
Commit b5e1f95

vdemeesterclaude
andcommitted
feat: add custom base image with git-lfs, openssh, uid 65532
- Add Dockerfile based on alpine/git with git-lfs, openssh-client, and a tekton user (uid 65532) matching the task's securityContext - Add base-image workflow: builds on Dockerfile change + weekly schedule - Add dependabot docker ecosystem for automatic base image bumps - Update .ko.yaml and .goreleaser.yml to use our base image - Build base image locally in e2e workflows for CI This replaces the dependency on ghcr.io/tektoncd/plumbing/alpine-git-nonroot and gives us full control over the image contents. Fixes #85 Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
1 parent e35ff2c commit b5e1f95

6 files changed

Lines changed: 77 additions & 2 deletions


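--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,3 +8,7 @@ updates:
 directory: "/"
 schedule:
 interval: "daily"
+- package-ecosystem: "docker"
+directory: "/image/base"
+schedule:
+interval: "weekly"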

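--- a/.github/workflows/base-image.yaml
+++ b/.github/workflows/base-image.yaml
@@ -0,0 +1,35 @@
+name: Base Image
+
+on:
+push:
+branches: [main]
+paths: ['image/base/**']
+schedule:
+- cron: '0 6 * * 1' # Weekly Monday — catch upstream updates
+workflow_dispatch: {}
+
+permissions:
+packages: write
+
+jobs:
+build:
+name: Build and push base image
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+- name: Log in to GHCR
+uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+with:
+registry: ghcr.io
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Build and push
+uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+with:
+context: image/base
+push: true
+tags: |
+ghcr.io/${{ github.repository }}/base:latest
+ghcr.io/${{ github.repository }}/base:${{ github.sha }}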
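Review bot: The `build` job pushes `base:latest` on every trigger, and `workflow_dispatch` can be started from any branch, so a manual run on a non-main ref would overwrite the tag that `.ko.yaml` and `.goreleaser.yml` consume for release builds. Gating the job (or at least the `latest` tag) with `if: github.ref == 'refs/heads/main'` keeps that tag tied to reviewed code. The top-level `permissions:` block also leaves every other scope at `none`; stating `contents: read` next to `packages: write`, at job level, makes the checkout's requirement explicit and keeps the write scope away from any job added later.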

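--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -59,9 +59,15 @@ jobs:
 cluster_name: kind
 wait: 120s
 
+- name: Build base image
+run: |
+docker build -t ghcr.io/${{ github.repository }}/base:latest image/base/
+docker tag ghcr.io/${{ github.repository }}/base:latest ko.local/git-clone-base:latest
+
 - name: Build and load image into Kind
 env:
 KO_DOCKER_REPO: kind.local
+KO_DEFAULTBASEIMAGE: ko.local/git-clone-base:latest
 run: |
 cd image/git-init
 ko build --sbom=none -B -t e2e .
@@ -95,9 +101,15 @@ jobs:
 cluster_name: kind
 wait: 120s
 
+- name: Build base image
+run: |
+docker build -t ghcr.io/${{ github.repository }}/base:latest image/base/
+docker tag ghcr.io/${{ github.repository }}/base:latest ko.local/git-clone-base:latest
+
 - name: Build and load image into Kind
 env:
 KO_DOCKER_REPO: kind.local
+KO_DEFAULTBASEIMAGE: ko.local/git-clone-base:latest
 run: |
 cd image/git-init
 ko build --sbom=none -B -t e2e .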
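Review bot: The new `Build base image` step (added identically in both hunks) builds under the published name `ghcr.io/${{ github.repository }}/base:latest` and then retags it, so the runner's daemon holds a locally built image carrying a registry tag that was never pulled from the registry. Building straight to the local name removes that ambiguity: `docker build -t ko.local/git-clone-base:latest image/base/`. As a consequence of this step, e2e exercises a fresh local build rather than the `base:latest` that `.ko.yaml` and `.goreleaser.yml` resolve at release time; since the Dockerfile's `apk add` is unversioned, the two can differ, which is worth a comment on the step. Both jobs begin and end outside the visible hunks.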

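--- a/image/base/Dockerfile
+++ b/image/base/Dockerfile
@@ -0,0 +1,24 @@
+# Copyright 2024 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Base image for git-clone task.
+# Includes git, git-lfs, openssh-client, and a nonroot user (uid 65532)
+# matching Tekton's default securityContext.
+FROM docker.io/alpine/git:v2.52.0@sha256:8786a6a02273827d0aa039d174aacd5e017fcce9aba0af62596d991970cab01a
+
+RUN apk add --no-cache git-lfs openssh-client && \
+adduser -D -u 65532 -G root tekton && \
+mkdir -p /home/tekton && chown tekton:root /home/tekton
+
+USER tekton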
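Review bot: `USER tekton` on the last line names the account instead of its uid, and a kubelet enforcing `runAsNonRoot: true` cannot verify a non-numeric image user unless the pod also sets `runAsUser`. Writing `USER 65532` keeps the image usable where only `runAsNonRoot` is set. The account is also created with `-G root`, so its primary group is gid 0 even though the header comment calls it a nonroot user. If that is meant for platforms that run containers under an arbitrary uid, a comment such as `# gid 0 keeps /home/tekton writable when the runtime assigns an arbitrary uid` would record the intent; otherwise a dedicated group is the narrower choice.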

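--- a/image/git-init/.goreleaser.yml
+++ b/image/git-init/.goreleaser.yml
@@ -29,7 +29,7 @@ kos:
 - id: git-init-image
 build: binary
 main: .
-base_image: ghcr.io/tektoncd/plumbing/alpine-git-nonroot:latest
+base_image: ghcr.io/tektoncd-catalog/git-clone/base:latest
 platforms:
 - all
 tags: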
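Review bot: `base_image` here, and `defaultBaseImage` in `image/git-init/.ko.yaml`, resolve the mutable `base:latest` tag at release time, so a release is built on whatever the last push, cron run or manual dispatch of the base-image workflow left under that tag. Referencing the image by digest, e.g. `base_image: ghcr.io/tektoncd-catalog/git-clone/base@sha256:<digest>` (placeholder), makes every base change a reviewable diff. Separately, `platforms: - all` follows the platforms offered by the base image, and the base-image workflow as shown passes no `platforms:` input to `docker/build-push-action`, so the published base is presumably single-architecture. It is worth confirming that releases still cover the architectures the previous base did. The `kos` entry continues outside the hunk.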

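--- a/image/git-init/.ko.yaml
+++ b/image/git-init/.ko.yaml
@@ -1 +1 @@
-defaultBaseImage: ghcr.io/tektoncd/plumbing/alpine-git-nonroot:latest
+defaultBaseImage: ghcr.io/tektoncd-catalog/git-clone/base:latest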
