feat: add static base image build for Tekton Go binaries#3221
feat: add static base image build for Tekton Go binaries#3221waveywaves wants to merge 2 commits intotektoncd:mainfrom
Conversation
Add apko-based build for a multi-arch static base image supporting amd64, arm64, s390x, and ppc64le. This replaces the dependency on cgr.dev/chainguard/static which is pinned to an EOL Alpine 3.18 digest and whose free tier dropped s390x/ppc64le support. The image contains CA certificates, timezone data, nsswitch.conf, and a nonroot user (UID 65532). A weekly GitHub Actions workflow rebuilds and publishes to ghcr.io/tektoncd/plumbing/static-base. All Tekton repos (pipeline, triggers, chains, results) can reference this as their defaultBaseImage in .ko.yaml. Related: tektoncd/pipeline#9557
tekton-robot
added
the
kind/feature
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
tekton-robot
added
the
size/L
The apko build and CI workflow belong in tektoncd/plumbing since all Tekton repos need the same base image. Update .ko.yaml and publish.yaml to reference ghcr.io/tektoncd/plumbing/static-base instead. See: tektoncd/plumbing#3221
vdemeester
left a comment
vdemeester
left a comment
There was a problem hiding this comment.
So, other images that we build here are in tekton/images, we should probably keep them at the same place, or at least share the same "parent".
Either we have a tekton/images/apko or tekton/apko-images, or we could make the paths detection a bit smarter in the workflows.
Also, to "respect" the CI summary, we should update ci.yaml instead of creating a new workflow (or have ci.yaml call that workflow).
| @@ -0,0 +1,27 @@ | |||
| contents: | |||
There was a problem hiding this comment.
As highlighted in tektoncd/pipeline#9557, we should probably use keyring (to validate the repositories and packages)
| build-and-push: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 |
There was a problem hiding this comment.
We have a policy of pinning actions and any dependencies across tektoncd org projects to SHAs (Refer: https://github.com/tektoncd/pipeline/blob/main/.github/workflows/codeql-analysis.yml#L57). Could you fix this?
|
@waveywaves - Could you consider absorbing any good practices from #1735 into this PR? I hope we can close #1735 once this PR merges. Thank you! |
1. Move images/static-base/ to tekton/images/static-base/ to match the existing image directory structure. 2. Pin all GitHub Actions to SHAs instead of tags per org policy. 3. Add Alpine keyring to apko.yaml to validate repository packages.
4 participants
Changes
Add apko-based build for a multi-arch static base image supporting amd64, arm64, s390x, and ppc64le.
Why: All Tekton repos currently depend on
cgr.dev/chainguard/staticwhich is pinned to an EOL Alpine 3.18 digest from Nov 2023. The Chainguard free tier dropped s390x/ppc64le support, so bumping the digest breaks release builds. Building our own image gives us control over architecture coverage and update cadence.What this adds:
images/static-base/apko.yaml— declarative image definition, builds a ~300KB static base per arch with CA certs, timezone data, and nonroot user.github/workflows/build-static-base-image.yaml— weekly CI to rebuild and publish toghcr.io/tektoncd/plumbing/static-baseimages/static-base/README.md— documents contents, build instructions, and consumersConsumers: tektoncd/pipeline, tektoncd/triggers, tektoncd/chains, tektoncd/results — all can reference
ghcr.io/tektoncd/plumbing/static-baseas theirdefaultBaseImagein.ko.yaml.Related: tektoncd/pipeline#9557
/kind feature
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them: