Merge branch 'main' into dependabot/github_actions/actions/upload-art…

…ifact-4

.github/workflows/presubmit-build.yaml

@@ -42,3 +42,19 @@ jobs:
     uses: ./.github/workflows/.build.yaml
     with:
       image: wolfictl
+
+  static-alpine:
+    uses: ./.github/workflows/.build.yaml
+    with:
+      image: static
+
+
+  git-alpine:
+    uses: ./.github/workflows/.build.yaml
+    with:
+      image: git
+
+  busybox-alpine:
+    uses: ./.github/workflows/.build.yaml
+    with:
+      image: busybox

.github/workflows/release.yaml

@@ -58,3 +58,21 @@ jobs:
     with:
       image: wolfictl
       registry: ghcr.io/wolfi-dev/wolfictl
+
+  static-alpibe:
+    uses: ./.github/workflows/.build.yaml
+    with:
+      image: static
+      registry: ghcr.io/wolfi-dev/static
+
+  static-git:
+    uses: ./.github/workflows/.build.yaml
+    with:
+      image: git
+      registry: ghcr.io/wolfi-dev/git
+
+  static-busybox:
+    uses: ./.github/workflows/.build.yaml
+    with:
+      image: busybox
+      registry: ghcr.io/wolfi-dev/busybox

README.md

@@ -3,34 +3,64 @@
 Various tools, images, etc. to support the Wolfi OSS project
 
 - [Images](#images)
-  - [sdk](#sdk)
+  - [alpine-base](#alpine-base)
   - [apko](#apko)
+  - [busybox](#busybox)
+  - [gcc-musl](#gcc-musl)
+  - [git](#git)
   - [melange](#melange)
+  - [musl-dynamic](#musl-dynamic)
+  - [sdk](#sdk)
+  - [static](#static)
   - [wolfictl](#wolfictl)
 
 ## Images
 
-### sdk
+### alpine-base
 
-The [sdk](./images/sdk) image contains melange, apko,
-wolfictl and other tools such as Go needed to build these projects.
-
-This image is also used by [dag](https://github.com/wolfi-dev/dag)
-to build Wolfi packages for ARM etc.
+The [alpine-base](./images/alpine-base) image is a minimal Alpine-based image containing `apk` and basic tools to get started.
 
 ```
-ghcr.io/wolfi-dev/sdk:latest
+ghcr.io/wolfi-dev/alpine-base:latest
 ```
 
 ### apko
 
-The [apko](./images/apko) image contains
-[apko](https://github.com/chainguard-dev/apko).
+The [apko](./images/apko) image contains [apko](https://github.com/chainguard-dev/apko).
 
 ```
 ghcr.io/wolfi-dev/apko:latest
 ```
 
+### busybox
+
+The [busybox](./images/busybox) image contains [busybox](https://busybox.net/) built from Alpine's busybox package.
+
+```
+ghcr.io/wolfi-dev/busybox:alpine
+```
+
+It's intended as a replacement for `cgr.dev/chainguard/busybox:latest`.
+
+### gcc-musl
+
+The [gcc-musl](./images/gcc-musl) image contains a GCC toolchain built with musl libc from Alpine's packages.
+
+```
+ghcr.io/wolfi-dev/gcc-musl:latest
+```
+
+### git
+
+The [git](./images/git) image contains [git](https://git-scm.com/) built from Alpine's git package.
+
+```
+ghcr.io/wolfi-dev/git:alpine
+ghcr.io/wolfi-dev/git:alpine-root
+```
+
+It's intended as a replacement for `cgr.dev/chainguard/git:latest` and `cgr.dev/chainguard/git:latest-root`.
+
 ### melange
 
 The [melange](./images/melange) image contains
@@ -40,6 +70,32 @@ The [melange](./images/melange) image contains
 ghcr.io/wolfi-dev/melange:latest
 ```
 
+### musl-dynamic
+
+The [musl-dynamic](./images/musl-dynamic) image contains a musl libc built from Alpine's packages.
+
+```
+ghcr.io/wolfi-dev/musl-dynamic:latest
+```
+
+### sdk
+
+The [sdk](./images/sdk) image contains melange, apko, wolfictl and other tools such as Go needed to build these projects.
+
+```
+ghcr.io/wolfi-dev/sdk:latest
+```
+
+### static
+
+The [static](./images/static) image contains a minimal static base image built from Alpine's packages.
+
+```
+ghcr.io/wolfi-dev/static:alpine
+```
+
+It's intended as a replacement for `cgr.dev/chainguard/static:latest`.
+
 ### wolfictl
 
 The [wolfictl](./images/wolfictl) image contains

images/busybox/alpine.tf

@@ -0,0 +1,18 @@
+module "alpine" { source = "./config/alpine" }
+
+module "latest-alpine" {
+  providers = {
+    apko = apko.alpine
+  }
+  source = "../../tflib/publisher"
+
+  target_repository = var.target_repository
+  config            = module.alpine.config
+  # Override the module's default wolfi packages that conflict with alpine
+  extra_packages = []
+}
+
+module "test-latest-alpine" {
+  source = "./tests"
+  digest = module.latest-alpine.image_ref
+}

images/busybox/config/alpine/main.tf

@@ -0,0 +1,28 @@
+variable "extra_packages" {
+  description = "Extra packages to install."
+  type        = list(string)
+  default     = []
+}
+
+output "config" {
+  value = jsonencode({
+    contents = {
+      packages = concat([
+        "busybox",
+        "ssl_client", # ssl_client allows the busybox wget applet to use https.
+      ], var.extra_packages)
+    }
+    accounts = {
+      groups = [{
+        groupname = "nonroot"
+        gid       = 65532
+      }]
+      users = [{
+        username = "nonroot"
+        uid      = 65532
+        gid      = 65532
+      }]
+      run-as = 65532
+    }
+  })
+}

images/busybox/main.tf

@@ -0,0 +1,30 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+    apko = {
+      source                = "chainguard-dev/apko"
+      configuration_aliases = [apko.alpine]
+    }
+  }
+}
+
+provider "apko" {
+  alias = "alpine"
+
+  extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"]
+  # These packages match chainguard-images/static
+  extra_packages = ["alpine-baselayout-data", "alpine-release", "ca-certificates-bundle"]
+  // Don't build for riscv64, 386, arm/v6
+  // Only build for: amd64, arm/v7, arm64, ppc64le, s390x
+  default_archs = ["amd64", "arm/v7", "arm64", "ppc64le", "s390x"]
+}
+
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+resource "oci_tag" "alpine" {
+  depends_on = [module.test-latest-alpine]
+  digest_ref = module.latest-alpine.image_ref
+  tag        = "alpine"
+}

images/busybox/tests/main.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "digest" {
+  description = "The image digest to run tests over."
+}
+
+data "oci_exec_test" "runs" {
+  digest = var.digest
+  script = "${path.module}/runs.sh"
+}

images/busybox/tests/runs.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -o errexit -o nounset -o errtrace -o pipefail -x
+
+docker run --rm $IMAGE_NAME ls >/dev/null
+
+# The image runs as nonroot by default.
+docker run --rm --entrypoint '' $IMAGE_NAME whoami | grep "^nonroot$"
+
+# The image contains many common utilities (some in /usr/bin and some in /bin)
+for cmd in awk basename cat chmod chown cp cut date dirname du echo egrep expr find grep head id ln ls mkdir mktemp mv printf pwd rm rmdir sed sh sort tail tar tee test touch tr uname uniq wc xargs; do
+	docker run --rm $IMAGE_NAME which $cmd | grep "/bin/$cmd$"
+done
+
+# The image can be used as a base image.
+cat <<EOF | docker build -t version -
+FROM ${IMAGE_NAME}
+RUN busybox
+ENTRYPOINT ["busybox"]
+EOF
+docker run --rm version | grep "BusyBox .* multi-call binary."

images/git/alpine.tf

@@ -0,0 +1,23 @@
+module "alpine" {
+  for_each           = local.accounts
+  source             = "./config"
+  root               = each.key == "root"
+  extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/community"]
+}
+
+module "latest-alpine" {
+  providers = {
+    apko = apko.alpine
+  }
+  for_each          = local.accounts
+  source            = "../../tflib/publisher"
+  target_repository = var.target_repository
+  config            = module.alpine[each.key].config
+  extra_packages    = [] // Don't add wolfi-baselayout
+}
+
+module "test-latest-alpine" {
+  for_each = local.accounts
+  source   = "./tests"
+  digest   = module.latest-alpine[each.key].image_ref
+}

images/git/config/main.tf

@@ -0,0 +1,46 @@
+variable "extra_packages" {
+  description = "Extra packages to install."
+  type        = list(string)
+  default     = []
+}
+
+variable "extra_repositories" {
+  description = "Extra repositories to add."
+  type        = list(string)
+  default     = []
+}
+
+variable "root" {
+  description = "Whether to run as root."
+  type        = bool
+  default     = false
+}
+
+output "config" {
+  value = jsonencode({
+    contents = {
+      repositories = var.extra_repositories
+      packages = concat([
+        "git",
+        "git-lfs",
+        "openssh-client",
+      ], var.extra_packages)
+    }
+    accounts = {
+      groups = [{
+        groupname = "git"
+        gid       = 65532
+      }]
+      users = [{
+        username = "git"
+        uid      = 65532
+        gid      = 65532
+      }]
+      run-as = var.root ? 0 : 65532
+    }
+    entrypoint = {
+      command = "/usr/bin/git"
+    }
+    work-dir = "/home/git"
+  })
+}

images/git/main.tf

@@ -0,0 +1,40 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+    apko = {
+      source                = "chainguard-dev/apko"
+      configuration_aliases = [apko.alpine]
+    }
+  }
+}
+
+provider "apko" {
+  alias = "alpine"
+
+  extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"]
+  # These packages match chainguard-images/static
+  extra_packages = ["alpine-baselayout-data", "alpine-release", "ca-certificates-bundle"]
+  // Don't build for riscv64, 386, arm/v6
+  // Only build for: amd64, arm/v7, arm64, ppc64le, s390x
+  default_archs = ["amd64", "arm/v7", "arm64", "ppc64le", "s390x"]
+}
+
+locals {
+  accounts = toset(["nonroot", "root"])
+}
+
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+resource "oci_tag" "alpine" {
+  depends_on = [module.test-latest-alpine]
+  digest_ref = module.latest-alpine["nonroot"].image_ref
+  tag        = "alpine"
+}
+
+resource "oci_tag" "alpine-root" {
+  depends_on = [module.test-latest-alpine]
+  digest_ref = module.latest-alpine["root"].image_ref
+  tag        = "alpine-root"
+}