feat: add custom base image with git-lfs, openssh, uid 65532

vdemeester · claude · vdemeester · commit b5e1f95bb2b2 · 2026-06-04T12:17:12.000+02:00
- Add Dockerfile based on alpine/git with git-lfs, openssh-client, and a tekton user (uid 65532) matching the task's securityContext - Add base-image workflow: builds on Dockerfile change + weekly schedule - Add dependabot docker ecosystem for automatic base image bumps - Update .ko.yaml and .goreleaser.yml to use our base image - Build base image locally in e2e workflows for CI This replaces the dependency on ghcr.io/tektoncd/plumbing/alpine-git-nonroot and gives us full control over the image contents. Fixes #85 Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -8,3 +8,7 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+  - package-ecosystem: "docker"
+    directory: "/image/base"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/base-image.yaml b/.github/workflows/base-image.yaml
@@ -0,0 +1,35 @@
+name: Base Image
+
+on:
+  push:
+    branches: [main]
+    paths: ['image/base/**']
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly Monday — catch upstream updates
+  workflow_dispatch: {}
+
+permissions:
+  packages: write
+
+jobs:
+  build:
+    name: Build and push base image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        with:
+          context: image/base
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository }}/base:latest
+            ghcr.io/${{ github.repository }}/base:${{ github.sha }}
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -59,9 +59,15 @@ jobs:
           cluster_name: kind
           wait: 120s
 
+      - name: Build base image
+        run: |
+          docker build -t ghcr.io/${{ github.repository }}/base:latest image/base/
+          docker tag ghcr.io/${{ github.repository }}/base:latest ko.local/git-clone-base:latest
+
       - name: Build and load image into Kind
         env:
           KO_DOCKER_REPO: kind.local
+          KO_DEFAULTBASEIMAGE: ko.local/git-clone-base:latest
         run: |
           cd image/git-init
           ko build --sbom=none -B -t e2e .
@@ -95,9 +101,15 @@ jobs:
           cluster_name: kind
           wait: 120s
 
+      - name: Build base image
+        run: |
+          docker build -t ghcr.io/${{ github.repository }}/base:latest image/base/
+          docker tag ghcr.io/${{ github.repository }}/base:latest ko.local/git-clone-base:latest
+
       - name: Build and load image into Kind
         env:
           KO_DOCKER_REPO: kind.local
+          KO_DEFAULTBASEIMAGE: ko.local/git-clone-base:latest
         run: |
           cd image/git-init
           ko build --sbom=none -B -t e2e .
diff --git a/image/base/Dockerfile b/image/base/Dockerfile
@@ -0,0 +1,24 @@
+# Copyright 2024 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Base image for git-clone task.
+# Includes git, git-lfs, openssh-client, and a nonroot user (uid 65532)
+# matching Tekton's default securityContext.
+FROM docker.io/alpine/git:v2.52.0@sha256:8786a6a02273827d0aa039d174aacd5e017fcce9aba0af62596d991970cab01a
+
+RUN apk add --no-cache git-lfs openssh-client && \
+    adduser -D -u 65532 -G root tekton && \
+    mkdir -p /home/tekton && chown tekton:root /home/tekton
+
+USER tekton
diff --git a/image/git-init/.goreleaser.yml b/image/git-init/.goreleaser.yml
@@ -29,7 +29,7 @@ kos:
   - id: git-init-image
     build: binary
     main: .
-    base_image: ghcr.io/tektoncd/plumbing/alpine-git-nonroot:latest
+    base_image: ghcr.io/tektoncd-catalog/git-clone/base:latest
     platforms:
       - all
     tags:
diff --git a/image/git-init/.ko.yaml b/image/git-init/.ko.yaml
@@ -1 +1 @@
-defaultBaseImage: ghcr.io/tektoncd/plumbing/alpine-git-nonroot:latest
+defaultBaseImage: ghcr.io/tektoncd-catalog/git-clone/base:latest

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-defaultBaseImage: ghcr.io/tektoncd/plumbing/alpine-git-nonroot:latest`
	`1`	`+defaultBaseImage: ghcr.io/tektoncd-catalog/git-clone/base:latest`