CI - chainguard-dev/apko

Continuous Integration (CI) with apko in the Chainguard project covers two things: using apko in CI pipelines and configuring CI tasks. The options and examples for using apko in CI pipelines are:

  1. Using apko in a CI pipeline to build images:

Apko can be used in a CI pipeline to build images by defining the image configuration in a YAML file. Here’s an example of an image configuration:

    name: my-image
    version: 1.0.0
    base: alpine:latest
    packages:
      - apko-tools
      - busybox
    run:
      - apk add --no-cache $PKG_LIST
      - my-command

This configuration defines an image named “my-image” with version “1.0.0” based on the “alpine:latest” image. It installs the “apko-tools” and “busybox” packages and runs “my-command”.

Source: https://edu.chainguard.dev/open-source/apko/overview

  2. Using apko in a CI pipeline to sign packages:

Apko can be used in a CI pipeline to sign packages with a melange key. Here’s an example of signing a package:

    // Create the package definition.
    pkg, err := apko.NewPackage("my-package", "1.0.0", "alpine:latest")
    if err != nil {
        log.Fatal(err)
    }

    // Add a file to the package.
    pkg.Add(apko.NewFile("my-file", "my-content"))

    // Sign the package with the key.
    err = pkg.Sign("my-key")
    if err != nil {
        log.Fatal(err)
    }

    // Write the signed package to disk.
    err = pkg.Write("my-package-1.0.0-signed.apk")
    if err != nil {
        log.Fatal(err)
    }

This code creates a new package named “my-package” with version “1.0.0” based on the “alpine:latest” image. It adds a file named “my-file” with content “my-content” and signs the package with “my-key”.

Source: https://edu.chainguard.dev/open-source/apko/faq

  3. Using apko in a CI pipeline to generate a Software Bill of Materials (SBOM):

Apko can be used in a CI pipeline to generate an SBOM for an image. Here’s an example of generating an SBOM:

    ic, err := apko.NewImageConfiguration("my-image", "1.0.0", "alpine:latest")
    if err != nil {
        log.Fatal(err)
    }

    ic.Accounts.Add("my-account", "my-account-description")

    err = ic.GenerateSBOM("my-image-1.0.0-sbom.spdx", apko.SPDXVersion3)
    if err != nil {
        log.Fatal(err)
    }

This code creates a new image configuration named “my-image” with version “1.0.0” based on the “alpine:latest” image. It adds an account named “my-account” with a description. It generates an SBOM in SPDX format for the image.

Source: https://github.com/chainguard-dev/apko/blob/main/sbom.go

Options and examples for configuring CI tasks:

  1. Using a CI tool to build and test images:

A CI tool such as GitHub Actions or CircleCI can be used to build and test images. Here’s an example of a GitHub Actions workflow to build and test an image:

    name: Build and Test

    on:
      push:
        branches: [ main ]

    jobs:
      build-and-test:
        runs-on: ubuntu-latest

        steps:
          - name: Checkout code
            uses: actions/checkout@v2

          - name: Build image
            run: |
              apko build -t my-image:${{ github.sha }}

          - name: Test image
            run: |
              docker run --rm my-image:${{ github.sha }} my-test-command

This workflow builds and tests an image on every push to the “main” branch. It checks out the code, builds the image with apko, and runs a test command in the image.

Source: https://github.com/chainguard-dev/apko/blob/main/.github/workflows/build-and-test.yaml

  2. Using a CI tool to sign packages:

A CI tool can be used to sign packages with a melange key. Here’s an example of a CircleCI workflow to sign packages:

    version: 2.1

    jobs:
      sign:
        docker:
          - image: circleci/golang:1.17

        steps:
          - checkout
          - run:
              name: Sign packages
              command: |
                apko sign --key my-key my-package

This workflow signs the “my-package” package with the “my-key” key using apko.

Source: https://github.com/chainguard-dev/apko/blob/main/.circleci/config.yml

  3. Using a CI tool to generate an SBOM:

A CI tool can be used to generate an SBOM for an image. Here’s an example of a GitHub Actions workflow to generate an SBOM:

    name: Generate SBOM

    on:
      push:
        branches: [ main ]

    jobs:
      generate-sbom:
        runs-on: ubuntu-latest

        steps:
          - name: Checkout code
            uses: actions/checkout@v2

          - name: Generate SBOM
            run: |
              apko sbom my-image:${{ github.sha }} > my-image-sbom.spdx

This workflow generates an SBOM for the “my-image” image with the current commit SHA using apko.

Source: https://github.com/chainguard-dev/apko/blob/main/.github/workflows/generate-sbom.yaml
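
A CI gate that could run after the SBOM step above, as an added example (not code from apko or from this page): it compares the packages listed in the SBOM with the packages declared in the image configuration and reports drift. It assumes the SBOM is SPDX 2.x JSON with a `packages` array and that the allowlist names every package expected in the image, dependencies included; `CheckSBOM` and the sample document are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// spdxDoc models only the SPDX 2.x JSON fields this check reads.
type spdxDoc struct {
	Packages []struct{ Name, VersionInfo string } // JSON keys match case-insensitively
}

// Constructed sample standing in for my-image-sbom.spdx (not real apko output).
const sampleSBOM = `{"spdxVersion":"SPDX-2.3","packages":[
 {"name":"busybox","versionInfo":"1.36.1-r0"},
 {"name":"apko-tools","versionInfo":""},
 {"name":"curl","versionInfo":"8.5.0-r0"}]}`

// CheckSBOM compares SBOM packages with the allowlist; empty result = gate passes.
func CheckSBOM(raw []byte, allowed []string) ([]string, error) {
	var doc spdxDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("parse SBOM: %w", err)
	}
	seen := map[string]bool{}
	for _, a := range allowed {
		seen[a] = false // flipped to true once found in the SBOM
	}
	var findings []string
	for _, p := range doc.Packages {
		if _, ok := seen[p.Name]; !ok {
			findings = append(findings, "unexpected: "+p.Name)
		} else if seen[p.Name] = true; p.VersionInfo == "" {
			findings = append(findings, "unversioned: "+p.Name)
		}
	}
	for name, found := range seen {
		if !found {
			findings = append(findings, "missing: "+name)
		}
	}
	sort.Strings(findings)
	return findings, nil
}

func main() {
	fmt.Println(CheckSBOM([]byte(sampleSBOM), []string{"apko-tools", "busybox"}))
}
```

In a pipeline, the job would fail whenever the returned list is non-empty, so a package that appears in the image without being declared blocks the build.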