This repo provides a basic template for a Wolfi-based image configured using apko.
After creating your own repo from this
template, edit
apko.yaml to add or remove whatever packages you need.
The template includes two GitHub Actions workflows:
- run a presubmit build when a pull request is opened
- publish a new image when changes are
pushed to
main.- Images are pushed to
ghcr.io/$ORG/$REPO, tagged with the date the image was published (e.g.,:20230103). - Images are signed using the GitHub Actions' workload identity (
cosign verify <image>). - Images have an SBOM attached (
cosign download sbom <image>). - Images are scanned for vulnerabilities using Trivy, and signed
vulnerability attestations are attached (
cosign download attestation <image>). You can enable scanning with Grype and Snyk as well. - Images are also rebuilt nightly to pick up Wolfi package updates.
- Images are pushed to