This repo provides a basic template for a Wolfi-based image configured using apko.

After creating your own repo from this template, edit apko.yaml to add or remove whatever packages you need.

The template includes two GitHub Actions workflows:

• run a presubmit build when a pull request is opened
• publish a new image when changes are pushed to main.
  • Images are pushed to ghcr.io/$ORG/$REPO, tagged with the date the image was published (e.g., :20230103).
  • Images are signed using the GitHub Actions' workload identity (cosign verify <image>).
  • Images have an SBOM attached (cosign download sbom <image>).
  • Images are scanned for vulnerabilities using Trivy, and signed vulnerability attestations are attached (cosign download attestation <image>). You can enable scanning with Grype and Snyk as well.
  • Images are also rebuilt nightly to pick up Wolfi package updates.