initial commit

Signed-off-by: Akihiro Suda <[email protected]>

.github/workflows/main.yaml

@@ -0,0 +1,38 @@
+---
+name: Build
+on:
+  push:
+    branches:
+    - master
+    - 'release/**'
+  pull_request:
+jobs:
+  example:
+    runs-on: ubuntu-22.04
+    timeout-minutes: 10
+    strategy:
+      fail-fast: false
+      matrix:
+        dockerfile:
+          - "Dockerfile.archlinux"
+          - "Dockerfile.alpine"
+          - "Dockerfile.debian"
+          - "Dockerfile.fedora"
+          - "Dockerfile.opensuse"
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v2
+      - uses: docker/metadata-action@v4
+        id: meta
+        with:
+          images: example
+      - name: Build and push
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          file: ${{ matrix.dockerfile }}
+          push: false
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

Dockerfile.alpine

@@ -0,0 +1,30 @@
+ARG PACKAGES="gcc neofetch"
+
+# PKG_CACHE defaults to the "pkg-cache-local" stage in this image.
+# Can be overridden to a custom image for reproducible builds.
+ARG PKG_CACHE=pkg-cache-local
+
+ARG BASE=alpine:3.18.3@sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a
+
+FROM ${BASE} AS base
+
+FROM base AS pkg-cache-local-base
+ARG PACKAGES
+RUN mkdir -p /etc/apk/cache && \
+  apk update && \
+  apk cache download --available --add-dependencies ${PACKAGES}
+
+FROM scratch AS pkg-cache-local
+COPY --from=pkg-cache-local-base /etc/apk/cache /etc/apk/cache
+
+# pkg-cache is the stage to collect package cache files.
+# This stage can be pushed for the sake of reproducible builds.
+FROM ${PKG_CACHE} AS pkg-cache
+
+FROM base
+ARG PACKAGES
+RUN \
+  --mount=from=pkg-cache,source=/etc/apk/cache,target=/etc/apk/cache,rw \
+  --network=none \
+  apk add --no-network ${PACKAGES}
+# The package signatures are verified by apk

Dockerfile.archlinux

@@ -0,0 +1,46 @@
+ARG PACKAGES="gcc neofetch"
+
+# PKG_CACHE defaults to the "pkg-cache-local" stage in this image.
+# Can be overridden to a custom image for reproducible builds.
+ARG PKG_CACHE=pkg-cache-local
+
+ARG BASE=archlinux:base-20230910.0.177821
+
+FROM ${BASE} AS base
+
+FROM base AS pkg-cache-local-base
+ARG PACKAGES
+RUN pacman -S --noconfirm --refresh --downloadonly ${PACKAGES}
+
+FROM scratch AS pkg-cache-local
+COPY --from=pkg-cache-local-base /var/cache/pacman /var/cache/pacman
+COPY --from=pkg-cache-local-base /var/lib/pacman/sync /var/lib/pacman/sync
+
+# pkg-cache is the stage to collect package cache files.
+# This stage can be pushed for the sake of reproducible builds.
+FROM ${PKG_CACHE} AS pkg-cache
+
+FROM base
+ADD --chmod=0755 <<-"EOT" /usr/local/bin/verify-var-lib-apt-lists.sh
+#!/bin/bash
+set -eux -o pipefail
+for pkg in /var/cache/pacman/pkg/*.tar.zst; do
+  pacman-key --verify "${pkg}.sig"
+done
+EOT
+ARG PACKAGES
+RUN \
+  --mount=from=pkg-cache,source=/var/cache/pacman,target=/var/cache/pacman,rw \
+  --mount=from=pkg-cache,source=/var/lib/pacman/sync,target=/var/lib/pacman/sync,rw \
+  --network=none \
+  verify-var-lib-apt-lists.sh && \
+  pacman -S --noconfirm ${PACKAGES}
+# WARNING: the repository signatures (`/var/cache/pacman/pkg/*.sig`)
+# are only verified on running downloading packages.
+# The signatures are just ignored on installing the packages from the cache.
+#
+# As a workaround, the signatures are verified with the `verify-var-lib-apt-lists.sh`
+# script above, however, this script might not be as robust as `pacman -Sy`.
+#
+# For ArchLinux, consider using https://github.com/reproducible-containers/repro-sources-list.sh
+# instead.

Dockerfile.debian

@@ -0,0 +1,64 @@
+ARG PACKAGES="gcc neofetch"
+
+# PKG_CACHE defaults to the "pkg-cache-local" stage in this image.
+# Can be overridden to a custom image for reproducible builds.
+ARG PKG_CACHE=pkg-cache-local
+
+# The base image can be Ubuntu too.
+ARG BASE=debian:bookworm-20230904-slim
+
+FROM ${BASE} AS base
+
+FROM base AS pkg-cache-local-base
+ARG PACKAGES
+ENV DEBIAN_FRONTEND=noninteractive
+RUN rm -f /etc/apt/apt.conf.d/docker-clean && \
+  echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' >/etc/apt/apt.conf.d/keep-cache && \
+  apt-get update && \
+  apt-get install -y --download-only ${PACKAGES}
+
+FROM scratch AS pkg-cache-local
+COPY --from=pkg-cache-local-base /var/cache/apt /var/cache/apt
+COPY --from=pkg-cache-local-base /var/lib/apt /var/lib/apt
+
+# pkg-cache is the stage to collect package cache files.
+# This stage can be pushed for the sake of reproducible builds.
+FROM ${PKG_CACHE} AS pkg-cache
+
+FROM base
+ADD --chmod=0755 <<-"EOT" /usr/local/bin/verify-var-lib-apt-lists.sh
+#!/bin/bash
+set -eux -o pipefail
+for ir in /var/lib/apt/lists/*InRelease; do
+  verified=0
+  for keyring in /usr/share/keyrings/*.gpg; do
+    if gpgv --keyring "${keyring}" "${ir}"; then
+      verified=1
+      break
+    fi
+    done
+    if [ "${verified}" != "1" ]; then
+      echo >&2 "Failed to verify ${ir}"
+      exit 1
+    fi
+  echo "Verified: gpgv --keyring ${keyring} ${ir}"
+done
+EOT
+ENV DEBIAN_FRONTEND=noninteractive
+ARG PACKAGES
+RUN \
+  --mount=from=pkg-cache,source=/var/cache/apt,target=/var/cache/apt,rw \
+  --mount=from=pkg-cache,source=/var/lib/apt,target=/var/lib/apt,rw \
+  --network=none \
+  verify-var-lib-apt-lists.sh && \
+  apt-get install -y --no-download ${PACKAGES}
+
+# WARNING: the repository signatures (`/var/lib/apt/lists/*InRelease`)
+# are only verified on running `apt-get update`.
+# The signatures are just ignored on running `apt-get install --no-download`.
+#
+# As a workaround, the signatures are verified with the `verify-var-lib-apt-lists.sh`
+# script above, however, this script might not be as robust as `apt-get update`.
+#
+# For Debian and Ubuntu, consider using https://github.com/reproducible-containers/repro-sources-list.sh
+# instead.

Dockerfile.fedora

@@ -0,0 +1,29 @@
+ARG PACKAGES="gcc neofetch"
+
+# PKG_CACHE defaults to the "pkg-cache-local" stage in this image.
+# Can be overridden to a custom image for reproducible builds.
+ARG PKG_CACHE=pkg-cache-local
+
+# The base image can be CentOS Stream, Rocky Linux, and AlmaLinux too.
+ARG BASE=fedora:38@sha256:6fc00f83a1b6526b1c6562e30f552d109ba8e269259c6742a26efab1b7aef59e
+
+FROM ${BASE} AS base
+
+FROM base AS pkg-cache-local-base
+ARG PACKAGES
+RUN dnf install -y --downloadonly ${PACKAGES}
+
+FROM scratch AS pkg-cache-local
+COPY --from=pkg-cache-local-base /var/cache/dnf /var/cache/dnf
+
+# pkg-cache is the stage to collect package cache files.
+# This stage can be pushed for the sake of reproducible builds.
+FROM ${PKG_CACHE} AS pkg-cache
+
+FROM base
+ARG PACKAGES
+RUN \
+  --mount=from=pkg-cache,source=/var/cache/dnf,target=/var/cache/dnf,rw \
+  --network=none \
+  dnf install -y --cacheonly ${PACKAGES}
+# The package signatures are verified by rpm

Dockerfile.opensuse

@@ -0,0 +1,28 @@
+ARG PACKAGES="gcc neofetch"
+
+# PKG_CACHE defaults to the "pkg-cache-local" stage in this image.
+# Can be overridden to a custom image for reproducible builds.
+ARG PKG_CACHE=pkg-cache-local
+
+ARG BASE=opensuse/leap:15.5@sha256:987224e4850af16eef9c89dee43c7bfbbe3b197f8abaf926aec8ad2043b5b577
+
+FROM ${BASE} AS base
+
+FROM base AS pkg-cache-local-base
+ARG PACKAGES
+RUN zypper install -y --download-only ${PACKAGES}
+
+FROM scratch AS pkg-cache-local
+COPY --from=pkg-cache-local-base /var/cache/zypp /var/cache/zypp
+
+# pkg-cache is the stage to collect package cache files.
+# This stage can be pushed for the sake of reproducible builds.
+FROM ${PKG_CACHE} AS pkg-cache
+
+FROM base
+ARG PACKAGES
+RUN \
+  --mount=from=pkg-cache,source=/var/cache/zypp,target=/var/cache/zypp,rw \
+  --network=none \
+  zypper --no-refresh install -y ${PACKAGES}
+# The package signatures are verified by zypper