From 76db885e0d82020926b6c9e8997801decbf69dd0 Mon Sep 17 00:00:00 2001
From: Jason Hall <jason@chainguard.dev>
Date: Mon, 18 Mar 2024 16:20:13 -0400
Subject: [PATCH 1/3] Migrate alpine images to this repo (#99)

* migrate alpine images to this repo

Signed-off-by: Jason Hall <jason@chainguard.dev>

* update README

Signed-off-by: Jason Hall <jason@chainguard.dev>

---------

Signed-off-by: Jason Hall <jason@chainguard.dev>
---
 .github/workflows/presubmit-build.yaml        | 16 ++++
 .github/workflows/release.yaml                | 18 +++++
 README.md                                     | 76 ++++++++++++++++---
 images/busybox/alpine.tf                      | 18 +++++
 images/busybox/config/alpine/main.tf          | 28 +++++++
 images/busybox/main.tf                        | 30 ++++++++
 images/busybox/tests/main.tf                  | 14 ++++
 images/busybox/tests/runs.sh                  | 21 +++++
 images/git/alpine.tf                          | 23 ++++++
 images/git/config/main.tf                     | 46 +++++++++++
 images/git/main.tf                            | 40 ++++++++++
 images/git/tests/main.tf                      | 30 ++++++++
 images/git/tests/repo-clone.sh                | 18 +++++
 images/static/alpine.tf                       | 15 ++++
 images/static/configs/alpine.apko.yaml        | 13 ++++
 images/static/examples/Dockerfile.c           | 11 +++
 images/static/examples/Dockerfile.golang      | 10 +++
 images/static/examples/Dockerfile.rust        | 11 +++
 images/static/examples/hello.c                |  6 ++
 images/static/examples/main.go                |  7 ++
 images/static/main.tf                         | 30 ++++++++
 .../static/tests/01-multi-dockerfile-build.sh | 15 ++++
 images/static/tests/main.tf                   | 15 ++++
 23 files changed, 501 insertions(+), 10 deletions(-)
 create mode 100644 images/busybox/alpine.tf
 create mode 100644 images/busybox/config/alpine/main.tf
 create mode 100644 images/busybox/main.tf
 create mode 100644 images/busybox/tests/main.tf
 create mode 100755 images/busybox/tests/runs.sh
 create mode 100644 images/git/alpine.tf
 create mode 100644 images/git/config/main.tf
 create mode 100644 images/git/main.tf
 create mode 100644 images/git/tests/main.tf
 create mode 100755 images/git/tests/repo-clone.sh
 create mode 100644 images/static/alpine.tf
 create mode 100644 images/static/configs/alpine.apko.yaml
 create mode 100644 images/static/examples/Dockerfile.c
 create mode 100644 images/static/examples/Dockerfile.golang
 create mode 100644 images/static/examples/Dockerfile.rust
 create mode 100644 images/static/examples/hello.c
 create mode 100644 images/static/examples/main.go
 create mode 100644 images/static/main.tf
 create mode 100755 images/static/tests/01-multi-dockerfile-build.sh
 create mode 100644 images/static/tests/main.tf

diff --git a/.github/workflows/presubmit-build.yaml b/.github/workflows/presubmit-build.yaml
index 6ee2db65..dad7a7dd 100644
--- a/.github/workflows/presubmit-build.yaml
+++ b/.github/workflows/presubmit-build.yaml
@@ -42,3 +42,19 @@ jobs:
     uses: ./.github/workflows/.build.yaml
     with:
       image: wolfictl
+
+  static-alpine:
+    uses: ./.github/workflows/.build.yaml
+    with:
+      image: static
+
+
+  git-alpine:
+    uses: ./.github/workflows/.build.yaml
+    with:
+      image: git
+
+  busybox-alpine:
+    uses: ./.github/workflows/.build.yaml
+    with:
+      image: busybox
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e086349c..9b33f664 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -58,3 +58,21 @@ jobs:
     with:
       image: wolfictl
       registry: ghcr.io/wolfi-dev/wolfictl
+
+  static-alpibe:
+    uses: ./.github/workflows/.build.yaml
+    with:
+      image: static
+      registry: ghcr.io/wolfi-dev/static
+
+  static-git:
+    uses: ./.github/workflows/.build.yaml
+    with:
+      image: git
+      registry: ghcr.io/wolfi-dev/git
+
+  static-busybox:
+    uses: ./.github/workflows/.build.yaml
+    with:
+      image: busybox
+      registry: ghcr.io/wolfi-dev/busybox
diff --git a/README.md b/README.md
index 74b2f4e1..72a8549a 100644
--- a/README.md
+++ b/README.md
@@ -3,34 +3,64 @@
 Various tools, images, etc. to support the Wolfi OSS project
 
 - [Images](#images)
-  - [sdk](#sdk)
+  - [alpine-base](#alpine-base)
   - [apko](#apko)
+  - [busybox](#busybox)
+  - [gcc-musl](#gcc-musl)
+  - [git](#git)
   - [melange](#melange)
+  - [musl-dynamic](#musl-dynamic)
+  - [sdk](#sdk)
+  - [static](#static)
   - [wolfictl](#wolfictl)
 
 ## Images
 
-### sdk
+### alpine-base
 
-The [sdk](./images/sdk) image contains melange, apko,
-wolfictl and other tools such as Go needed to build these projects.
-
-This image is also used by [dag](https://github.com/wolfi-dev/dag)
-to build Wolfi packages for ARM etc.
+The [alpine-base](./images/alpine-base) image is a minimal Alpine-based image containing `apk` and basic tools to get started.
 
 ```
-ghcr.io/wolfi-dev/sdk:latest
+ghcr.io/wolfi-dev/alpine-base:latest
 ```
 
 ### apko
 
-The [apko](./images/apko) image contains
-[apko](https://github.com/chainguard-dev/apko).
+The [apko](./images/apko) image contains [apko](https://github.com/chainguard-dev/apko).
 
 ```
 ghcr.io/wolfi-dev/apko:latest
 ```
 
+### busybox
+
+The [busybox](./images/busybox) image contains [busybox](https://busybox.net/) built from Alpine's busybox package.
+
+```
+ghcr.io/wolfi-dev/busybox:alpine
+```
+
+It's intended as a replacement for `cgr.dev/chainguard/busybox:latest`.
+
+### gcc-musl
+
+The [gcc-musl](./images/gcc-musl) image contains a GCC toolchain built with musl libc from Alpine's packages.
+
+```
+ghcr.io/wolfi-dev/gcc-musl:latest
+```
+
+### git
+
+The [git](./images/git) image contains [git](https://git-scm.com/) built from Alpine's git package.
+
+```
+ghcr.io/wolfi-dev/git:alpine
+ghcr.io/wolfi-dev/git:alpine-root
+```
+
+It's intended as a replacement for `cgr.dev/chainguard/git:latest` and `cgr.dev/chainguard/git:latest-root`.
+
 ### melange
 
 The [melange](./images/melange) image contains
@@ -40,6 +70,32 @@ The [melange](./images/melange) image contains
 ghcr.io/wolfi-dev/melange:latest
 ```
 
+### musl-dynamic
+
+The [musl-dynamic](./images/musl-dynamic) image contains a musl libc built from Alpine's packages.
+
+```
+ghcr.io/wolfi-dev/musl-dynamic:latest
+```
+
+### sdk
+
+The [sdk](./images/sdk) image contains melange, apko, wolfictl and other tools such as Go needed to build these projects.
+
+```
+ghcr.io/wolfi-dev/sdk:latest
+```
+
+### static
+
+The [static](./images/static) image contains a minimal static base image built from Alpine's packages.
+
+```
+ghcr.io/wolfi-dev/static:alpine
+```
+
+It's intended as a replacement for `cgr.dev/chainguard/static:latest`.
+
 ### wolfictl
 
 The [wolfictl](./images/wolfictl) image contains
diff --git a/images/busybox/alpine.tf b/images/busybox/alpine.tf
new file mode 100644
index 00000000..304572fa
--- /dev/null
+++ b/images/busybox/alpine.tf
@@ -0,0 +1,18 @@
+module "alpine" { source = "./config/alpine" }
+
+module "latest-alpine" {
+  providers = {
+    apko = apko.alpine
+  }
+  source = "../../tflib/publisher"
+
+  target_repository = var.target_repository
+  config            = module.alpine.config
+  # Override the module's default wolfi packages that conflict with alpine
+  extra_packages = []
+}
+
+module "test-latest-alpine" {
+  source = "./tests"
+  digest = module.latest-alpine.image_ref
+}
diff --git a/images/busybox/config/alpine/main.tf b/images/busybox/config/alpine/main.tf
new file mode 100644
index 00000000..bed8ece5
--- /dev/null
+++ b/images/busybox/config/alpine/main.tf
@@ -0,0 +1,28 @@
+variable "extra_packages" {
+  description = "Extra packages to install."
+  type        = list(string)
+  default     = []
+}
+
+output "config" {
+  value = jsonencode({
+    contents = {
+      packages = concat([
+        "busybox",
+        "ssl_client", # ssl_client allows the busybox wget applet to use https.
+      ], var.extra_packages)
+    }
+    accounts = {
+      groups = [{
+        groupname = "nonroot"
+        gid       = 65532
+      }]
+      users = [{
+        username = "nonroot"
+        uid      = 65532
+        gid      = 65532
+      }]
+      run-as = 65532
+    }
+  })
+}
diff --git a/images/busybox/main.tf b/images/busybox/main.tf
new file mode 100644
index 00000000..01d8ae9e
--- /dev/null
+++ b/images/busybox/main.tf
@@ -0,0 +1,30 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+    apko = {
+      source                = "chainguard-dev/apko"
+      configuration_aliases = [apko.alpine]
+    }
+  }
+}
+
+provider "apko" {
+  alias = "alpine"
+
+  extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"]
+  # These packages match chainguard-images/static
+  extra_packages = ["alpine-baselayout-data", "alpine-release", "ca-certificates-bundle"]
+  // Don't build for riscv64, 386, arm/v6
+  // Only build for: amd64, arm/v7, arm64, ppc64le, s390x
+  default_archs = ["amd64", "arm/v7", "arm64", "ppc64le", "s390x"]
+}
+
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+resource "oci_tag" "alpine" {
+  depends_on = [module.test-latest-alpine]
+  digest_ref = module.latest-alpine.image_ref
+  tag        = "alpine"
+}
diff --git a/images/busybox/tests/main.tf b/images/busybox/tests/main.tf
new file mode 100644
index 00000000..25d2af27
--- /dev/null
+++ b/images/busybox/tests/main.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "digest" {
+  description = "The image digest to run tests over."
+}
+
+data "oci_exec_test" "runs" {
+  digest = var.digest
+  script = "${path.module}/runs.sh"
+}
diff --git a/images/busybox/tests/runs.sh b/images/busybox/tests/runs.sh
new file mode 100755
index 00000000..3e3db57a
--- /dev/null
+++ b/images/busybox/tests/runs.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -o errexit -o nounset -o errtrace -o pipefail -x
+
+docker run --rm $IMAGE_NAME ls >/dev/null
+
+# The image runs as nonroot by default.
+docker run --rm --entrypoint '' $IMAGE_NAME whoami | grep "^nonroot$"
+
+# The image contains many common utilities (some in /usr/bin and some in /bin)
+for cmd in awk basename cat chmod chown cp cut date dirname du echo egrep expr find grep head id ln ls mkdir mktemp mv printf pwd rm rmdir sed sh sort tail tar tee test touch tr uname uniq wc xargs; do
+	docker run --rm $IMAGE_NAME which $cmd | grep "/bin/$cmd$"
+done
+
+# The image can be used as a base image.
+cat <<EOF | docker build -t version -
+FROM ${IMAGE_NAME}
+RUN busybox
+ENTRYPOINT ["busybox"]
+EOF
+docker run --rm version | grep "BusyBox .* multi-call binary."
diff --git a/images/git/alpine.tf b/images/git/alpine.tf
new file mode 100644
index 00000000..144efdf1
--- /dev/null
+++ b/images/git/alpine.tf
@@ -0,0 +1,23 @@
+module "alpine" {
+  for_each           = local.accounts
+  source             = "./config"
+  root               = each.key == "root"
+  extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/community"]
+}
+
+module "latest-alpine" {
+  providers = {
+    apko = apko.alpine
+  }
+  for_each          = local.accounts
+  source            = "../../tflib/publisher"
+  target_repository = var.target_repository
+  config            = module.alpine[each.key].config
+  extra_packages    = [] // Don't add wolfi-baselayout
+}
+
+module "test-latest-alpine" {
+  for_each = local.accounts
+  source   = "./tests"
+  digest   = module.latest-alpine[each.key].image_ref
+}
diff --git a/images/git/config/main.tf b/images/git/config/main.tf
new file mode 100644
index 00000000..92ca4bb7
--- /dev/null
+++ b/images/git/config/main.tf
@@ -0,0 +1,46 @@
+variable "extra_packages" {
+  description = "Extra packages to install."
+  type        = list(string)
+  default     = []
+}
+
+variable "extra_repositories" {
+  description = "Extra repositories to add."
+  type        = list(string)
+  default     = []
+}
+
+variable "root" {
+  description = "Whether to run as root."
+  type        = bool
+  default     = false
+}
+
+output "config" {
+  value = jsonencode({
+    contents = {
+      repositories = var.extra_repositories
+      packages = concat([
+        "git",
+        "git-lfs",
+        "openssh-client",
+      ], var.extra_packages)
+    }
+    accounts = {
+      groups = [{
+        groupname = "git"
+        gid       = 65532
+      }]
+      users = [{
+        username = "git"
+        uid      = 65532
+        gid      = 65532
+      }]
+      run-as = var.root ? 0 : 65532
+    }
+    entrypoint = {
+      command = "/usr/bin/git"
+    }
+    work-dir = "/home/git"
+  })
+}
diff --git a/images/git/main.tf b/images/git/main.tf
new file mode 100644
index 00000000..9b0714cf
--- /dev/null
+++ b/images/git/main.tf
@@ -0,0 +1,40 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+    apko = {
+      source                = "chainguard-dev/apko"
+      configuration_aliases = [apko.alpine]
+    }
+  }
+}
+
+provider "apko" {
+  alias = "alpine"
+
+  extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"]
+  # These packages match chainguard-images/static
+  extra_packages = ["alpine-baselayout-data", "alpine-release", "ca-certificates-bundle"]
+  // Don't build for riscv64, 386, arm/v6
+  // Only build for: amd64, arm/v7, arm64, ppc64le, s390x
+  default_archs = ["amd64", "arm/v7", "arm64", "ppc64le", "s390x"]
+}
+
+locals {
+  accounts = toset(["nonroot", "root"])
+}
+
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+resource "oci_tag" "alpine" {
+  depends_on = [module.test-latest-alpine]
+  digest_ref = module.latest-alpine["nonroot"].image_ref
+  tag        = "alpine"
+}
+
+resource "oci_tag" "alpine-root" {
+  depends_on = [module.test-latest-alpine]
+  digest_ref = module.latest-alpine["root"].image_ref
+  tag        = "alpine-root"
+}
diff --git a/images/git/tests/main.tf b/images/git/tests/main.tf
new file mode 100644
index 00000000..a154c346
--- /dev/null
+++ b/images/git/tests/main.tf
@@ -0,0 +1,30 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "digest" {
+  description = "The image digest to run tests over."
+}
+
+variable "check-dev" {
+  default = false
+}
+
+data "oci_exec_test" "version" {
+  digest = var.digest
+  script = "docker run --rm $IMAGE_NAME --version"
+}
+
+data "oci_exec_test" "submodule" {
+  count = var.check-dev ? 1 : 0
+
+  digest = var.digest
+  script = "docker run --rm $IMAGE_NAME submodule -h"
+}
+
+data "oci_exec_test" "clone" {
+  digest = var.digest
+  script = "${path.module}/repo-clone.sh"
+}
diff --git a/images/git/tests/repo-clone.sh b/images/git/tests/repo-clone.sh
new file mode 100755
index 00000000..801a2069
--- /dev/null
+++ b/images/git/tests/repo-clone.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+set -o errexit -o nounset -o errtrace -o pipefail -x
+
+CLONE_URL=${CLONE_URL:-"https://github.com/chainguard-images/.github.git"}
+
+CLONEDIR="$(mktemp -d)"
+chmod go+wrx "${CLONEDIR}"
+
+# TODO: re-enable this delete. After performing the clone
+# in some cases, this results in a "permission denied" error
+# trap "rm -rf ${CLONEDIR}" EXIT
+
+# Try cloning a repo and check for README.md
+pushd "${CLONEDIR}"
+docker run --rm -v "${PWD}":/w -w /w $IMAGE_NAME clone --depth 1 $CLONE_URL .
+popd
+find "${CLONEDIR}/README.md" && echo "Smoketest passed."
diff --git a/images/static/alpine.tf b/images/static/alpine.tf
new file mode 100644
index 00000000..26c57ada
--- /dev/null
+++ b/images/static/alpine.tf
@@ -0,0 +1,15 @@
+module "alpine" {
+  providers = {
+    apko = apko.alpine
+  }
+  source = "../../tflib/publisher"
+
+  target_repository = var.target_repository
+  config            = file("${path.module}/configs/alpine.apko.yaml")
+  extra_packages    = [] # Override the default, which includes `wolfi-baselayout`
+}
+
+module "test-alpine" {
+  source = "./tests"
+  digest = module.alpine.image_ref
+}
diff --git a/images/static/configs/alpine.apko.yaml b/images/static/configs/alpine.apko.yaml
new file mode 100644
index 00000000..aff68768
--- /dev/null
+++ b/images/static/configs/alpine.apko.yaml
@@ -0,0 +1,13 @@
+contents:
+  packages:
+    - tzdata
+
+accounts:
+  groups:
+    - groupname: nonroot
+      gid: 65532
+  users:
+    - username: nonroot
+      uid: 65532
+      gid: 65532
+  run-as: 65532
diff --git a/images/static/examples/Dockerfile.c b/images/static/examples/Dockerfile.c
new file mode 100644
index 00000000..b0cbe7a1
--- /dev/null
+++ b/images/static/examples/Dockerfile.c
@@ -0,0 +1,11 @@
+ARG BASE=cgr.dev/chainguard/static
+
+FROM cgr.dev/chainguard/gcc-glibc as build
+
+COPY hello.c /hello.c
+RUN cc -static /hello.c -o /hello
+
+FROM $BASE
+
+COPY --from=build /hello /usr/local/bin/
+CMD ["hello"]
diff --git a/images/static/examples/Dockerfile.golang b/images/static/examples/Dockerfile.golang
new file mode 100644
index 00000000..03b6d3cd
--- /dev/null
+++ b/images/static/examples/Dockerfile.golang
@@ -0,0 +1,10 @@
+ARG BASE=cgr.dev/chainguard/static
+
+FROM cgr.dev/chainguard/go as build
+
+COPY main.go /main.go
+RUN CGO_ENABLED=0 go build -o /hello /main.go
+
+FROM $BASE
+COPY --from=build /hello /usr/local/bin/
+CMD ["hello"]
diff --git a/images/static/examples/Dockerfile.rust b/images/static/examples/Dockerfile.rust
new file mode 100644
index 00000000..f0b3b437
--- /dev/null
+++ b/images/static/examples/Dockerfile.rust
@@ -0,0 +1,11 @@
+ARG BASE=cgr.dev/chainguard/static
+
+FROM cgr.dev/chainguard/rust as build
+
+RUN echo 'fn main() { println!("Hello"); }' > hello.rs
+RUN rustc -C target-feature=+crt-static hello.rs
+
+FROM $BASE
+
+COPY --from=build /work/hello /usr/local/bin/
+CMD ["hello"]
diff --git a/images/static/examples/hello.c b/images/static/examples/hello.c
new file mode 100644
index 00000000..c461cda8
--- /dev/null
+++ b/images/static/examples/hello.c
@@ -0,0 +1,6 @@
+#include <stdio.h>
+
+int main() { 
+    printf("Hello!\n"); 
+    return 0;
+}
diff --git a/images/static/examples/main.go b/images/static/examples/main.go
new file mode 100644
index 00000000..44ee7ea6
--- /dev/null
+++ b/images/static/examples/main.go
@@ -0,0 +1,7 @@
+package main
+
+import "fmt"
+
+func main() {
+	fmt.Println("Hello!")
+}
diff --git a/images/static/main.tf b/images/static/main.tf
new file mode 100644
index 00000000..85f673f2
--- /dev/null
+++ b/images/static/main.tf
@@ -0,0 +1,30 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+    apko = {
+      source                = "chainguard-dev/apko"
+      configuration_aliases = [apko.alpine]
+    }
+  }
+}
+
+provider "apko" {
+  alias = "alpine"
+
+  extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"]
+  # These packages match chainguard-images/static
+  extra_packages = ["alpine-baselayout-data", "alpine-release", "ca-certificates-bundle"]
+  // Don't build for riscv64, 386, arm/v6
+  // Only build for: amd64, arm/v7, arm64, ppc64le, s390x
+  default_archs = ["amd64", "arm/v7", "arm64", "ppc64le", "s390x"]
+}
+
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+resource "oci_tag" "alpine" {
+  depends_on = [module.test-alpine]
+  digest_ref = module.alpine.image_ref
+  tag        = "alpine"
+}
diff --git a/images/static/tests/01-multi-dockerfile-build.sh b/images/static/tests/01-multi-dockerfile-build.sh
new file mode 100755
index 00000000..4517ff66
--- /dev/null
+++ b/images/static/tests/01-multi-dockerfile-build.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -o errexit -o nounset -o errtrace -o pipefail -x
+
+cd "$(dirname ${BASH_SOURCE[0]})/.."
+
+# Using registry.local:5000 as the BASE arg in `docker build` fails with
+# current versions of docker that use containerd under the hood.
+# Pre-pulling it uses docker's heuristics for allowing insecure registries.
+docker pull ${IMAGE_NAME}
+
+for lang in c golang rust; do
+  docker build --build-arg BASE=${IMAGE_NAME} --tag smoke-test-${lang}-${FREE_PORT} --file examples/Dockerfile.${lang} examples
+  docker run --rm smoke-test-${lang}-${FREE_PORT}
+done
diff --git a/images/static/tests/main.tf b/images/static/tests/main.tf
new file mode 100644
index 00000000..af2d8cfa
--- /dev/null
+++ b/images/static/tests/main.tf
@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "digest" {
+  description = "The image digest to run tests over."
+}
+
+data "oci_exec_test" "version" {
+  digest      = var.digest
+  script      = "./01-multi-dockerfile-build.sh"
+  working_dir = path.module
+}

From 222d41d0b08712fdd5d783abc4795dfc4c55e764 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 20 Mar 2024 13:34:22 +0000
Subject: [PATCH 2/3] Bump chainguard-dev/cosign from 0.0.17 to 0.0.19 in
 /tflib/publisher

Bumps [chainguard-dev/cosign](https://github.com/chainguard-dev/terraform-provider-cosign) from 0.0.17 to 0.0.19.
- [Release notes](https://github.com/chainguard-dev/terraform-provider-cosign/releases)
- [Changelog](https://github.com/chainguard-dev/terraform-provider-cosign/blob/main/.goreleaser.yml)
- [Commits](https://github.com/chainguard-dev/terraform-provider-cosign/compare/v0.0.17...v0.0.19)

---
updated-dependencies:
- dependency-name: chainguard-dev/cosign
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 tflib/publisher/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tflib/publisher/main.tf b/tflib/publisher/main.tf
index 7f473cd3..2a62599e 100644
--- a/tflib/publisher/main.tf
+++ b/tflib/publisher/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     cosign = {
       source  = "chainguard-dev/cosign"
-      version = "0.0.17"
+      version = "0.0.19"
     }
     apko = {
       source  = "chainguard-dev/apko"

From 0f8e32d4cb467d081bb257de1d2a61b4403fae0e Mon Sep 17 00:00:00 2001
From: Jon Johnson <jon.johnson@chainguard.dev>
Date: Tue, 19 Mar 2024 13:41:47 -0700
Subject: [PATCH 3/3] Bump all the tf stuff

Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>
---
 images/static/alpine.tf |  1 +
 tflib/publisher/main.tf | 11 +++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/images/static/alpine.tf b/images/static/alpine.tf
index 26c57ada..832f2911 100644
--- a/images/static/alpine.tf
+++ b/images/static/alpine.tf
@@ -7,6 +7,7 @@ module "alpine" {
   target_repository = var.target_repository
   config            = file("${path.module}/configs/alpine.apko.yaml")
   extra_packages    = [] # Override the default, which includes `wolfi-baselayout`
+  check_sbom        = false
 }
 
 module "test-alpine" {
diff --git a/tflib/publisher/main.tf b/tflib/publisher/main.tf
index 2a62599e..4c937263 100644
--- a/tflib/publisher/main.tf
+++ b/tflib/publisher/main.tf
@@ -6,7 +6,7 @@ terraform {
     }
     apko = {
       source  = "chainguard-dev/apko"
-      version = "0.13.0"
+      version = "0.15.2"
     }
   }
 }
@@ -20,13 +20,20 @@ variable "extra_packages" {
   default = ["wolfi-baselayout"]
 }
 
+variable "check_sbom" {
+  type        = bool
+  default     = false
+  description = "Whether to run the NTIA conformance checker over the images we produce prior to attesting the SBOMs."
+}
+
 module "this" {
   source  = "chainguard-dev/apko/publisher"
-  version = "0.0.10"
+  version = "0.0.12"
 
   target_repository = var.target_repository
   config            = var.config
   extra_packages    = var.extra_packages
+  check_sbom        = var.check_sbom
 }
 
 output "image_ref" {