diff --git a/.github/workflows/valkey.yaml b/.github/workflows/valkey.yaml
new file mode 100644
index 0000000..d19cf93
--- /dev/null
+++ b/.github/workflows/valkey.yaml
@@ -0,0 +1,39 @@
+name: valkey
+
+on:
+ schedule:
+ - cron: "00 01 * * 1-5"
+ pull_request:
+ paths:
+ - .github/workflows/valkey.yaml
+ - 'images/valkey/*.yaml'
+ - 'images/valkey/**/*.yaml'
+ push:
+ branches:
+ - 'main'
+ paths:
+ - .github/workflows/valkey.yaml
+ - 'images/valkey/*.yaml'
+ - 'images/valkey/**/*.yaml'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+ security-events: write
+ actions: read
+
+jobs:
+ publish:
+ strategy:
+ matrix:
+ version: [latest, "8.1"]
+ variant: [prod, dev]
+ name: ${{ matrix.version }}${{ matrix.variant == 'shell' && '-shell' || matrix.variant == 'dev' && '-dev' || '' }}
+ uses: './.github/workflows/release.yaml'
+ with:
+ tag: ${{ matrix.version }}${{ matrix.variant == 'shell' && '-shell' || matrix.variant == 'dev' && '-dev' || '' }}
+ target: ${{ format('{0}/{1}', matrix.version, matrix.variant) }}
+ secrets: inherit
diff --git a/README.md b/README.md
index 6673458..00b8725 100644
--- a/README.md
+++ b/README.md
@@ -40,3 +40,4 @@
 | [redis-bitnami](./images/redis-bitnami/) | `docker pull ghcr.io/gitguardian/wolfi/redis-bitnami` |
 | [shell](./images/shell/) | `docker pull ghcr.io/gitguardian/wolfi/shell` |
 | [traefik](./images/traefik/) | `docker pull ghcr.io/gitguardian/wolfi/traefik` |
+| [valkey](./images/valkey/) | `docker pull ghcr.io/gitguardian/wolfi/valkey` |
diff --git a/images/valkey/8.1/dev.yaml b/images/valkey/8.1/dev.yaml
new file mode 100644
index 0000000..4435a12
--- /dev/null
+++ b/images/valkey/8.1/dev.yaml
@@ -0,0 +1,6 @@
+include: images/valkey/dev.yaml
+
+contents:
+ packages:
+ - valkey-8.1
+ - valkey-8.1-cli
diff --git a/images/valkey/8.1/prod.yaml b/images/valkey/8.1/prod.yaml
new file mode 100644
index 0000000..b341438
--- /dev/null
+++ b/images/valkey/8.1/prod.yaml
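Review bot: The `matrix.variant == 'shell' && '-shell'` arm in both the `name:` and `with.tag:` expressions is dead, because `variant: [prod, dev]` never yields `shell`; either drop it, `name: ${{ matrix.version }}${{ matrix.variant == 'dev' && '-dev' || '' }}` (and the same for `tag:`), or add `shell` to the matrix, since images/valkey/README.md in this same commit documents `latest-shell` tags that no job here builds. The workflow-level `permissions` block grants `packages: write`, `id-token: write`, `attestations: write` and `security-events: write` to every trigger including `pull_request`; if release.yaml does not itself gate publishing on the event (not visible here), a same-repo PR run can push and attest images, so consider scoping the write grants to the push/schedule path or adding a comment stating why PR runs need them. Note also that `paths:` omits `.github/workflows/release.yaml`, so a change to the reusable workflow does not re-run this one; if that is intended, say so in a comment.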
@@ -0,0 +1,6 @@
+include: images/valkey/prod.yaml
+
+contents:
+ packages:
+ - valkey-8.1
+ - valkey-8.1-cli
diff --git a/images/valkey/README.md b/images/valkey/README.md
new file mode 100644
index 0000000..5439f13
--- /dev/null
+++ b/images/valkey/README.md
@@ -0,0 +1,93 @@
+# Valkey
+
+Minimal Python image based on Wolfi.
+
+## Versions
+
+| 📌 Version | ⬇️ Pull URL |
+| ---------- | --------------------------------------------- |
+| latest | ghcr.io/gitguardian/wolfi/valkey:latest |
+| latest-dev | ghcr.io/gitguardian/wolfi/valkey:latest-dev |
+| 8.1 | ghcr.io/gitguardian/wolfi/valkey:8.1 |
+| 8.1-dev | ghcr.io/gitguardian/wolfi/valkey:8.1-dev |
+
+
+## ✅ Verify the Provenance
+
+```shell
+gh attestation verify \
+ --owner gitguardian \
+ oci://ghcr.io/gitguardian/wolfi/valkey:latest
+```
+
+- **Shell image**
+
+```shell
+gh attestation verify \
+ --owner gitguardian \
+ oci://ghcr.io/gitguardian/wolfi/valkey:latest-shell
+```
+
+## 📦 **Image Verification**
+cosign verify \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+ ghcr.io/gitguardian/wolfi/valkey:latest | jq
+```
+
+- **Shell image**
+cosign verify \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+ ghcr.io/gitguardian/wolfi/valkey:latest-shell | jq
+```
+
+### 📦 **Image SBOMs**
+ --type=https://spdx.dev/Document \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+ ghcr.io/gitguardian/wolfi/valkey:latest
+```
+
+- **Shell image**
+ --type=https://spdx.dev/Document \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+ ghcr.io/gitguardian/wolfi/valkey:latest-shell
+```
+
+This will pull in the signature for the attestation specified by the --type parameter, which in this case is the SPDX attestation.
You will receive output that verifies the SBOM attestation signature in cosign's transparency log:
+
+```shell
+Verification for ghcr.io/gitguardian/wolfi/valkey:latest --
+The following checks were performed on each of these signatures:
+ - The cosign claims were validated
+ - Existence of the claims in the transparency log was verified offline
+Certificate issuer URL: https://token.actions.githubusercontent.com
+GitHub Workflow Trigger: push
+GitHub Workflow SHA: ced6b3cfab1341509de55bff7c0389ce81f73aae
+GitHub Workflow Name: valkey
+GitHub Workflow Repository: GitGuardian/wolfi
+GitHub Workflow Ref: refs/heads/main
+...
+```
+
+#### ✅ Download the Image SBOM Attestations
+
+To download an attestation, use the `cosign` download attestation command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the valkey image on `linux/amd64`:
+
+- **Production image**
+
+```shell
+cosign download attestation \
+ --platform=linux/amd64 \
+ --predicate-type=https://spdx.dev/Document \
+ ghcr.io/gitguardian/wolfi/valkey:latest | jq -r .payload | base64 -d | jq .predicate
+```
+
+- **Shell image**
+cosign download attestation \
+ --platform=linux/amd64 \
+ --predicate-type=https://spdx.dev/Document \
+ ghcr.io/gitguardian/wolfi/valkey:latest-shell | jq -r .payload | base64 -d | jq .predicate
+```
diff --git a/images/valkey/dev.yaml b/images/valkey/dev.yaml
new file mode 100644
index 0000000..e2855f9
--- /dev/null
+++ b/images/valkey/dev.yaml
@@ -0,0 +1,12 @@
+include: images/valkey/prod.yaml
+
+contents:
+ packages:
+ - apk-tools
+ - build-base
+ - git
+ - vim
+ - wolfi-keys
+
+accounts:
+ run-as: root
diff --git a/images/valkey/latest/dev.yaml b/images/valkey/latest/dev.yaml
new file mode 100644
index 0000000..37f98c7
--- /dev/null
+++ b/images/valkey/latest/dev.yaml
@@ -0,0 +1 @@
+include: images/valkey/8.1/dev.yaml
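Review bot: `run-as: root` under `accounts:` in images/valkey/dev.yaml silently overrides the `run-as: valkey` inherited from images/valkey/prod.yaml, and together with `apk-tools` and `wolfi-keys` it makes the `-dev` tag a root-running image with a working package manager, yet nothing in the file records that this is deliberate. A comment above the key, `# dev variant only: runs as root with apk-tools for interactive debugging; prod keeps run-as valkey`, states the intent and keeps a later cleanup from "fixing" it back. Since the dev tags are published to the same registry and documented next to the prod tags in this commit's README, the same note belongs in the README's version table so consumers can tell the two apart.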
diff --git a/images/valkey/latest/prod.yaml b/images/valkey/latest/prod.yaml
new file mode 100644
index 0000000..57d1c84
--- /dev/null
+++ b/images/valkey/latest/prod.yaml
@@ -0,0 +1 @@
+include: images/valkey/8.1/prod.yaml
diff --git a/images/valkey/prod.yaml b/images/valkey/prod.yaml
new file mode 100644
index 0000000..42c37f4
--- /dev/null
+++ b/images/valkey/prod.yaml
@@ -0,0 +1,54 @@
+include: images/apko.yaml
+
+contents:
+ packages:
+ - bash
+ - busybox
+ - ca-certificates-bundle
+ - gosu
+ - curl
+ - wolfi-baselayout
+
+accounts:
+ groups:
+ - groupname: valkey
+ gid: 999
+ users:
+ - username: valkey
+ uid: 999
+ gid: 999
+ run-as: valkey
+
+paths:
+ - path: /var/lib/valkey
+ type: directory
+ permissions: 0o755
+ uid: 999
+ gid: 999
+ - path: /var/lib/valkey/data
+ type: directory
+ permissions: 0o755
+ uid: 999
+ gid: 999
+ - path: /etc/valkey
+ type: directory
+ permissions: 0o755
+ uid: 999
+ gid: 999
+ - path: /var/log/valkey
+ type: directory
+ permissions: 0o755
+ uid: 999
+ gid: 999
+
+work-dir: /var/lib/valkey
+
+entrypoint:
+ command: /usr/bin/docker-entrypoint.sh
+
+cmd: valkey-server /etc/valkey/valkey.conf
+
+annotations:
+ org.opencontainers.image.title: 'Valkey'
+ org.opencontainers.image.description: 'Valkey image based on Wolfi OS'
+ org.opencontainers.image.source: 'https://github.com/GitGuardian/wolfi/tree/main/images/valkey'
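Review bot: `cmd: valkey-server /etc/valkey/valkey.conf` in images/valkey/prod.yaml names a file this config never creates: `/etc/valkey` is declared only as an empty directory under `paths:`, and none of the packages listed here is valkey itself (the 8.1 include adds `valkey-8.1`), so unless that package ships a default `/etc/valkey/valkey.conf` the container exits at start. The same question applies to `entrypoint.command: /usr/bin/docker-entrypoint.sh`, which no listed package obviously provides; a comment on each line naming the package that supplies the file, e.g. `# provided by the valkey-<ver> package pulled in by 8.1/prod.yaml`, or a `paths:` entry for the config, makes the dependency explicit. `gosu` is also listed while `accounts.run-as: valkey` means the entrypoint never starts as root, so gosu cannot drop privileges there; if the entrypoint script calls it, run-as and the script disagree, and otherwise gosu (and likely `curl`) are surplus packages widening the prod image for no benefit.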