feat: add wolfi-toolbox images

.github/workflows/wolfi.yaml

@@ -0,0 +1,123 @@
+name: "Wolfi Linux: Build and push toolbx images"
+
+permissions: read-all
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - wolfi/**
+      - .github/workflows/wolfi.yaml
+  push:
+    branches:
+      - main
+    paths:
+      - wolfi/**
+      - .github/workflows/wolfi.yaml
+  schedule:
+    - cron:  '0 0 * * MON'
+
+env:
+  distro: 'wolfi'
+  distro_pretty: 'wolfi Linux'
+  latest_release: 'latest'
+  platforms: 'linux/amd64, linux/arm64'
+  registry: 'quay.io/toolbx-images'
+
+# Prevent multiple workflow runs from racing to ensure that pushes are made
+# sequentially for the main branch. Also cancel in progress workflow runs for
+# pull requests only.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  build-push-images:
+    strategy:
+      matrix:
+        release: ['latest']
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU for multi-arch builds
+        shell: bash
+        run: |
+          sudo apt update
+          sudo apt install qemu-user-static
+
+      - name: Build container image
+        uses: redhat-actions/buildah-build@v2
+        if: env.latest_release != matrix.release
+        with:
+          platforms: ${{ env.platforms }}
+          context: ${{ env.distro }}/${{ matrix.release }}
+          image: ${{ env.distro }}-toolbox
+          tags: ${{ matrix.release }}
+          containerfiles: ${{ env.distro }}/${{ matrix.release }}/Containerfile
+          layers: false
+          oci: true
+
+      - name: Build container image (latest tag)
+        uses: redhat-actions/buildah-build@v2
+        if: env.latest_release == matrix.release
+        with:
+          platforms: ${{ env.platforms }}
+          context: ${{ env.distro }}/${{ matrix.release }}
+          image: ${{ env.distro }}-toolbox
+          tags: ${{ matrix.release }} latest
+          containerfiles: ${{ env.distro }}/${{ matrix.release }}/Containerfile
+          layers: false
+          oci: true
+
+      - name: Push to Container Registry
+        uses: redhat-actions/push-to-registry@v2
+        id: push
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
+        with:
+          username: ${{ secrets.BOT_USERNAME }}
+          password: ${{ secrets.BOT_SECRET }}
+          image: ${{ env.distro }}-toolbox
+          registry: ${{ env.registry }}
+          tags: ${{ matrix.release }}
+
+      - name: Push to Container Registry (latest tag)
+        uses: redhat-actions/push-to-registry@v2
+        id: push-latest
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
+        with:
+          username: ${{ secrets.BOT_USERNAME }}
+          password: ${{ secrets.BOT_SECRET }}
+          image: ${{ env.distro }}-toolbox
+          registry: ${{ env.registry }}
+          tags: ${{ matrix.release }} latest
+
+      - name: Login to Container Registry
+        uses: redhat-actions/podman-login@v1
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+        with:
+          registry: ${{ env.registry }}
+          username: ${{ secrets.BOT_USERNAME }}
+          password: ${{ secrets.BOT_SECRET }}
+
+      - uses: sigstore/[email protected]
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+
+      - name: Sign container image
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
+        run: |
+          cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }}
+        env:
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+
+      - name: Sign container image (latest)
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
+        run: |
+          cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
+        env:
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}

wolfi/latest/Containerfile

@@ -0,0 +1,26 @@
+FROM cgr.dev/chainguard/wolfi-base:latest
+
+LABEL com.github.containers.toolbox="true" \
+      name="wolfi-toolbox" \
+      version="latest" \
+      usage="This image is meant to be used with the toolbox or distrobox command" \
+      summary="Base image for creating Wolfi Linux toolbox containers" \
+      maintainer="Luca Di Maio <[email protected]>"
+
+# Install extra packages
+COPY extra-packages /
+RUN apk update && \
+    apk upgrade && \
+    cat /extra-packages | xargs apk add
+RUN rm /extra-packages
+
+# Enable password less sudo
+# using sudoers instead of toolbox filename here, so that in case of rootful
+# distroboxes, the NOPASSWD can be deactivated for security reasons.
+RUN echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sudoers
+
+# Copy the os-release file
+RUN cp -p /etc/os-release /usr/lib/os-release
+
+# Clear out /home
+RUN rm -rf /home/* && mkdir /media

wolfi/latest/extra-packages

@@ -0,0 +1,45 @@
+bash
+bc
+busybox
+bzip2
+coreutils
+curl
+diffutils
+findmnt
+findutils
+gnupg
+gnutar
+gpg
+iproute2
+iputils
+keyutils
+less
+libcap
+libcap-utils
+locate
+man-db
+mesa
+mount
+ncurses
+ncurses-terminfo
+net-tools
+openssh-client
+pigz
+posix-libc-utils
+procps
+rsync
+shadow
+sudo
+tcpdump
+tree
+tzdata
+umount
+unzip
+util-linux
+util-linux-login
+util-linux-misc
+vulkan-loader
+wget
+xauth
+xz
+zip