GitGuardian · ixxeL2097 · Oct 7, 2025 · Oct 6, 2025
diff --git a/.github/workflows/pgvector.yaml b/.github/workflows/pgvector.yaml
@@ -0,0 +1,31 @@
+name: pgvector
+
+on:
+  schedule:
+    - cron: "00 01 * * 1-5"
+  pull_request:
+    paths:
+      - .github/workflows/pgvector.yaml
+      - 'images/pgvector/*.yaml'
+      - 'images/pgvector/**/*.yaml'
+  push:
+    branches:
+      - 'main'
+    paths:
+      - .github/workflows/pgvector.yaml
+      - 'images/pgvector/*.yaml'
+      - 'images/pgvector/**/*.yaml'
+  workflow_dispatch:
+
+permissions:
+  publish:
+    strategy:
+      matrix:
+        version: [latest, "17"]
+        variant: [prod, dev]
+    name: ${{ matrix.version }}${{ matrix.variant == 'shell' && '-shell' || matrix.variant == 'dev' && '-dev' || '' }}
+    uses: './.github/workflows/release.yaml'
+    with:
+      tag: ${{ matrix.version }}${{ matrix.variant == 'shell' && '-shell' || matrix.variant == 'dev' && '-dev' || '' }}
+      target: ${{ format('{0}/{1}', matrix.version, matrix.variant) }}
+    secrets: inherit
diff --git a/README.md b/README.md
@@ -27,9 +27,11 @@
 | [ingress-nginx-controller](./images/ingress-nginx-controller/) | `docker pull ghcr.io/gitguardian/wolfi/ingress-nginx-controller` |
 | [istio-proxy](./images/istio-proxy/)                           | `docker pull ghcr.io/gitguardian/wolfi/istio-proxy`              |
 | [loki](./images/loki/)                                         | `docker pull ghcr.io/gitguardian/wolfi/loki`                     |
+| [minio](./images/minio/)                                       | `docker pull ghcr.io/gitguardian/wolfi/minio`                    |
 | [minio-bitnami](./images/minio-bitnami/)                       | `docker pull ghcr.io/gitguardian/wolfi/minio-bitnami`            |
 | [nginx](./images/nginx/)                                       | `docker pull ghcr.io/gitguardian/wolfi/nginx`                    |
 | [node](./images/node/)                                         | `docker pull ghcr.io/gitguardian/wolfi/node`                     |
+| [pgvector](./images/pgvector/)                                 | `docker pull ghcr.io/gitguardian/wolfi/pgvector`                 |
 | [pgvector-bitnami](./images/pgvector-bitnami/)                 | `docker pull ghcr.io/gitguardian/wolfi/pgvector-bitnami`         |
 | [prometheus](./images/prometheus/)                             | `docker pull ghcr.io/gitguardian/wolfi/prometheus`               |
 | [prometheus-adapter](./images/prometheus-adapter/)             | `docker pull ghcr.io/gitguardian/wolfi/prometheus-adapter`       |

diff --git a/images/pgvector/17/dev.yaml b/images/pgvector/17/dev.yaml
@@ -0,0 +1 @@
+include: images/pgvector/dev.yaml
diff --git a/images/pgvector/17/prod.yaml b/images/pgvector/17/prod.yaml
@@ -0,0 +1,8 @@
+include: images/pgvector/prod.yaml
+
+contents:
+  packages:
+    - pgvector-17
+    - postgresql-17
+    - postgresql-17-client
+    - postgresql-17-oci-entrypoint
diff --git a/images/pgvector/README.md b/images/pgvector/README.md
@@ -0,0 +1,92 @@
+# PGVector
+
+Minimal Python image based on Wolfi.
+
+## Versions
+
+| 📌 Version  | ⬇️ Pull URL                                    |
+| ---------- | --------------------------------------------- |
+| latest     | ghcr.io/gitguardian/wolfi/pgvector:latest     |
+| latest-dev | ghcr.io/gitguardian/wolfi/pgvector:latest-dev |
+| 17         | ghcr.io/gitguardian/wolfi/pgvector:17         |
+| 17-dev     | ghcr.io/gitguardian/wolfi/pgvector:17-dev     |
+
+## ✅ Verify the Provenance
+
+```shell
+gh attestation verify \
+  --owner gitguardian \
+  oci://ghcr.io/gitguardian/wolfi/pgvector:latest
+```
+
+- **Shell image**
+
+```shell
+gh attestation verify \
+  --owner gitguardian \
+  oci://ghcr.io/gitguardian/wolfi/pgvector:latest-shell
+```
+
+## 📦 **Image Verification**
+cosign verify \
+  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+  --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+  ghcr.io/gitguardian/wolfi/pgvector:latest | jq
+```
+
+- **Shell image**
+cosign verify \
+  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+  --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+  ghcr.io/gitguardian/wolfi/pgvector:latest-shell | jq
+```
+
+### 📦 **Image SBOMs**
+  --type=https://spdx.dev/Document \
+  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+  --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+  ghcr.io/gitguardian/wolfi/pgvector:latest
+```
+
+- **Shell image**
+  --type=https://spdx.dev/Document \
+  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+  --certificate-identity=https://github.com/GitGuardian/wolfi/.github/workflows/release.yaml@refs/heads/main \
+  ghcr.io/gitguardian/wolfi/pgvector:latest-shell
+```
+
+This will pull in the signature for the attestation specified by the --type parameter, which in this case is the SPDX attestation. You will receive output that verifies the SBOM attestation signature in cosign's transparency log:
+
+```shell
+Verification for ghcr.io/gitguardian/wolfi/pgvector:latest --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+Certificate issuer URL: https://token.actions.githubusercontent.com
+GitHub Workflow Trigger: push
+GitHub Workflow SHA: ced6b3cfab1341509de55bff7c0389ce81f73aae
+GitHub Workflow Name: pgvector
+GitHub Workflow Repository: GitGuardian/wolfi
+GitHub Workflow Ref: refs/heads/main
+...
+```
+
+#### ✅ Download the Image SBOM Attestations
+
+To download an attestation, use the `cosign` download attestation command and provide both the predicate type and the build platform. For example, the following command will obtain the SBOM for the pgvector image on `linux/amd64`:
+
+- **Production image**
+
+```shell
+cosign download attestation \
+  --platform=linux/amd64 \
+  --predicate-type=https://spdx.dev/Document \
+  ghcr.io/gitguardian/wolfi/pgvector:latest | jq -r .payload | base64 -d | jq .predicate
+```
+
+- **Shell image**
+cosign download attestation \
+  --platform=linux/amd64 \
+  --predicate-type=https://spdx.dev/Document \
+  ghcr.io/gitguardian/wolfi/pgvector:latest-shell | jq -r .payload | base64 -d | jq .predicate
+```
diff --git a/images/pgvector/dev.yaml b/images/pgvector/dev.yaml
@@ -0,0 +1,13 @@
+include: images/pgvector/prod.yaml
+
+contents:
+  packages:
+    - apk-tools
+    - build-base
+    - curl
+    - git
+    - vim
+    - wolfi-keys
+
+accounts:
+  run-as: root
diff --git a/images/pgvector/latest/dev.yaml b/images/pgvector/latest/dev.yaml
@@ -0,0 +1 @@
+include: images/pgvector/17/dev.yaml
diff --git a/images/pgvector/latest/prod.yaml b/images/pgvector/latest/prod.yaml
@@ -0,0 +1 @@
+include: images/pgvector/17/prod.yaml
diff --git a/images/pgvector/prod.yaml b/images/pgvector/prod.yaml
@@ -0,0 +1,54 @@
+include: images/apko.yaml
+
+contents:
+  packages:
+    - bash
+    - busybox
+    - ca-certificates-bundle
+    - glibc-locale-en
+    - glibc-locale-posix
+    - gosu
+    - icu-libs
+    - libxslt
+    - wolfi-baselayout
+
+accounts:
+  groups:
+    - groupname: postgres
+      gid: 65532
+  users:
+    - username: postgres
+      uid: 65532
+      gid: 65532
+  run-as: root
+
+paths:
+  - path: /var/lib/postgresql
+    type: directory
+    permissions: 0o770
+    uid: 65532
+    gid: 0
+  - path: /var/lib/postgresql/data
+    type: directory
+    permissions: 0o770
+    uid: 65532
+    gid: 0
+  - path: /var/run/postgresql
+    type: directory
+    permissions: 0o775
+    uid: 65532
+    gid: 0
+
+work-dir: /home/postgres
+
+environment:
+  LANG: en_US.UTF-8
+  PGDATA: /var/lib/postgresql/data
+
+entrypoint:
+  command: /usr/bin/docker-entrypoint.sh postgres
+
+annotations:
+  org.opencontainers.image.title: 'pgvector'
+  org.opencontainers.image.description: 'PGVector image based on Wolfi OS'
+  org.opencontainers.image.source: 'https://github.com/GitGuardian/wolfi/tree/main/images/pgvector'