feat(valkey): add Valkey image with GH workflow (#20)

ixxeL2097 · Frederic Spiers · web-flow · commit 25a8c0ffceac · 2025-10-08T11:18:57.000+02:00
Co-authored-by: Frederic Spiers &lt;frederic.spiers@gitguardian.com&gt;
diff --git a/.github/workflows/valkey.yaml b/.github/workflows/valkey.yaml
@@ -0,0 +1,39 @@
+name: valkey
+
+on:
+  schedule:
+    - cron: "00 01 * * 1-5"
+  pull_request:
+    paths:
+      - .github/workflows/valkey.yaml
+      - 'images/valkey/*.yaml'
+      - 'images/valkey/**/*.yaml'
+  push:
+    branches:
+      - 'main'
+    paths:
+      - .github/workflows/valkey.yaml
+      - 'images/valkey/*.yaml'
+      - 'images/valkey/**/*.yaml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+  attestations: write
+  id-token: write
+  security-events: write
+  actions: read
+
+jobs:
+  publish:
+    strategy:
+      matrix:
+        version: [latest, "8.1"]
+        variant: [prod, dev]
+    name: ${{ matrix.version }}${{ matrix.variant == 'shell' && '-shell' || matrix.variant == 'dev' && '-dev' || '' }}
+    uses: './.github/workflows/release.yaml'
+    with:
+      tag: ${{ matrix.version }}${{ matrix.variant == 'shell' && '-shell' || matrix.variant == 'dev' && '-dev' || '' }}
+      target: ${{ format('{0}/{1}', matrix.version, matrix.variant) }}
+    secrets: inherit
diff --git a/README.md b/README.md
@@ -40,3 +40,4 @@
 | [redis-bitnami](./images/redis-bitnami/)                       | `docker pull ghcr.io/gitguardian/wolfi/redis-bitnami`            |
 | [shell](./images/shell/)                                       | `docker pull ghcr.io/gitguardian/wolfi/shell`                    |
 | [traefik](./images/traefik/)                                   | `docker pull ghcr.io/gitguardian/wolfi/traefik`                  |
+| [valkey](./images/valkey/)                                     | `docker pull ghcr.io/gitguardian/wolfi/valkey`                   |
diff --git a/images/valkey/8.1/dev.yaml b/images/valkey/8.1/dev.yaml
@@ -0,0 +1,6 @@
+include: images/valkey/dev.yaml
+
+contents:
+  packages:
+    - valkey-8.1
+    - valkey-8.1-cli
diff --git a/images/valkey/8.1/prod.yaml b/images/valkey/8.1/prod.yaml
@@ -0,0 +1,6 @@
+include: images/valkey/prod.yaml
+
+contents:
+  packages:
+    - valkey-8.1
+    - valkey-8.1-cli
diff --git a/images/valkey/README.md b/images/valkey/README.md
@@ -0,0 +1,93 @@
+# Valkey
+
+Minimal Python image based on Wolfi.
+
+## Versions
+
+| 📌 Version  | ⬇️ Pull URL                                  |
+| ---------- | --------------------------------------------- |
+| latest     | ghcr.io/gitguardian/wolfi/valkey:latest       |
+| latest-dev | ghcr.io/gitguardian/wolfi/valkey:latest-dev   |
+| 8.1        | ghcr.io/gitguardian/wolfi/valkey:8.1          |
+| 8.1-dev    | ghcr.io/gitguardian/wolfi/valkey:8.1-dev      |
+
+
+## ✅ Verify the Provenance
+
+```shell
+gh attestation verify \
+  --owner gitguardian \
+  oci://ghcr.io/gitguardian/wolfi/valkey:latest
+```
+
+- **Shell image**
+
+```shell
+gh attestation verify \
+  --owner gitguardian \
+  oci://ghcr.io/gitguardian/wolfi/valkey:latest-shell
+```
+
+## 📦 **Image Verification**
+cosign verify \
+  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+  --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+  ghcr.io/gitguardian/wolfi/valkey:latest | jq
+```
+
+- **Shell image**
+cosign verify \
+  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+  --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+  ghcr.io/gitguardian/wolfi/valkey:latest-shell | jq
+```
+
+### 📦 **Image SBOMs**
+  --type=https://spdx.dev/Document \
+  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+  --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+  ghcr.io/gitguardian/wolfi/valkey:latest
+```
+
+- **Shell image**
+  --type=https://spdx.dev/Document \
+  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+  --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+  ghcr.io/gitguardian/wolfi/valkey:latest-shell
+```
+
+This will pull in the signature for the attestation specified by the --type parameter, which in this case is the SPDX attestation. You will receive output that verifies the SBOM attestation signature in cosign's transparency log:
+
+```shell
+Verification for ghcr.io/gitguardian/wolfi/valkey:latest --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+Certificate issuer URL: https://token.actions.githubusercontent.com
+GitHub Workflow Trigger: push
+GitHub Workflow SHA: ced6b3cfab1341509de55bff7c0389ce81f73aae
+GitHub Workflow Name: valkey
+GitHub Workflow Repository: GitGuardian/wolfi
+GitHub Workflow Ref: refs/heads/main
+...
+```
+
+#### ✅ Download the Image SBOM Attestations
+
+To download an attestation, use the `cosign` download attestation command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the valkey image on `linux/amd64`:
+
+- **Production image**
+
+```shell
+cosign download attestation \
+  --platform=linux/amd64 \
+  --predicate-type=https://spdx.dev/Document \
+  ghcr.io/gitguardian/wolfi/valkey:latest | jq -r .payload | base64 -d | jq .predicate
+```
+
+- **Shell image**
+cosign download attestation \
+  --platform=linux/amd64 \
+  --predicate-type=https://spdx.dev/Document \
+  ghcr.io/gitguardian/wolfi/valkey:latest-shell | jq -r .payload | base64 -d | jq .predicate
+```
diff --git a/images/valkey/dev.yaml b/images/valkey/dev.yaml
@@ -0,0 +1,12 @@
+include: images/valkey/prod.yaml
+
+contents:
+  packages:
+    - apk-tools
+    - build-base
+    - git
+    - vim
+    - wolfi-keys
+
+accounts:
+  run-as: root
diff --git a/images/valkey/latest/dev.yaml b/images/valkey/latest/dev.yaml
@@ -0,0 +1 @@
+include: images/valkey/8.1/dev.yaml
diff --git a/images/valkey/latest/prod.yaml b/images/valkey/latest/prod.yaml
@@ -0,0 +1 @@
+include: images/valkey/8.1/prod.yaml
diff --git a/images/valkey/prod.yaml b/images/valkey/prod.yaml
@@ -0,0 +1,54 @@
+include: images/apko.yaml
+
+contents:
+  packages:
+    - bash
+    - busybox
+    - ca-certificates-bundle
+    - gosu
+    - curl
+    - wolfi-baselayout
+
+accounts:
+  groups:
+    - groupname: valkey
+      gid: 999
+  users:
+    - username: valkey
+      uid: 999
+      gid: 999
+  run-as: valkey
+
+paths:
+  - path: /var/lib/valkey
+    type: directory
+    permissions: 0o755
+    uid: 999
+    gid: 999
+  - path: /var/lib/valkey/data
+    type: directory
+    permissions: 0o755
+    uid: 999
+    gid: 999
+  - path: /etc/valkey
+    type: directory
+    permissions: 0o755
+    uid: 999
+    gid: 999
+  - path: /var/log/valkey
+    type: directory
+    permissions: 0o755
+    uid: 999
+    gid: 999
+
+work-dir: /var/lib/valkey
+
+entrypoint:
+  command: /usr/bin/docker-entrypoint.sh
+
+cmd: valkey-server /etc/valkey/valkey.conf
+
+annotations:
+  org.opencontainers.image.title: 'Valkey'
+  org.opencontainers.image.description: 'Valkey image based on Wolfi OS'
+  org.opencontainers.image.source: 'https://github.com/GitGuardian/wolfi/tree/main/images/valkey'
