diff --git a/.github/workflows/pgvector.yaml b/.github/workflows/pgvector.yaml
new file mode 100644
index 0000000..73f3501
--- /dev/null
+++ b/.github/workflows/pgvector.yaml
@@ -0,0 +1,31 @@
+name: pgvector
+
+on:
+ schedule:
+ - cron: "00 01 * * 1-5"
+ pull_request:
+ paths:
+ - .github/workflows/pgvector.yaml
+ - 'images/pgvector/*.yaml'
+ - 'images/pgvector/**/*.yaml'
+ push:
+ branches:
+ - 'main'
+ paths:
+ - .github/workflows/pgvector.yaml
+ - 'images/pgvector/*.yaml'
+ - 'images/pgvector/**/*.yaml'
+ workflow_dispatch:
+
+permissions:
+ publish:
+ strategy:
+ matrix:
+ version: [latest, "17"]
+ variant: [prod, dev]
+ name: ${{ matrix.version }}${{ matrix.variant == 'shell' && '-shell' || matrix.variant == 'dev' && '-dev' || '' }}
+ uses: './.github/workflows/release.yaml'
+ with:
+ tag: ${{ matrix.version }}${{ matrix.variant == 'shell' && '-shell' || matrix.variant == 'dev' && '-dev' || '' }}
+ target: ${{ format('{0}/{1}', matrix.version, matrix.variant) }}
+ secrets: inherit
diff --git a/README.md b/README.md
index 4ea3abf..6673458 100644
--- a/README.md
+++ b/README.md
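Review bot: As rendered here `publish:` follows a bare `permissions:` with no `jobs:` key between them, and the hunk's 31-line count leaves no room for one; if that is the committed file rather than a rendering artifact, GitHub Actions will reject the workflow, and the null `permissions:` should become an explicit least-privilege grant (for a caller of a reusable workflow, at least what `release.yaml` requests, since a called workflow cannot exceed the caller's permissions). The `matrix.variant == 'shell' && '-shell'` branch in both `name:` and `tag:` can never match because `variant: [prod, dev]` has no `shell` entry, so either add that variant or simplify both expressions to `${{ matrix.version }}${{ matrix.variant == 'dev' && '-dev' || '' }}` (the README added in this commit still documents `latest-shell` tags that this matrix does not produce). The `pull_request` trigger runs the same `release.yaml` job with `secrets: inherit`; unless release.yaml itself gates publishing on the event name, a PR from a branch in this repository could push images, which is worth confirming and recording in a comment on the trigger.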
@@ -27,9 +27,11 @@
 | [ingress-nginx-controller](./images/ingress-nginx-controller/) | `docker pull ghcr.io/gitguardian/wolfi/ingress-nginx-controller` |
 | [istio-proxy](./images/istio-proxy/) | `docker pull ghcr.io/gitguardian/wolfi/istio-proxy` |
 | [loki](./images/loki/) | `docker pull ghcr.io/gitguardian/wolfi/loki` |
+| [minio](./images/minio/) | `docker pull ghcr.io/gitguardian/wolfi/minio` |
 | [minio-bitnami](./images/minio-bitnami/) | `docker pull ghcr.io/gitguardian/wolfi/minio-bitnami` |
 | [nginx](./images/nginx/) | `docker pull ghcr.io/gitguardian/wolfi/nginx` |
 | [node](./images/node/) | `docker pull ghcr.io/gitguardian/wolfi/node` |
+| [pgvector](./images/pgvector/) | `docker pull ghcr.io/gitguardian/wolfi/pgvector` |
 | [pgvector-bitnami](./images/pgvector-bitnami/) | `docker pull ghcr.io/gitguardian/wolfi/pgvector-bitnami` |
 | [prometheus](./images/prometheus/) | `docker pull ghcr.io/gitguardian/wolfi/prometheus` |
 | [prometheus-adapter](./images/prometheus-adapter/) | `docker pull ghcr.io/gitguardian/wolfi/prometheus-adapter` |
diff --git a/images/pgvector/17/dev.yaml b/images/pgvector/17/dev.yaml
new file mode 100644
index 0000000..a88d76e
--- /dev/null
+++ b/images/pgvector/17/dev.yaml
@@ -0,0 +1 @@
+include: images/pgvector/dev.yaml
diff --git a/images/pgvector/17/prod.yaml b/images/pgvector/17/prod.yaml
new file mode 100644
index 0000000..ee0635f
--- /dev/null
+++ b/images/pgvector/17/prod.yaml
@@ -0,0 +1,8 @@
+include: images/pgvector/prod.yaml
+
+contents:
+ packages:
+ - pgvector-17
+ - postgresql-17
+ - postgresql-17-client
+ - postgresql-17-oci-entrypoint
diff --git a/images/pgvector/README.md b/images/pgvector/README.md
new file mode 100644
index 0000000..b9797d1
--- /dev/null
+++ b/images/pgvector/README.md
@@ -0,0 +1,92 @@
+# PGVector
+
+Minimal Python image based on Wolfi.
+
+## Versions
+
+| 📌 Version | ⬇️ Pull URL |
+| ---------- | --------------------------------------------- |
+| latest | ghcr.io/gitguardian/wolfi/pgvector:latest |
+| latest-dev | ghcr.io/gitguardian/wolfi/pgvector:latest-dev |
+| 17 | ghcr.io/gitguardian/wolfi/pgvector:17 |
+| 17-dev | ghcr.io/gitguardian/wolfi/pgvector:17-dev |
+
+## ✅ Verify the Provenance
+
+```shell
+gh attestation verify \
+ --owner gitguardian \
+ oci://ghcr.io/gitguardian/wolfi/pgvector:latest
+```
+
+- **Shell image**
+
+```shell
+gh attestation verify \
+ --owner gitguardian \
+ oci://ghcr.io/gitguardian/wolfi/pgvector:latest-shell
+```
+
+## 📦 **Image Verification**
+cosign verify \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+ ghcr.io/gitguardian/wolfi/pgvector:latest | jq
+```
+
+- **Shell image**
+cosign verify \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+ ghcr.io/gitguardian/wolfi/pgvector:latest-shell | jq
+```
+
+### 📦 **Image SBOMs**
+ --type=https://spdx.dev/Document \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+ ghcr.io/gitguardian/wolfi/pgvector:latest
+```
+
+- **Shell image**
+ --type=https://spdx.dev/Document \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+ ghcr.io/gitguardian/wolfi/pgvector:latest-shell
+```
+
+This will pull in the signature for the attestation specified by the --type parameter, which in this case is the SPDX attestation.
You will receive output that verifies the SBOM attestation signature in cosign's transparency log:
+
+```shell
+Verification for ghcr.io/gitguardian/wolfi/pgvector:latest --
+The following checks were performed on each of these signatures:
+ - The cosign claims were validated
+ - Existence of the claims in the transparency log was verified offline
+Certificate issuer URL: https://token.actions.githubusercontent.com
+GitHub Workflow Trigger: push
+GitHub Workflow SHA: ced6b3cfab1341509de55bff7c0389ce81f73aae
+GitHub Workflow Name: pgvector
+GitHub Workflow Repository: GitGuardian/wolfi
+GitHub Workflow Ref: refs/heads/main
+...
+```
+
+#### ✅ Download the Image SBOM Attestations
+
+To download an attestation, use the `cosign` download attestation command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the pgvector image on `linux/amd64`:
+
+- **Production image**
+
+```shell
+cosign download attestation \
+ --platform=linux/amd64 \
+ --predicate-type=https://spdx.dev/Document \
+ ghcr.io/gitguardian/wolfi/pgvector:latest | jq -r .payload | base64 -d | jq .predicate
+```
+
+- **Shell image**
+cosign download attestation \
+ --platform=linux/amd64 \
+ --predicate-type=https://spdx.dev/Document \
+ ghcr.io/gitguardian/wolfi/pgvector:latest-shell | jq -r .payload | base64 -d | jq .predicate
+```
diff --git a/images/pgvector/dev.yaml b/images/pgvector/dev.yaml
new file mode 100644
index 0000000..68a2368
--- /dev/null
+++ b/images/pgvector/dev.yaml
@@ -0,0 +1,13 @@
+include: images/pgvector/prod.yaml
+
+contents:
+ packages:
+ - apk-tools
+ - build-base
+ - curl
+ - git
+ - vim
+ - wolfi-keys
+
+accounts:
+ run-as: root
diff --git a/images/pgvector/latest/dev.yaml b/images/pgvector/latest/dev.yaml
new file mode 100644
index 0000000..a51b8b3
--- /dev/null
+++ b/images/pgvector/latest/dev.yaml
@@ -0,0 +1 @@
+include: images/pgvector/17/dev.yaml
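Review bot: The `accounts: run-as: root` block at the end of `images/pgvector/dev.yaml` duplicates what `images/pgvector/prod.yaml` — included on the first line and added in this same commit — already sets, so it is either redundant or, if apko's include merge replaces `accounts` wholesale instead of merging its fields, it would silently drop the postgres user and group defined there; confirm the merge semantics and remove the block if the value is inherited. If root is kept on purpose for the dev variant (it ships `apk-tools` and `build-base`), a comment such as `# dev image: stay root so packages can be installed interactively` records why, since the file is otherwise the production image plus tooling.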
diff --git a/images/pgvector/latest/prod.yaml b/images/pgvector/latest/prod.yaml
new file mode 100644
index 0000000..372d86b
--- /dev/null
+++ b/images/pgvector/latest/prod.yaml
@@ -0,0 +1 @@
+include: images/pgvector/17/prod.yaml
diff --git a/images/pgvector/prod.yaml b/images/pgvector/prod.yaml
new file mode 100644
index 0000000..a413044
--- /dev/null
+++ b/images/pgvector/prod.yaml
@@ -0,0 +1,54 @@
+include: images/apko.yaml
+
+contents:
+ packages:
+ - bash
+ - busybox
+ - ca-certificates-bundle
+ - glibc-locale-en
+ - glibc-locale-posix
+ - gosu
+ - icu-libs
+ - libxslt
+ - wolfi-baselayout
+
+accounts:
+ groups:
+ - groupname: postgres
+ gid: 65532
+ users:
+ - username: postgres
+ uid: 65532
+ gid: 65532
+ run-as: root
+
+paths:
+ - path: /var/lib/postgresql
+ type: directory
+ permissions: 0o770
+ uid: 65532
+ gid: 0
+ - path: /var/lib/postgresql/data
+ type: directory
+ permissions: 0o770
+ uid: 65532
+ gid: 0
+ - path: /var/run/postgresql
+ type: directory
+ permissions: 0o775
+ uid: 65532
+ gid: 0
+
+work-dir: /home/postgres
+
+environment:
+ LANG: en_US.UTF-8
+ PGDATA: /var/lib/postgresql/data
+
+entrypoint:
+ command: /usr/bin/docker-entrypoint.sh postgres
+
+annotations:
+ org.opencontainers.image.title: 'pgvector'
+ org.opencontainers.image.description: 'PGVector image based on Wolfi OS'
+ org.opencontainers.image.source: 'https://github.com/GitGuardian/wolfi/tree/main/images/pgvector'
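Review bot: `run-as: root` in the production `images/pgvector/prod.yaml` is undocumented, and a reader has to infer from the `gosu` package and the `docker-entrypoint.sh postgres` entrypoint that privileges are dropped after start-up; a comment on that line, e.g. `# root at start-up so the entrypoint can fix PGDATA ownership, then (presumably) gosu to postgres/65532 — confirm against the entrypoint script`, would record both the intent and the assumption to verify. The three data directories are owned by uid 65532 but carry `gid: 0` with `0o770`/`0o775`, so the group bits grant access to group root rather than to the postgres group (gid 65532) defined a few lines above; if that is deliberate for arbitrary-uid runtimes, say so in a comment, otherwise `gid: 65532` matches the account. `/usr/bin/docker-entrypoint.sh` is not provided by any package listed in this file, so it appears to be a base that only builds through the version overlay (`17/prod.yaml` adds `postgresql-17-oci-entrypoint`); a header comment like `# base config — build via images/pgvector/<version>/prod.yaml` would make that explicit.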