17 Commits

Author	SHA1	Message	Date
Mathias Beaulieu-Duncan	70fc24a7e6	Fix apko install: assign env to shell var before use in URL ... Gitea drops the second ${{ env.APKO_VERSION }} expansion when multiple expressions appear on the same line. Assigning to a shell variable first avoids the bug. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 10:46:09 -05:00
Mathias Beaulieu-Duncan	193ce6f4c6	Upgrade apko from 0.21.0 to 1.1.2 ... Fixes wolfi-baselayout install failure caused by symlink tar entry handling that changed in newer Wolfi packages. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 10:42:01 -05:00
Mathias Beaulieu-Duncan	6593a17aea	Switch provenance back to mode=max for Docker Scout compliance ... Attestations are stored as separate manifests in the OCI index, not in the image layers. Docker pull only fetches the platform manifest, so mode=max does not affect actual pull size. Docker Scout requires max mode for full compliance. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 10:40:49 -05:00
Mathias Beaulieu-Duncan	f9890ff15d	Pin apko version to avoid GitHub API rate limiting ... Dynamic resolution via api.github.com/repos/.../releases/latest hits the 60 req/hour unauthenticated rate limit when 5 matrix variants run across multiple pipelines. Pin to v0.21.0 as a top-level env var for easy updates. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 10:39:48 -05:00
Mathias Beaulieu-Duncan	9e93d02602	Switch provenance from mode=max to mode=min to reduce image size ... mode=max embeds full build logs and environment as attestation layers, roughly doubling the reported image size. mode=min still satisfies provenance compliance with minimal metadata overhead. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 10:36:43 -05:00
Mathias Beaulieu-Duncan	f72130c6bf	Add USER 65532 to generated Dockerfile for non-root compliance ... The FROM scratch + ADD pattern loses apko's OCI config metadata including the run-as user. Adding USER 65532 to the Dockerfile restores the non-root default that Docker Scout checks for. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 10:34:15 -05:00
Mathias Beaulieu-Duncan	7c2d558a35	Replace cosign with docker buildx for SBOM and provenance attestations ... Cosign keyless mode requires OIDC browser auth which is not viable in CI. Switch all three pipelines to use apko build + docker buildx with --sbom=true and --provenance=mode=max for automatic attestation. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 10:29:27 -05:00
Mathias Beaulieu-Duncan	510bfa01b9	Fix provenance: pass only predicate to cosign, not full in-toto statement ... cosign attest --type slsaprovenance expects the predicate JSON only (builder, buildType, invocation, metadata). It wraps it in the in-toto statement envelope itself. Passing the full statement caused cosign to look for builder at the wrong nesting level. Ref: https://github.com/sigstore/cosign/issues/3757 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 10:21:39 -05:00
Mathias Beaulieu-Duncan	b3372fce38	Add versioned tags with auto-incrementing build number ... Each variant now gets a versioned tag alongside -latest: - base/build: glibc version (e.g. base-2.42.1, base-2.42.2) - dotnet-runtime: .NET runtime version (e.g. dotnet-runtime-10.0.0.1) - dotnet-sdk: .NET SDK version (e.g. dotnet-sdk-10.0.100.1) - flutter-sdk: Flutter version (e.g. flutter-sdk-3.38.9.1) The build number auto-increments by querying existing tags on DockerHub. Also fixes provenance JSON (use jq instead of heredoc) and adds push-on-self triggers for publish/rebuild pipelines. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 10:19:42 -05:00
Mathias Beaulieu-Duncan	dcedc113e8	Fix provenance JSON: use jq instead of heredoc to avoid whitespace ... The heredoc with YAML indentation produced JSON with leading spaces, causing cosign to fail with "required field builder missing". Use jq -n with --arg to generate clean JSON. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 10:17:16 -05:00
Mathias Beaulieu-Duncan	2e07c31e99	Add SBOM and provenance attestations via cosign ... Use cosign to attach SPDX SBOM (generated by apko) and SLSA provenance attestations to all published images. Applied to publish, rebuild, and update-check pipelines. Also added push trigger on self-path for rebuild.yaml. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 10:12:47 -05:00
Mathias Beaulieu-Duncan	d6cac3cc8b	Fix apko tar extraction: binary is in a subdirectory ... The tarball contains apko_1.1.2_linux_amd64/apko, not a flat apko binary. Use --strip-components=1 to extract correctly. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 10:02:18 -05:00
Mathias Beaulieu-Duncan	b2bf4e309a	Fix apko asset filename: include version number ... Asset naming is apko_1.1.2_linux_amd64.tar.gz, not apko_linux_amd64.tar.gz. Strip the v prefix from the tag to build the correct filename. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 10:01:06 -05:00
Mathias Beaulieu-Duncan	3bd65d9e05	Fix apko install: resolve version via GitHub API instead of /latest redirect ... The Gitea runner doesn't follow GitHub's /latest/download/ 302 redirect properly. Resolve the version tag explicitly via the GitHub API, then download from the versioned URL directly. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 09:58:52 -05:00
Mathias Beaulieu-Duncan	ee428c1331	Fix apko install URL and Flutter release check in CI pipelines ... - apko release assets use lowercase OS and Go arch naming (linux_amd64), but uname returns Linux and x86_64. Map with tr/sed before building the download URL. - Flutter release check used curl -fsSL which fails on 404 when the release doesn't exist yet. Switch to -sS so the step continues and correctly detects new versions. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 09:48:31 -05:00
Mathias Beaulieu-Duncan	60d6d3bbec	Rename flutter to flutter-sdk, add curl to runtime, add update-check pipeline ... - Rename flutter variant to flutter-sdk for clarity across all configs and pipelines - Add curl to dotnet-runtime apko config (needed to bootstrap .NET runtime installation in downstream Dockerfiles) - Add daily update-check pipeline that monitors Flutter stable channel and Wolfi package updates, auto-creates releases for new Flutter versions and rebuilds all variants with latest packages Tested all variants with real workloads: - dotnet-sdk: dotnet new console + build + run - dotnet-runtime: multi-stage build, run prebuilt app - flutter-sdk: flutter create + build web --release Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 02:54:44 -05:00
Mathias Beaulieu-Duncan	734939fd12	Initial base distro with apko/Wolfi configs ... Five minimal OCI image variants built with apko: - base: ~5.5MB glibc runtime (wolfi-baselayout, libstdc++, ca-certs, tzdata) - build: base + build tools (bash, git, curl, wget, unzip, xz) - dotnet-runtime: base + ICU, OpenSSL, zlib for .NET runtime - dotnet-sdk: build + ICU, OpenSSL, zlib for .NET SDK - flutter: build variant configured for Flutter SDK Includes melange package definitions for .NET 10 SDK/runtime and Flutter SDK (for future use when building custom APKs). CI/CD pipelines: publish on release, Scout CVE comparison on PRs, weekly rebuild for Wolfi security patches. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-02 02:32:32 -05:00