------------------------------------------------------------------------
/images/git/config/main.tf:
--------------------------------------------------------------------------------
 1 | variable "extra_packages" {
 2 |   description = "Extra packages to install."
 3 |   type        = list(string)
 4 |   default     = []
 5 | }
 6 | 
 7 | variable "extra_repositories" {
 8 |   description = "Extra repositories to add."
 9 |   type        = list(string)
10 |   default     = []
11 | }
12 | 
13 | variable "root" {
14 |   description = "Whether to run as root."
15 |   type        = bool
16 |   default     = false
17 | }
18 | 
19 | output "config" {
20 |   value = jsonencode({
21 |     contents = {
22 |       repositories = var.extra_repositories
23 |       packages = concat([
24 |         "git",
25 |         "git-lfs",
26 |         "openssh-client",
27 |       ], var.extra_packages)
28 |     }
29 |     accounts = {
30 |       groups = [{
31 |         groupname = "git"
32 |         gid       = 65532
33 |       }]
34 |       users = [{
35 |         username = "git"
36 |         uid      = 65532
37 |         gid      = 65532
38 |       }]
39 |       run-as = var.root ? 0 : 65532
40 |     }
41 |     entrypoint = {
42 |       command = "/usr/bin/git"
43 |     }
44 |     work-dir = "/home/git"
45 |   })
46 | }
47 | 


--------------------------------------------------------------------------------
/.github/workflows/presubmit-build.yaml:
--------------------------------------------------------------------------------
 1 | on:
 2 |   pull_request:
 3 |     branches:
 4 |       - 'main'
 5 | 
 6 | permissions:
 7 |   contents: read # Needed to clone the repo
 8 | 
 9 | jobs:
10 |   alpine-base:
11 |     uses: ./.github/workflows/.build.yaml
12 |     with:
13 |       image: alpine-base
14 | 
15 |   apko:
16 |     uses: ./.github/workflows/.build.yaml
17 |     with:
18 |       image: apko
19 | 
20 |   gcc-musl:
21 |     uses: ./.github/workflows/.build.yaml
22 |     with:
23 |       image: gcc-musl
24 | 
25 |   musl-dynamic:
26 |     uses: ./.github/workflows/.build.yaml
27 |     with:
28 |       image: musl-dynamic
29 | 
30 |   sdk:
31 |     uses: ./.github/workflows/.build.yaml
32 |     with:
33 |       image: sdk
34 | 
35 |   static-alpine:
36 |     uses: ./.github/workflows/.build.yaml
37 |     with:
38 |       image: static
39 | 
40 |   git-alpine:
41 |     uses: ./.github/workflows/.build.yaml
42 |     with:
43 |       image: git
44 | 
45 |   busybox-alpine:
46 |     uses: ./.github/workflows/.build.yaml
47 |     with:
48 |       image: busybox
49 | 
50 |   spdx-tools:
51 |     uses: ./.github/workflows/.build.yaml
52 |     with:
53 |       image: spdx-tools
54 | 


--------------------------------------------------------------------------------
/images/gcc-musl/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     apko = {
 4 |       source                = "chainguard-dev/apko"
 5 |       configuration_aliases = [apko.alpine]
 6 |     }
 7 |     oci = { source = "chainguard-dev/oci" }
 8 |   }
 9 | }
10 | 
11 | variable "target_repository" {
12 |   description = "The docker repo into which the image and attestations should be published."
13 | }
14 | 
15 | module "latest" {
16 |   providers = { apko = apko.alpine }
17 |   source    = "chainguard-dev/apko/publisher"
18 |   version   = "0.0.17"
19 | 
20 |   target_repository = var.target_repository
21 |   config            = file("${path.module}/configs/latest.apko.yaml")
22 |   extra_packages    = [] # The default pulls in wolfi-baselayout which cannot be used in alpine
23 | }
24 | 
25 | module "test-latest" {
26 |   source = "./tests"
27 |   digest = module.latest.image_ref
28 | }
29 | 
30 | module "version-tags" {
31 |   source  = "../../tflib/version-tags"
32 |   package = "gcc"
33 |   config  = module.latest.config
34 | }
35 | 
36 | resource "oci_tag" "version-tags" {
37 |   depends_on = [module.test-latest]
38 |   for_each   = toset(concat(["latest"], module.version-tags.tag_list))
39 |   digest_ref = module.latest.image_ref
40 |   tag        = each.key
41 | }
42 | 


--------------------------------------------------------------------------------
/images/musl-dynamic/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     apko = {
 4 |       source                = "chainguard-dev/apko"
 5 |       configuration_aliases = [apko.alpine]
 6 |     }
 7 |     oci = { source = "chainguard-dev/oci" }
 8 |   }
 9 | }
10 | 
11 | variable "target_repository" {
12 |   description = "The docker repo into which the image and attestations should be published."
13 | }
14 | 
15 | module "latest" {
16 |   providers = { apko = apko.alpine }
17 |   source    = "chainguard-dev/apko/publisher"
18 |   version   = "0.0.17"
19 | 
20 |   target_repository = var.target_repository
21 |   config            = file("${path.module}/configs/latest.apko.yaml")
22 |   extra_packages    = [] # The default pulls in wolfi-baselayout which cannot be used in alpine
23 | }
24 | 
25 | module "test-latest" {
26 |   source = "./tests"
27 |   digest = module.latest.image_ref
28 | }
29 | 
30 | module "version-tags" {
31 |   source  = "../../tflib/version-tags"
32 |   package = "musl"
33 |   config  = module.latest.config
34 | }
35 | 
36 | resource "oci_tag" "version-tags" {
37 |   depends_on = [module.test-latest]
38 |   for_each   = toset(concat(["latest"], module.version-tags.tag_list))
39 |   digest_ref = module.latest.image_ref
40 |   tag        = each.key
41 | }
42 | 


--------------------------------------------------------------------------------
/images/gcc-musl/README.md:
--------------------------------------------------------------------------------
 1 | Minimal container image for building C applications (which do not require glibc).
 2 | 
 3 | ## Get It!
 4 | 
 5 | The image is available on `cgr.dev`:
 6 | 
 7 | ```
 8 | docker pull ghcr.io/wolfi-dev/gcc-musl:latest
 9 | ```
10 | 
11 | ## Usage
12 | 
13 | To build the C application in [examples/hello/main.c](https://github.com/chainguard-images/images/blob/main/images/gcc-glibc/examples/hello/main.c):
14 | 
15 | ```
16 | $ docker run --rm -v "${PWD}:/work" ghcr.io/wolfi-dev/gcc-musl examples/hello/main.c -o hello
17 | ```
18 | 
19 | This will write a Linux binary to `./hello`. If you're on Linux and have the musl library, you
20 | should be able to run it directly. Otherwise you can run it in a container e.g:
21 | 
22 | ```
23 | $ docker run --rm -v "$PWD/hello:/hello" ghcr.io/wolfi-dev/musl-dynamic /hello
24 | Hello World!
25 | ```
26 | 
27 | We can also do this all in a multi-stage Dockerfile e.g:
28 | 
29 | ```Dockerfile
30 | FROM ghcr.io/wolfi-dev/gcc-musl as build
31 | 
32 | COPY hello.c /work/hello.c
33 | RUN cc hello.c -o hello
34 | 
35 | FROM ghcr.io/wolfi-dev/musl-dynamic
36 | 
37 | COPY --from=build /work/hello /hello
38 | CMD ["/hello"]
39 | ```
40 | 
41 | And we can also compile statically to be used in environments without musl:
42 | 
43 | 
44 | ```Dockerfile
45 | FROM ghcr.io/wolfi-dev/gcc-musl as build
46 | 
47 | COPY hello.c /work/hello.c
48 | RUN cc --static hello.c -o hello
49 | 
50 | FROM cgr.dev/chainguard/static
51 | 
52 | COPY --from=build /work/hello /hello
53 | CMD ["/hello"]
54 | ```
55 | 


--------------------------------------------------------------------------------
/.github/workflows/release.yaml:
--------------------------------------------------------------------------------
 1 | on:
 2 |   push:
 3 |     branches:
 4 |       - main
 5 |   schedule:
 6 |     - cron: '0 1 * * *'
 7 |   workflow_dispatch:
 8 | 
 9 | concurrency: release
10 | 
11 | permissions:
12 |   contents: read  # Needed to clone the repo
13 |   id-token: write # Needed to sign images
14 |   packages: write # Needed to publish images to GHCR
15 | 
16 | jobs:
17 |   alpine-base:
18 |     uses: ./.github/workflows/.build.yaml
19 |     with:
20 |       image: alpine-base
21 |       registry: ghcr.io/wolfi-dev
22 | 
23 |   apko:
24 |     uses: ./.github/workflows/.build.yaml
25 |     with:
26 |       image: apko
27 |       registry: ghcr.io/wolfi-dev
28 | 
29 |   gcc-musl:
30 |     uses: ./.github/workflows/.build.yaml
31 |     with:
32 |       image: gcc-musl
33 |       registry: ghcr.io/wolfi-dev
34 | 
35 |   musl-dynamic:
36 |     uses: ./.github/workflows/.build.yaml
37 |     with:
38 |       image: musl-dynamic
39 |       registry: ghcr.io/wolfi-dev
40 | 
41 |   sdk:
42 |     uses: ./.github/workflows/.build.yaml
43 |     with:
44 |       image: sdk
45 |       registry: ghcr.io/wolfi-dev
46 | 
47 |   static-alpine:
48 |     uses: ./.github/workflows/.build.yaml
49 |     with:
50 |       image: static
51 |       registry: ghcr.io/wolfi-dev
52 | 
53 |   git-alpine:
54 |     uses: ./.github/workflows/.build.yaml
55 |     with:
56 |       image: git
57 |       registry: ghcr.io/wolfi-dev
58 | 
59 |   busybox-alpine:
60 |     uses: ./.github/workflows/.build.yaml
61 |     with:
62 |       image: busybox
63 |       registry: ghcr.io/wolfi-dev
64 | 
65 |   spdx-tools:
66 |     uses: ./.github/workflows/.build.yaml
67 |     with:
68 |       image: spdx-tools
69 |       registry: ghcr.io/wolfi-dev
70 | 


--------------------------------------------------------------------------------
/.github/workflows/.build.yaml:
--------------------------------------------------------------------------------
 1 | name: Reusable build workflow
 2 | 
 3 | on:
 4 |   workflow_call:
 5 |     inputs:
 6 |       image:
 7 |         required: true
 8 |         type: string
 9 |       registry:
10 |         required: false
11 |         type: string
12 |         default: ''
13 | 
14 | jobs:
15 |   publish:
16 |     runs-on: ubuntu-latest
17 |     steps:
18 |       - name: Harden Runner
19 |         uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
20 |         with:
21 |           egress-policy: audit
22 | 
23 |       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
24 |         with:
25 |           persist-credentials: false
26 | 
27 |       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
28 |         with:
29 |           terraform_version: '1.10.*'
30 |           terraform_wrapper: false
31 | 
32 |       # Setup local registry
33 |       - uses: chainguard-dev/actions/setup-registry@3e8a2a226fad9e1ecbf2d359b8a7697554a4ac6d # v1.5.10
34 |         if: inputs.registry == ''
35 |         with:
36 |           port: 5000
37 | 
38 |       # Auth to GitHub Container Registry (ghcr.io)
39 |       - name: Login to registry
40 |         if: inputs.registry != ''
41 |         run: |
42 |           set -x
43 |           echo "${{ github.token }}" | docker login \
44 |             -u "${{ github.repository_owner }}" \
45 |             --password-stdin ghcr.io
46 | 
47 |       # Build and push image using terraform-provider-apko
48 |       - name: Build image with apko/terraform
49 |         env:
50 |           TF_VAR_target_repository: ${{ inputs.registry != '' && inputs.registry || format('localhost:5000/{0}', inputs.image) }}
51 |         run: |
52 |           set -x
53 |           terraform init
54 |           terraform apply -auto-approve -target=module.${{inputs.image}}
55 | 


--------------------------------------------------------------------------------
/images/sdk/README.md:
--------------------------------------------------------------------------------
 1 | # sdk
 2 | 
 3 | Development image for [melange](https://github.com/chainguard-dev/melange) and [apko](https://github.com/chainguard-dev/apko).
 4 | 
 5 | ## Get It!
 6 | 
 7 | The image is available on `ghcr.io`:
 8 | 
 9 | ```
10 | docker pull ghcr.io/wolfi-dev/sdk:latest
11 | ```
12 | 
13 | ## Usage
14 | 
15 | ### With melange
16 | 
17 | Clone down your development fork/branch:
18 | 
19 | ```
20 | git clone https://github.com/chainguard-dev/melange.git
21 | cd melange
22 | ```
23 | 
24 | Run the image, mounting the repo workspace (`--privileged` flag required):
25 | 
26 | ```
27 | docker run --privileged --rm -it -v "${PWD}:${PWD}" -w "${PWD}" ghcr.io/wolfi-dev/sdk
28 | ```
29 | 
30 | Upon entering the image, you should see the following welcome message:
31 | 
32 | ```
33 | 
34 | Welcome to the development environment!
35 | 
36 | 
37 | [sdk] ❯
38 | ```
39 | 
40 | Inside the environment, test out local changes to the melange codebase
41 | by running the following:
42 | 
43 | ```
44 | make melange install
45 | ```
46 | 
47 | Then run melange commands as normal:
48 | 
49 | ```
50 | melange keygen
51 | 
52 | melange build \
53 |   --arch x86_64,arm64 \
54 |   --empty-workspace \
55 |   --repository-append packages \
56 |   --signing-key melange.rsa \
57 |   examples/gnu-hello.yaml
58 | ```
59 | 
60 | ### With apko
61 | 
62 | Clone down your development fork/branch:
63 | 
64 | ```
65 | git clone https://github.com/chainguard-dev/apko.git
66 | cd apko
67 | ```
68 | 
69 | Run the image, mounting the repo workspace:
70 | 
71 | ```
72 | docker run --rm -it -v "${PWD}:${PWD}" -w "${PWD}" ghcr.io/wolfi-dev/sdk
73 | ```
74 | 
75 | Upon entering the image, you should see the following welcome message:
76 | 
77 | ```
78 | 
79 | Welcome to the development environment!
80 | 
81 | 
82 | [sdk] ❯
83 | ```
84 | 
85 | Inside the environment, test out local changes to the apko codebase
86 | by running the following:
87 | 
88 | ```
89 | make apko install
90 | ```
91 | 
92 | Then run apko commands as normal:
93 | 
94 | ```
95 | apko build --debug \
96 |   examples/alpine-base.yaml \
97 |   alpine-base:latest output.tar
98 | ```
99 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # tools
  2 | 
  3 | Various tools, images, etc. to support the Wolfi OSS project
  4 | 
  5 | - [Images](#images)
  6 |   - [alpine-base](#alpine-base)
  7 |   - [apko](#apko)
  8 |   - [busybox](#busybox)
  9 |   - [gcc-musl](#gcc-musl)
 10 |   - [git](#git)
 11 |   - [melange](#melange)
 12 |   - [musl-dynamic](#musl-dynamic)
 13 |   - [sdk](#sdk)
 14 |   - [static](#static)
 15 |   - [wolfictl](#wolfictl)
 16 | 
 17 | ## Images
 18 | 
 19 | ### alpine-base
 20 | 
 21 | The [alpine-base](./images/alpine-base) image is a minimal Alpine-based image containing `apk` and basic tools to get started.
 22 | 
 23 | ```
 24 | ghcr.io/wolfi-dev/alpine-base:latest
 25 | ```
 26 | 
 27 | ### apko
 28 | 
 29 | The [apko](./images/apko) image contains [apko](https://github.com/chainguard-dev/apko).
 30 | 
 31 | ```
 32 | ghcr.io/wolfi-dev/apko:latest
 33 | ```
 34 | 
 35 | ### busybox
 36 | 
 37 | The [busybox](./images/busybox) image contains [busybox](https://busybox.net/) built from Alpine's busybox package.
 38 | 
 39 | ```
 40 | ghcr.io/wolfi-dev/busybox:alpine
 41 | ```
 42 | 
 43 | It's intended as a replacement for `cgr.dev/chainguard/busybox:latest`.
 44 | 
 45 | ### gcc-musl
 46 | 
 47 | The [gcc-musl](./images/gcc-musl) image contains a GCC toolchain built with musl libc from Alpine's packages.
 48 | 
 49 | ```
 50 | ghcr.io/wolfi-dev/gcc-musl:latest
 51 | ```
 52 | 
 53 | ### git
 54 | 
 55 | The [git](./images/git) image contains [git](https://git-scm.com/) built from Alpine's git package.
 56 | 
 57 | ```
 58 | ghcr.io/wolfi-dev/git:alpine
 59 | ghcr.io/wolfi-dev/git:alpine-root
 60 | ```
 61 | 
 62 | It's intended as a replacement for `cgr.dev/chainguard/git:latest` and `cgr.dev/chainguard/git:latest-root`.
 63 | 
 64 | ### melange
 65 | 
 66 | The [melange](./images/melange) image contains
 67 | [melange](https://github.com/chainguard-dev/melange).
 68 | 
 69 | ```
 70 | ghcr.io/wolfi-dev/melange:latest
 71 | ```
 72 | 
 73 | ### musl-dynamic
 74 | 
 75 | The [musl-dynamic](./images/musl-dynamic) image contains a musl libc built from Alpine's packages.
 76 | 
 77 | ```
 78 | ghcr.io/wolfi-dev/musl-dynamic:latest
 79 | ```
 80 | 
 81 | ### sdk
 82 | 
 83 | The [sdk](./images/sdk) image contains melange, apko, wolfictl and other tools such as Go needed to build these projects.
 84 | 
 85 | ```
 86 | ghcr.io/wolfi-dev/sdk:latest
 87 | ```
 88 | 
 89 | ### static
 90 | 
 91 | The [static](./images/static) image contains a minimal static base image built from Alpine's packages.
 92 | 
 93 | ```
 94 | ghcr.io/wolfi-dev/static:alpine
 95 | ```
 96 | 
 97 | It's intended as a replacement for `cgr.dev/chainguard/static:latest`.
 98 | 
 99 | ### wolfictl
100 | 
101 | The [wolfictl](./images/wolfictl) image contains
102 | [wolfictl](https://github.com/wolfi-dev/wolfictl).
103 | 
104 | ```
105 | ghcr.io/wolfi-dev/wolfictl:latest
106 | ```
107 | 


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
  1 | terraform {
  2 |   required_providers {
  3 |     cosign = {
  4 |       source  = "chainguard-dev/cosign"
  5 |       version = "0.1.0"
  6 |     }
  7 |     apko = {
  8 |       source  = "chainguard-dev/apko"
  9 |       version = "0.30.20"
 10 |     }
 11 |     oci = {
 12 |       source  = "chainguard-dev/oci"
 13 |       version = "0.0.25"
 14 |     }
 15 |   }
 16 | 
 17 |   # We don't take advantage of terraform.tfstate, so we don't need to save state anywhere.
 18 |   #
 19 |   # The default "local" backend has pathological performance as state gets large, see:
 20 |   # https://github.com/opentofu/opentofu/issues/578
 21 |   #
 22 |   # Consider removing this if that's ever fixed and/or if we want to use tfstate.
 23 |   backend "inmem" {}
 24 | }
 25 | 
 26 | variable "target_repository" {
 27 |   type        = string
 28 |   description = "The root repo into which the images should be published (e.g., cgr.dev/chainguard). Individual images will be published within this root repo."
 29 | }
 30 | 
 31 | variable "archs" {
 32 |   type        = list(string)
 33 |   default     = []
 34 |   description = "The architectures to build for. If empty, defaults to x86_64 and aarch64."
 35 | }
 36 | 
 37 | provider "apko" {
 38 |   extra_repositories = ["https://packages.wolfi.dev/os"]
 39 |   extra_keyring      = ["https://packages.wolfi.dev/os/wolfi-signing.rsa.pub"]
 40 |   extra_packages     = ["wolfi-baselayout"]
 41 |   default_archs      = length(var.archs) == 0 ? ["x86_64", "aarch64"] : var.archs
 42 | }
 43 | 
 44 | provider "apko" {
 45 |   alias = "alpine"
 46 | 
 47 |   extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"]
 48 |   extra_packages     = ["alpine-baselayout-data", "alpine-release", "ca-certificates-bundle"]
 49 |   // Don't build for riscv64, 386, arm/v6
 50 |   // Only build for: amd64, arm/v7, arm64, ppc64le, s390x
 51 |   default_archs = length(var.archs) == 0 ? ["amd64", "arm/v7", "arm64", "ppc64le", "s390x"] : var.archs
 52 | }
 53 | 
 54 | module "alpine-base" {
 55 |   source            = "./images/alpine-base"
 56 |   target_repository = "${var.target_repository}/alpine-base"
 57 |   providers         = { apko.alpine = apko.alpine }
 58 | }
 59 | 
 60 | module "apko" {
 61 |   source            = "./images/apko"
 62 |   target_repository = "${var.target_repository}/apko"
 63 | }
 64 | 
 65 | module "busybox" {
 66 |   source            = "./images/busybox"
 67 |   target_repository = "${var.target_repository}/busybox"
 68 |   providers         = { apko.alpine = apko.alpine }
 69 | }
 70 | 
 71 | module "gcc-musl" {
 72 |   source            = "./images/gcc-musl"
 73 |   target_repository = "${var.target_repository}/gcc-musl"
 74 |   providers         = { apko.alpine = apko.alpine }
 75 | }
 76 | 
 77 | module "git" {
 78 |   source            = "./images/git"
 79 |   target_repository = "${var.target_repository}/git"
 80 |   providers         = { apko.alpine = apko.alpine }
 81 | }
 82 | 
 83 | module "musl-dynamic" {
 84 |   source            = "./images/musl-dynamic"
 85 |   target_repository = "${var.target_repository}/musl-dynamic"
 86 |   providers         = { apko.alpine = apko.alpine }
 87 | }
 88 | 
 89 | module "sdk" {
 90 |   source            = "./images/sdk"
 91 |   target_repository = "${var.target_repository}/sdk"
 92 | }
 93 | 
 94 | module "static" {
 95 |   source            = "./images/static"
 96 |   target_repository = "${var.target_repository}/static"
 97 |   providers         = { apko.alpine = apko.alpine }
 98 | }
 99 | 
100 | module "spdx-tools" {
101 |   source            = "./images/spdx-tools"
102 |   target_repository = "${var.target_repository}/spdx-tools"
103 | }
104 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------