Add Flutter SDK Android and Linux base images with native Wolfi packages

- Add flutter-sdk-android.yaml with OpenJDK 17 from Wolfi packages
- Add flutter-sdk-linux.yaml with clang-19, cmake, ninja, GTK3 from Wolfi
- Update publish workflow to build new variants

This eliminates the need to copy libraries from Debian, removing all
Debian-sourced CVEs from the derived Flutter SDK images.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.gitea/workflows/publish.yaml

@@ -3,13 +3,16 @@ name: Build and Push Base Distro Images
 on:
   release:
     types: [published, prereleased]
-  workflow_dispatch:
+  push:
+    paths:
+      - '.gitea/workflows/publish.yaml'
 
 permissions:
   contents: read
 
 env:
   IMAGE_NAME: base-distro
+  APKO_VERSION: 1.1.2
 
 jobs:
   build-and-push:
@@ -27,11 +30,15 @@ jobs:
             variant: dotnet-sdk
           - config: apko/flutter-sdk.yaml
             variant: flutter-sdk
+          - config: apko/flutter-sdk-android.yaml
+            variant: flutter-sdk-android
+          - config: apko/flutter-sdk-linux.yaml
+            variant: flutter-sdk-linux
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
 
-      - name: Determine tag
+      - name: Determine tag type
         id: tag
         run: |
           if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
@@ -42,9 +49,18 @@ jobs:
 
       - name: Install apko
         run: |
-          APKO_OS=$(uname -s | tr '[:upper:]' '[:lower:]')
           APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
-          curl -fsSL "https://github.com/chainguard-dev/apko/releases/latest/download/apko_${APKO_OS}_${APKO_ARCH}.tar.gz" | tar xz -C /usr/local/bin apko
+          APKO_VER="${{ env.APKO_VERSION }}"
+          curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/v${APKO_VER}/apko_${APKO_VER}_linux_${APKO_ARCH}.tar.gz" \
+            -o /tmp/apko.tar.gz
+          tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
+          rm /tmp/apko.tar.gz
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to Docker Registry
         uses: docker/login-action@v3
@@ -52,10 +68,116 @@ jobs:
           username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
 
-      - name: Build and push image
+      - name: Determine upstream version
+        id: version
         run: |
-          apko publish ${{ matrix.config }} \
+          VARIANT="${{ matrix.variant }}"
+
+          case "$VARIANT" in
+            base|build)
+              UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc-\K[0-9]+\.[0-9]+' | head -1 || echo "0.0")
+              if [ "$UPSTREAM" = "" ] || [ "$UPSTREAM" = "0.0" ]; then
+                UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc \(\K[0-9]+\.[0-9]+' | head -1 || echo "2.42")
+              fi
+              ;;
+            dotnet-runtime)
+              UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \
+                | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-runtime"] | sort_by(. | split(".") | map(tonumber)) | last')
+              ;;
+            dotnet-sdk)
+              UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \
+                | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-sdk"] | sort_by(. | split(".") | map(tonumber)) | last')
+              ;;
+            flutter-sdk|flutter-sdk-android|flutter-sdk-linux)
+              UPSTREAM=$(curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json" \
+                | jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version')
+              ;;
+          esac
+
+          echo "upstream=${UPSTREAM}" >> "$GITHUB_OUTPUT"
+          echo "Upstream version for ${VARIANT}: ${UPSTREAM}"
+
+          REPO_NAME="${{ env.IMAGE_NAME }}"
+          REGISTRY_URL="${{ secrets.REGISTRY_URL }}"
+          NAMESPACE=$(echo "$REGISTRY_URL" | sed 's|.*://||; s|.*\.io/||; s|/$||')
+
+          EXISTING_TAGS=$(curl -s "https://hub.docker.com/v2/repositories/${NAMESPACE}/${REPO_NAME}/tags?page_size=100&name=${VARIANT}-${UPSTREAM}." \
+            | jq -r '.results[]?.name // empty' 2>/dev/null || echo "")
+
+          MAX_BUILD=0
+          for tag in $EXISTING_TAGS; do
+            BUILD_NUM=$(echo "$tag" | grep -oP "\.\K[0-9]+$" || echo "0")
+            if [ "$BUILD_NUM" -gt "$MAX_BUILD" ] 2>/dev/null; then
+              MAX_BUILD=$BUILD_NUM
+            fi
+          done
+
+          NEXT_BUILD=$((MAX_BUILD + 1))
+          VERSION_TAG="${VARIANT}-${UPSTREAM}.${NEXT_BUILD}"
+          echo "version_tag=${VERSION_TAG}" >> "$GITHUB_OUTPUT"
+          echo "Next version tag: ${VERSION_TAG}"
+
+      - name: Build per-arch apko tarballs
+        run: |
+          mkdir -p /tmp/build-amd64 /tmp/build-arm64
+          apko build --arch x86_64 ${{ matrix.config }} \
+            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }} \
+            /tmp/build-amd64/image.tar
+          apko build --arch aarch64 ${{ matrix.config }} \
+            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }} \
+            /tmp/build-arm64/image.tar
+
+          # Extract the rootfs layer from the OCI archive for each arch.
+          # apko outputs an OCI image tarball; we need to extract just the
+          # filesystem layer (.tar.gz) and the config metadata.
+          for arch in amd64 arm64; do
+            cd /tmp/build-${arch}
+            tar xf image.tar
+            # The .tar.gz file is the filesystem layer
+            ROOTFS=$(ls *.tar.gz 2>/dev/null | head -1)
+            mv "$ROOTFS" rootfs.tar.gz
+            # Extract ENV and ENTRYPOINT from the OCI config
+            MANIFEST_DIGEST=$(jq -r '.manifests[0].digest' index.json | sed 's/sha256://')
+            CONFIG_DIGEST=$(jq -r '.config.digest' "sha256:${MANIFEST_DIGEST}" | sed 's/sha256://')
+            cp "sha256:${CONFIG_DIGEST}" config.json
+            # Clean up OCI artifacts
+            rm -f image.tar index.json manifest.json oci-layout sha256:*
+            cd /tmp
+          done
+
+          # Generate Dockerfile with metadata from the OCI config
+          # (use amd64 config as reference — env vars are the same for both arches)
+          ENV_LINES=$(jq -r '(.config.Env // [])[] | "ENV " + .' /tmp/build-amd64/config.json)
+          ENTRYPOINT=$(jq -r '(.config.Entrypoint // [])[]' /tmp/build-amd64/config.json | head -1)
+          USER_ID=$(jq -r '.config.User // "65532"' /tmp/build-amd64/config.json)
+          WORKDIR=$(jq -r '.config.WorkingDir // "/"' /tmp/build-amd64/config.json)
+
+          {
+            echo "FROM scratch"
+            echo "ARG TARGETARCH"
+            echo "ADD build-\${TARGETARCH}/rootfs.tar.gz /"
+            if [ -n "$ENV_LINES" ]; then
+              echo "$ENV_LINES"
+            fi
+            if [ -n "$ENTRYPOINT" ] && [ "$ENTRYPOINT" != "null" ]; then
+              echo "ENTRYPOINT [\"${ENTRYPOINT}\"]"
+            fi
+            echo "WORKDIR ${WORKDIR}"
+            echo "USER ${USER_ID}"
+          } > /tmp/Dockerfile
+
+      - name: Build and push with buildx (SBOM + provenance)
+        uses: docker/build-push-action@v5
+        with:
+          context: /tmp
+          file: /tmp/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          sbom: true
+          provenance: mode=max
+          tags: |
             ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }}
+            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }}
 
       - name: Install Docker Scout
         run: |

.gitea/workflows/rebuild.yaml

@@ -4,13 +4,16 @@ on:
   schedule:
     # Rebuild weekly to pick up Wolfi security patches
     - cron: '0 6 * * 1'
-  workflow_dispatch:
+  push:
+    paths:
+      - '.gitea/workflows/rebuild.yaml'
 
 permissions:
   contents: read
 
 env:
   IMAGE_NAME: base-distro
+  APKO_VERSION: 1.1.2
 
 jobs:
   rebuild:
@@ -34,9 +37,18 @@ jobs:
 
       - name: Install apko
         run: |
-          APKO_OS=$(uname -s | tr '[:upper:]' '[:lower:]')
           APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
-          curl -fsSL "https://github.com/chainguard-dev/apko/releases/latest/download/apko_${APKO_OS}_${APKO_ARCH}.tar.gz" | tar xz -C /usr/local/bin apko
+          APKO_VER="${{ env.APKO_VERSION }}"
+          curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/v${APKO_VER}/apko_${APKO_VER}_linux_${APKO_ARCH}.tar.gz" \
+            -o /tmp/apko.tar.gz
+          tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
+          rm /tmp/apko.tar.gz
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to Docker Registry
         uses: docker/login-action@v3
@@ -44,10 +56,116 @@ jobs:
           username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
 
-      - name: Rebuild and push with latest Wolfi packages
+      - name: Determine upstream version
+        id: version
         run: |
-          apko publish ${{ matrix.config }} \
+          VARIANT="${{ matrix.variant }}"
+
+          case "$VARIANT" in
+            base|build)
+              UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc-\K[0-9]+\.[0-9]+' | head -1 || echo "0.0")
+              if [ "$UPSTREAM" = "" ] || [ "$UPSTREAM" = "0.0" ]; then
+                UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc \(\K[0-9]+\.[0-9]+' | head -1 || echo "2.42")
+              fi
+              ;;
+            dotnet-runtime)
+              UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \
+                | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-runtime"] | sort_by(. | split(".") | map(tonumber)) | last')
+              ;;
+            dotnet-sdk)
+              UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \
+                | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-sdk"] | sort_by(. | split(".") | map(tonumber)) | last')
+              ;;
+            flutter-sdk)
+              UPSTREAM=$(curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json" \
+                | jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version')
+              ;;
+          esac
+
+          echo "upstream=${UPSTREAM}" >> "$GITHUB_OUTPUT"
+          echo "Upstream version for ${VARIANT}: ${UPSTREAM}"
+
+          REPO_NAME="${{ env.IMAGE_NAME }}"
+          REGISTRY_URL="${{ secrets.REGISTRY_URL }}"
+          NAMESPACE=$(echo "$REGISTRY_URL" | sed 's|.*://||; s|.*\.io/||; s|/$||')
+
+          EXISTING_TAGS=$(curl -s "https://hub.docker.com/v2/repositories/${NAMESPACE}/${REPO_NAME}/tags?page_size=100&name=${VARIANT}-${UPSTREAM}." \
+            | jq -r '.results[]?.name // empty' 2>/dev/null || echo "")
+
+          MAX_BUILD=0
+          for tag in $EXISTING_TAGS; do
+            BUILD_NUM=$(echo "$tag" | grep -oP "\.\K[0-9]+$" || echo "0")
+            if [ "$BUILD_NUM" -gt "$MAX_BUILD" ] 2>/dev/null; then
+              MAX_BUILD=$BUILD_NUM
+            fi
+          done
+
+          NEXT_BUILD=$((MAX_BUILD + 1))
+          VERSION_TAG="${VARIANT}-${UPSTREAM}.${NEXT_BUILD}"
+          echo "version_tag=${VERSION_TAG}" >> "$GITHUB_OUTPUT"
+          echo "Next version tag: ${VERSION_TAG}"
+
+      - name: Build per-arch apko tarballs
+        run: |
+          mkdir -p /tmp/build-amd64 /tmp/build-arm64
+          apko build --arch x86_64 ${{ matrix.config }} \
+            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest \
+            /tmp/build-amd64/image.tar
+          apko build --arch aarch64 ${{ matrix.config }} \
+            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest \
+            /tmp/build-arm64/image.tar
+
+          # Extract the rootfs layer from the OCI archive for each arch.
+          # apko outputs an OCI image tarball; we need to extract just the
+          # filesystem layer (.tar.gz) and the config metadata.
+          for arch in amd64 arm64; do
+            cd /tmp/build-${arch}
+            tar xf image.tar
+            # The .tar.gz file is the filesystem layer
+            ROOTFS=$(ls *.tar.gz 2>/dev/null | head -1)
+            mv "$ROOTFS" rootfs.tar.gz
+            # Extract ENV and ENTRYPOINT from the OCI config
+            MANIFEST_DIGEST=$(jq -r '.manifests[0].digest' index.json | sed 's/sha256://')
+            CONFIG_DIGEST=$(jq -r '.config.digest' "sha256:${MANIFEST_DIGEST}" | sed 's/sha256://')
+            cp "sha256:${CONFIG_DIGEST}" config.json
+            # Clean up OCI artifacts
+            rm -f image.tar index.json manifest.json oci-layout sha256:*
+            cd /tmp
+          done
+
+          # Generate Dockerfile with metadata from the OCI config
+          # (use amd64 config as reference — env vars are the same for both arches)
+          ENV_LINES=$(jq -r '(.config.Env // [])[] | "ENV " + .' /tmp/build-amd64/config.json)
+          ENTRYPOINT=$(jq -r '(.config.Entrypoint // [])[]' /tmp/build-amd64/config.json | head -1)
+          USER_ID=$(jq -r '.config.User // "65532"' /tmp/build-amd64/config.json)
+          WORKDIR=$(jq -r '.config.WorkingDir // "/"' /tmp/build-amd64/config.json)
+
+          {
+            echo "FROM scratch"
+            echo "ARG TARGETARCH"
+            echo "ADD build-\${TARGETARCH}/rootfs.tar.gz /"
+            if [ -n "$ENV_LINES" ]; then
+              echo "$ENV_LINES"
+            fi
+            if [ -n "$ENTRYPOINT" ] && [ "$ENTRYPOINT" != "null" ]; then
+              echo "ENTRYPOINT [\"${ENTRYPOINT}\"]"
+            fi
+            echo "WORKDIR ${WORKDIR}"
+            echo "USER ${USER_ID}"
+          } > /tmp/Dockerfile
+
+      - name: Build and push with buildx (SBOM + provenance)
+        uses: docker/build-push-action@v5
+        with:
+          context: /tmp
+          file: /tmp/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          sbom: true
+          provenance: mode=max
+          tags: |
             ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
+            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }}
 
       - name: Install Docker Scout
         run: |

.gitea/workflows/scout.yaml

@@ -10,6 +10,7 @@ permissions:
 
 env:
   IMAGE_NAME: base-distro
+  APKO_VERSION: 1.1.2
 
 jobs:
   scout:
@@ -52,9 +53,12 @@ jobs:
       - name: Install apko
         if: steps.should_run.outputs.run == 'true'
         run: |
-          APKO_OS=$(uname -s | tr '[:upper:]' '[:lower:]')
           APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
-          curl -fsSL "https://github.com/chainguard-dev/apko/releases/latest/download/apko_${APKO_OS}_${APKO_ARCH}.tar.gz" | tar xz -C /usr/local/bin apko
+          APKO_VER="${{ env.APKO_VERSION }}"
+          curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/v${APKO_VER}/apko_${APKO_VER}_linux_${APKO_ARCH}.tar.gz" \
+            -o /tmp/apko.tar.gz
+          tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
+          rm /tmp/apko.tar.gz
 
       - name: Build image locally
         if: steps.should_run.outputs.run == 'true'

.gitea/workflows/update-check.yaml

@@ -13,6 +13,7 @@ permissions:
 
 env:
   IMAGE_NAME: base-distro
+  APKO_VERSION: 1.1.2
 
 jobs:
   check-wolfi:
@@ -26,9 +27,12 @@ jobs:
 
       - name: Install apko
         run: |
-          APKO_OS=$(uname -s | tr '[:upper:]' '[:lower:]')
           APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
-          curl -fsSL "https://github.com/chainguard-dev/apko/releases/latest/download/apko_${APKO_OS}_${APKO_ARCH}.tar.gz" | tar xz -C /usr/local/bin apko
+          APKO_VER="${{ env.APKO_VERSION }}"
+          curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/v${APKO_VER}/apko_${APKO_VER}_linux_${APKO_ARCH}.tar.gz" \
+            -o /tmp/apko.tar.gz
+          tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
+          rm /tmp/apko.tar.gz
 
       - name: Check for Wolfi package updates
         id: check
@@ -122,9 +126,18 @@ jobs:
 
       - name: Install apko
         run: |
-          APKO_OS=$(uname -s | tr '[:upper:]' '[:lower:]')
           APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
-          curl -fsSL "https://github.com/chainguard-dev/apko/releases/latest/download/apko_${APKO_OS}_${APKO_ARCH}.tar.gz" | tar xz -C /usr/local/bin apko
+          APKO_VER="${{ env.APKO_VERSION }}"
+          curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/v${APKO_VER}/apko_${APKO_VER}_linux_${APKO_ARCH}.tar.gz" \
+            -o /tmp/apko.tar.gz
+          tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
+          rm /tmp/apko.tar.gz
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to Docker Registry
         uses: docker/login-action@v3
@@ -132,10 +145,84 @@ jobs:
           username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
 
-      - name: Build and push image
+      - name: Determine upstream version
+        id: version
         run: |
-          apko publish ${{ matrix.config }} \
+          VARIANT="${{ matrix.variant }}"
+
+          case "$VARIANT" in
+            base|build)
+              UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc-\K[0-9]+\.[0-9]+' | head -1 || echo "0.0")
+              if [ "$UPSTREAM" = "" ] || [ "$UPSTREAM" = "0.0" ]; then
+                UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc \(\K[0-9]+\.[0-9]+' | head -1 || echo "2.42")
+              fi
+              ;;
+            dotnet-runtime)
+              UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \
+                | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-runtime"] | sort_by(. | split(".") | map(tonumber)) | last')
+              ;;
+            dotnet-sdk)
+              UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \
+                | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-sdk"] | sort_by(. | split(".") | map(tonumber)) | last')
+              ;;
+            flutter-sdk)
+              UPSTREAM=$(curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json" \
+                | jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version')
+              ;;
+          esac
+
+          echo "upstream=${UPSTREAM}" >> "$GITHUB_OUTPUT"
+          echo "Upstream version for ${VARIANT}: ${UPSTREAM}"
+
+          REPO_NAME="${{ env.IMAGE_NAME }}"
+          REGISTRY_URL="${{ secrets.REGISTRY_URL }}"
+          NAMESPACE=$(echo "$REGISTRY_URL" | sed 's|.*://||; s|.*\.io/||; s|/$||')
+
+          EXISTING_TAGS=$(curl -s "https://hub.docker.com/v2/repositories/${NAMESPACE}/${REPO_NAME}/tags?page_size=100&name=${VARIANT}-${UPSTREAM}." \
+            | jq -r '.results[]?.name // empty' 2>/dev/null || echo "")
+
+          MAX_BUILD=0
+          for tag in $EXISTING_TAGS; do
+            BUILD_NUM=$(echo "$tag" | grep -oP "\.\K[0-9]+$" || echo "0")
+            if [ "$BUILD_NUM" -gt "$MAX_BUILD" ] 2>/dev/null; then
+              MAX_BUILD=$BUILD_NUM
+            fi
+          done
+
+          NEXT_BUILD=$((MAX_BUILD + 1))
+          VERSION_TAG="${VARIANT}-${UPSTREAM}.${NEXT_BUILD}"
+          echo "version_tag=${VERSION_TAG}" >> "$GITHUB_OUTPUT"
+          echo "Next version tag: ${VERSION_TAG}"
+
+      - name: Build per-arch apko tarballs
+        run: |
+          mkdir -p /tmp/build-amd64 /tmp/build-arm64
+          apko build --arch x86_64 ${{ matrix.config }} \
+            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest \
+            /tmp/build-amd64/image.tar
+          apko build --arch aarch64 ${{ matrix.config }} \
+            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest \
+            /tmp/build-arm64/image.tar
+          cat > /tmp/Dockerfile <<'EOF'
+          FROM scratch
+          ARG TARGETARCH
+          ADD build-${TARGETARCH}/image.tar /
+          USER 65532
+          EOF
+          sed -i 's/^          //' /tmp/Dockerfile
+
+      - name: Build and push with buildx (SBOM + provenance)
+        uses: docker/build-push-action@v5
+        with:
+          context: /tmp
+          file: /tmp/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          sbom: true
+          provenance: mode=max
+          tags: |
             ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
+            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }}
 
       - name: Install Docker Scout
         run: |

apko/flutter-sdk-android.yaml

@@ -0,0 +1,49 @@
+contents:
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+  repositories:
+    - https://packages.wolfi.dev/os
+  packages:
+    # Base runtime
+    - wolfi-baselayout
+    - glibc
+    - glibc-locale-posix
+    - libstdc++
+    - ca-certificates-bundle
+    - tzdata
+    # Build tools
+    - bash
+    - busybox
+    - coreutils
+    - git
+    - curl
+    - wget
+    - unzip
+    - xz
+    - zip
+    # Java (for Android SDK)
+    - openjdk-17
+    - openjdk-17-default-jvm
+
+accounts:
+  groups:
+    - groupname: flutter
+      gid: 65532
+  users:
+    - username: flutter
+      uid: 65532
+      gid: 65532
+  run-as: 65532
+
+archs:
+  - x86_64
+  - aarch64
+
+environment:
+  TZ: UTC
+  FLUTTER_HOME: /opt/flutter
+  JAVA_HOME: /usr/lib/jvm/java-17-openjdk
+  PATH: /opt/flutter/bin:/opt/flutter/bin/cache/dart-sdk/bin:/usr/lib/jvm/java-17-openjdk/bin:/usr/bin:/bin:/usr/sbin:/sbin
+
+entrypoint:
+  command: /bin/bash

apko/flutter-sdk-linux.yaml

@@ -0,0 +1,59 @@
+contents:
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+  repositories:
+    - https://packages.wolfi.dev/os
+  packages:
+    # Base runtime
+    - wolfi-baselayout
+    - glibc
+    - glibc-locale-posix
+    - libstdc++
+    - ca-certificates-bundle
+    - tzdata
+    # Build tools
+    - bash
+    - busybox
+    - coreutils
+    - git
+    - curl
+    - wget
+    - unzip
+    - xz
+    # Linux desktop build toolchain
+    - clang-19
+    - cmake
+    - ninja-build
+    - pkgconf
+    # GTK and dependencies for Flutter Linux
+    - gtk-3-dev
+    - glib-dev
+    - pango-dev
+    - harfbuzz-dev
+    - cairo-dev
+    - gdk-pixbuf-dev
+    - xz-dev
+
+accounts:
+  groups:
+    - groupname: flutter
+      gid: 65532
+  users:
+    - username: flutter
+      uid: 65532
+      gid: 65532
+  run-as: 65532
+
+archs:
+  - x86_64
+  - aarch64
+
+environment:
+  TZ: UTC
+  FLUTTER_HOME: /opt/flutter
+  CC: clang
+  CXX: clang++
+  PATH: /opt/flutter/bin:/opt/flutter/bin/cache/dart-sdk/bin:/usr/bin:/bin:/usr/sbin:/sbin
+
+entrypoint:
+  command: /bin/bash