/template

Template repository for new images

Apache License 2.0Apache-2.0

Chainguard Images Template

This repo provides a basic template for a Wolfi-based image configured using apko.

After creating your own repo from this template, edit apko.yaml to add or remove whatever packages you need.

The template includes two GitHub Actions workflows:

  • run a presubmit build when a pull request is opened
  • publish a new image when changes are pushed to main.
    • Images are pushed to ghcr.io/$ORG/$REPO, tagged with the date the image was published (e.g., :20230103).
    • Images are signed using the GitHub Actions' workload identity (cosign verify <image>).
    • Images have an SBOM attached (cosign download sbom <image>).
    • Images are scanned for vulnerabilities using Trivy, and signed vulnerability attestations are attached (cosign download attestation <image>). You can enable scanning with Grype and Snyk as well.
    • Images are also rebuilt nightly to pick up Wolfi package updates.