Skip to content

Add builds for debian13 static, base, base-nossl #1850

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bobcallaway merged 1 commit into from
Oct 8, 2025
Merged

Add builds for debian13 static, base, base-nossl #1850

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions BUILD
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
load("//:checksums.bzl", "ARCHITECTURES", "BASE_ARCHITECTURES")
load("//base:distro.bzl", "DISTROS")
load("//base:distro.bzl", "DISTROS", "PREVIEW_DISTROS")
load("//private/oci:defs.bzl", "sign_and_push_all")
load("//nodejs:node_arch.bzl", "node_arch")

Expand Down Expand Up @@ -31,14 +31,14 @@ STATIC |= {
"{REGISTRY}/{PROJECT_ID}/static-" + distro + ":" + tag_base + "-" + arch: "//base:" + label + "_" + user + "_" + arch + "_" + distro
for arch in ARCHITECTURES
for (tag_base, label, user) in STATIC_VARIANTS
for distro in DISTROS
for distro in DISTROS + PREVIEW_DISTROS
}

# oci_image_index
STATIC |= {
"{REGISTRY}/{PROJECT_ID}/static-" + distro + ":" + tag_base: "//base:" + label + "_" + user + "_" + distro
for (tag_base, label, user) in STATIC_VARIANTS
for distro in DISTROS
for distro in DISTROS + PREVIEW_DISTROS
}

## BASE
Expand All @@ -65,14 +65,14 @@ BASE |= {
"{REGISTRY}/{PROJECT_ID}/base-" + distro + ":" + tag_base + "-" + arch: "//base:" + label + "_" + user + "_" + arch + "_" + distro
for arch in ARCHITECTURES
for (tag_base, label, user) in BASE_VARIANTS
for distro in DISTROS
for distro in DISTROS + PREVIEW_DISTROS
}

# oci_image_index
BASE |= {
"{REGISTRY}/{PROJECT_ID}/base-" + distro + ":" + tag_base: "//base:" + label + "_" + user + "_" + distro
for (tag_base, label, user) in BASE_VARIANTS
for distro in DISTROS
for distro in DISTROS + PREVIEW_DISTROS
}

## BASE NOSSL
Expand All @@ -99,14 +99,14 @@ BASE_NOSSL |= {
"{REGISTRY}/{PROJECT_ID}/base-nossl-" + distro + ":" + tag_base + "-" + arch: "//base:" + label + "_" + user + "_" + arch + "_" + distro
for arch in ARCHITECTURES
for (tag_base, label, user) in BASE_NOSSL_VARIANTS
for distro in DISTROS
for distro in DISTROS + PREVIEW_DISTROS
}

# oci_image_index
BASE_NOSSL |= {
"{REGISTRY}/{PROJECT_ID}/base-nossl-" + distro + ":" + tag_base: "//base:" + label + "_" + user + "_" + distro
for (tag_base, label, user) in BASE_NOSSL_VARIANTS
for distro in DISTROS
for distro in DISTROS + PREVIEW_DISTROS
}

## CC
Expand Down
12 changes: 11 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,16 @@ These images refer to image indexes with references to all supported architectur

Any other tags are considered deprecated and are no longer updated

#### Debian 13 Preview

These images are not considered stable and may change in subtle ways that break your application. They are made available to allow testing of your systems before upgrading. We will stabilize these in the near future at which point you should revalidate with the latest releases.

| Image | Tags | Architecture Suffixes |
| ------------------------------------- | ------------------------------------- | --------------------------------- |
| gcr.io/distroless/static-debian13 | latest, nonroot, debug, debug-nonroot | amd64, arm64, arm, s390x, ppc64le |
| gcr.io/distroless/base-debian13 | latest, nonroot, debug, debug-nonroot | amd64, arm64, arm, s390x, ppc64le |
| gcr.io/distroless/base-nossl-debian13 | latest, nonroot, debug, debug-nonroot | amd64, arm64, arm, s390x, ppc64le |

## Why is distroless still using gcr.io instead of pkg.dev?

Distroless's serving infrastructure has moved to artifact registry but we still use the gcr.io domain. Users will get the benefits of the newer infrastructure without changing their builds.
Expand All @@ -58,7 +68,7 @@ All distroless images are signed by [cosign](https://github.com/sigstore/cosign)
We recommend verifying any distroless image you use before building your image. You can verify the keyless signature of any distroless image with:

```sh
cosign verify $IMAGE_NAME --certificate-oidc-issuer https://accounts.google.com --certificate-identity [email protected]
cosign verify $IMAGE_NAME --certificate-oidc-issuer https://accounts.google.com --certificate-identity [email protected]
```

### Entrypoints
Expand Down
5 changes: 2 additions & 3 deletions private/repos/deb/deb.MODULE.bazel
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,8 @@ apt = use_extension("@rules_distroless//apt:extensions.bzl", "apt")
manifest = "//private/repos/deb:{}.yaml".format(repo),
package_template = "//private/repos/deb:package.BUILD.tmpl",
resolve_transitive = False,
### TODO: trixie should add merged-usr support. It's added to rules_distroless but not released yet.
### Once released, bump the version and enable the following line.
# mergedusr = repo == "trixie",
## merged usr fs is only enabled on debian13+, remove this line once we remove debian12 builds
mergedusr = repo == "trixie",
)
for repo in REPOS
]
Expand Down
Loading