feat(general): Use Chainguard images

.config/dictionaries/project.dic

@@ -7,6 +7,7 @@ buildkit
 camelcase
 canvaskit
 cardano
+chainguard
 Chromedriver
 chtml
 codegen
@@ -37,12 +38,14 @@ fontawesome
 fontconfig
 fontname
 forcelabels
+freetype
 Geckodriver
 genpkey
 giga
 ginkgolinter
 gitops
 glightbox
+gnutar
 GOCACHE
 gofmt
 goimports
@@ -147,8 +150,14 @@ wasi
 wasip
 wasmtime
 webkitallowfullscreen
+wolfi
 WORKDIR
 xerrors
 xvfb
 zstd
 zstdcat
+libmagic
+lcms
+openjpeg
+libmagic
+iohk

earthly/chainguard/Earthfile

@@ -0,0 +1,54 @@
+VERSION 0.8
+
+# Define a constant name for the container and its version.
+# Temporary I'm not using Harbor as pull-though cache.
+ARG --global CG_IMAGE="cgr.dev/chainguard/wolfi-base"
+
+# Optimally install packages for chainguard
+INSTALL:
+    FUNCTION
+
+    ARG packages
+
+    RUN set -eux; \
+        apk update \
+        && apk add --no-interactive --no-cache $packages \
+        && rm -rf /var/cache/apk/*
+
+# The lates version of Chainguard base Container.
+# Clean with nothing added.
+chainguard-clean:
+    FROM $CG_IMAGE
+
+# The lates version of Chainguard base Container.
+# Normally you want this because it has all the common tools
+# one would expect inside CI.
+common:
+    FROM +chainguard-clean
+
+    # bash is dependence of lcov, use xz instead of xz-utils
+    LET PACKAGES= \
+        git \
+        curl \
+        bash \
+        jq \
+        gpg \
+        lcov \
+        wget \
+        xz \
+        libmagic
+    DO +INSTALL --packages=$PACKAGES
+
+# Checks our Chainguard container is basically usable, and nothing more.
+check-chainguard:
+    FROM +common
+
+    RUN cat /etc/os-release
+
+version-check-Chainguard:
+    FROM +chainguard
+
+    # The idea here is the version check will check if the image its using is the latest image in docker hub.
+    # This would need to be run without cache, and should be a special target.
+    # We need a general solution to help us track our containers and make sure we are aware when they are out of date.
+    RUN exit 1

earthly/chainguard/blueprint.cue

@@ -0,0 +1 @@
+project: name: "ci-chainguard"

earthly/cue/Earthfile

@@ -1,6 +1,7 @@
 VERSION 0.8
 
-IMPORT ../debian AS debian
+# IMPORT ../debian AS debian
+IMPORT ../chainguard AS chainguard
 
 # Define a constant name for the container and its version.
 ARG --global CUE_IMAGE="harbor.shared-services.projectcatalyst.io/dockerhub/cuelang/cue:0.14.1"
@@ -19,7 +20,8 @@ cue-bin:
 
 # Just check that Cue can be properly installed, and runs.
 check-cue:
-    FROM debian+common
+    # FROM debian+common
+    FROM chainguard+common
 
     DO +INSTALL
 

earthly/docs/Earthfile

@@ -1,7 +1,8 @@
 VERSION 0.8
 
 IMPORT ../python AS python-ci
-IMPORT ../debian AS debian
+# IMPORT ../debian AS debian
+IMPORT ../chainguard AS chainguard
 IMPORT ../../utilities/scripts AS scripts
 
 # cspell: words libfreetype liblcms libopenjp etag
@@ -15,21 +16,37 @@ deps:
     # This is all the tooling needed to build the docs.
 
     # Install extra packages we will need to support plugins.
+    # LET PACKAGES= \
+    #     fontconfig \
+    #     libxml2-dev \
+    #     libffi-dev \
+    #     libfreetype6-dev \
+    #     libtiff-dev \
+    #     libssl-dev \
+    #     fonts-liberation \
+    #     libxslt1-dev \
+    #     liblcms2-dev \
+    #     libopenjp2-7-dev \
+    #     tk-dev \
+    #     tcl-dev  \
+    #     make
+    # DO debian+INSTALL --packages=$PACKAGES
+
     LET PACKAGES= \
         fontconfig \
         libxml2-dev \
         libffi-dev \
-        libfreetype6-dev \
-        libtiff-dev \
-        libssl-dev \
-        fonts-liberation \
-        libxslt1-dev \
-        liblcms2-dev \
-        libopenjp2-7-dev \
+        freetype-dev \
+        tiff-dev \
+        openssl-dev \
+        font-liberation \
+        libxslt-dev \
+        lcms2-dev \
+        openjpeg-dev \
         tk-dev \
         tcl-dev  \
         make
-    DO debian+INSTALL --packages=$PACKAGES
+    DO chainguard+INSTALL --packages=$PACKAGES
 
     # Fix up font cache
     RUN fc-cache -f
@@ -114,7 +131,8 @@ PACKAGE:
     FUNCTION
 
     # Use the official Nginx base image
-    FROM harbor.shared-services.projectcatalyst.io/dockerhub/library/nginx:bookworm
+    # FROM harbor.shared-services.projectcatalyst.io/dockerhub/library/nginx:bookworm
+    FROM cgr.dev/chainguard/nginx
 
     # Force this server to disable the browsers cache for these files.
     RUN echo " " > /etc/nginx/conf.d/disable-cache.conf; \

earthly/graphviz/Earthfile

@@ -1,6 +1,7 @@
 VERSION 0.8
 
-IMPORT ../debian AS debian
+# IMPORT ../debian AS debian
+IMPORT ../chainguard AS chainguard
 
 # Define a constant name for the container and its version.
 ARG --global VERSION=13.1.0
@@ -11,17 +12,28 @@ ARG --global URL=https://gitlab.com/api/v4/projects/4207231/packages/generic/gra
 INSTALL:
     FUNCTION
 
+    # LET PACKAGES= \
+    #     build-essential \
+    #     pkg-config \
+    #     libexpat1-dev \
+    #     zlib1g-dev \
+    #     libpng-dev \
+    #     libfreetype-dev \
+    #     librsvg2-dev \
+    #     liblasi-dev \
+    #     wget
+    # DO debian+INSTALL --packages=$PACKAGES
+
     LET PACKAGES= \
-        build-essential \
-        pkg-config \
-        libexpat1-dev \
-        zlib1g-dev \
+        build-base \
+        pkgconf \
+        expat-dev \
+        zlib-dev \
         libpng-dev \
-        libfreetype-dev \
-        librsvg2-dev \
-        liblasi-dev \
+        freetype-dev \
+        librsvg-dev \
         wget
-    DO debian+INSTALL --packages=$PACKAGES
+    DO chainguard+INSTALL --packages=$PACKAGES
 
     RUN mkdir build; \
         cd build; \

earthly/python/Earthfile

@@ -3,31 +3,47 @@ VERSION 0.8
 
 IMPORT ../../utilities/scripts AS scripts
 IMPORT ../../ AS cat-ci
-IMPORT ../debian AS debian
+# IMPORT ../debian AS debian
+IMPORT ../chainguard AS chainguard
 IMPORT ../cue AS cue
 IMPORT ../graphviz AS graphviz
 
 
 # Define a constant name for the container and its version.
-ARG --global PYTHON_IMAGE="harbor.shared-services.projectcatalyst.io/dockerhub/library/python"
+# ARG --global PYTHON_IMAGE="harbor.shared-services.projectcatalyst.io/dockerhub/library/python"
+ARG --global PYTHON_IMAGE="cgr.dev/chainguard/python:latest-dev" 
 
 # cspell: words libjpeg ruff
 
 python-base:
-    FROM ${PYTHON_IMAGE}:3.13-slim-trixie
+    # FROM ${PYTHON_IMAGE}:3.13-slim-trixie
+    FROM $PYTHON_IMAGE
+
+    # https://edu.chainguard.dev/chainguard/migration/migration-guides/migrating-python/#differences-from-the-docker-official-image
+    USER root
 
     # Install necessary packages
+    # LET PACKAGES= \
+    #     bash \
+    #     curl \
+    #     libffi-dev \
+    #     gcc \
+    #     musl-dev \
+    #     zlib1g-dev \
+    #     libjpeg-dev \
+    #     git \
+    #     jq
+    # DO debian+INSTALL --packages=$PACKAGES
     LET PACKAGES= \
         bash \
         curl \
         libffi-dev \
         gcc \
-        musl-dev \
-        zlib1g-dev \
+        zlib-dev \
         libjpeg-dev \
         git \
         jq
-    DO debian+INSTALL --packages=$PACKAGES
+    DO chainguard+INSTALL --packages=$PACKAGES
 
     # Install CUE
     DO cue+INSTALL
@@ -96,7 +112,8 @@ LINT_PYTHON:
     # Where we want to run the `lint` from. Use `.` to check the whole repo.
     ARG src=.
 
-    FROM ${PYTHON_IMAGE}:3.13
+    # FROM ${PYTHON_IMAGE}:3.13
+    FROM $PYTHON_IMAGE
     WORKDIR /work
 
     # Install ruff
@@ -107,6 +124,6 @@ LINT_PYTHON:
 
     RUN diff -Nau ruff.toml ruff.toml.std
 
-    RUN ruff format --check && \
-        ruff check --output-format=github .
+    RUN python3 -m ruff format --check && \
+        python3 -m ruff check --output-format=github .