fork

.editorconfig

@@ -0,0 +1,7 @@
+root = true
+[*]
+indent_style = space
+end_of_line = lf
+charset = utf-8
+[Makefile]
+indent_style = tab

.gitignore

@@ -0,0 +1,2 @@
+build
+output

.gitlab-ci.yml

@@ -0,0 +1,368 @@
+default:
+  image: "archlinux/archlinux:latest"
+
+stages:
+  - cleanup
+  - lint
+  - rootfs
+  - image
+  - test
+  - pre-release
+  - release
+  - publish
+
+cleanup:
+  stage: cleanup
+  tags:
+    - secure
+    - docker
+  only:
+    refs:
+      - schedules@archlinux/archlinux-docker
+    variables:
+      - $CLEANUP_PACKAGE_REGISTRY == "TRUE"
+  before_script:
+    - pacman -Syu --noconfirm jq
+  script:
+    - |
+      for id in $(curl --silent --fail --show-error "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages?per_page=100&order_by=created_at&sort=asc" | jq '.[] | select(.created_at | split("T")[0] | . < (now-60*60*24*60|strflocaltime("%Y-%m-%d"))) | .id'); do
+        curl --silent --fail --show-error --request DELETE --header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/${id}"
+      done
+
+lint:
+  stage: lint
+  image: hadolint/hadolint:latest-alpine
+  # DL3018: We don't need apk version pins, we use the bleeding edge
+  script: hadolint --ignore DL3018 Dockerfile.template
+  except:
+    - releases
+    - tags
+
+# This is an implicit gitlab stage, with the build.env variables used by either
+# other stages or auxiliarry scripts.
+get_version:
+  stage: .pre
+  script:
+    - |
+      # If we're building a tagged release, use the tag (without the 'v' prefix) as the
+      # BUILD_VERSION. Otherwise, determine a new BUILD_VERSION.
+      if [[ -n "$CI_COMMIT_TAG" ]]; then
+        echo "BUILD_VERSION=${CI_COMMIT_TAG/v/}" > build.env
+      else
+        echo "BUILD_VERSION=$(date +%Y%m%d).0.$CI_JOB_ID" > build.env
+      fi
+    - export $(< build.env)
+    - echo "PACKAGE_REGISTRY_URL=${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/rootfs/${BUILD_VERSION}" >> build.env
+  artifacts:
+    reports:
+      dotenv: build.env
+
+.rootfs:
+  stage: rootfs
+  parallel:
+    matrix:
+      - GROUP: [base, base-devel, multilib-devel]
+  before_script:
+    - pacman -Syu --noconfirm git make fakechroot fakeroot
+    - pacman -Sdd --noconfirm devtools
+  script:
+    - make $PWD/output/Dockerfile.$GROUP
+  artifacts:
+    paths:
+      - output/*
+    exclude:
+      - output/*.tar
+    expire_in: 2h
+
+rootfs:
+  extends: .rootfs
+  except:
+    - master@archlinux/archlinux-docker
+    - releases@archlinux/archlinux-docker
+    - schedules@archlinux/archlinux-docker
+    - tags@archlinux/archlinux-docker
+
+rootfs:secure:
+  extends: .rootfs
+  tags:
+    - secure
+    - docker
+  only:
+    - master@archlinux/archlinux-docker
+    - schedules@archlinux/archlinux-docker
+  except:
+    - tags
+    - releases
+
+.image:
+  stage: image
+  parallel:
+    matrix:
+      - GROUP: [base, base-devel, multilib-devel]
+  tags:
+    - vm
+  id_tokens:
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
+  script:
+    - podman build
+        -f "$CI_PROJECT_DIR/output/Dockerfile.$GROUP"
+        -t "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"
+        "$CI_PROJECT_DIR/output"
+    - podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"
+
+image:build:
+  extends: .image
+  except:
+    - master@archlinux/archlinux-docker
+    - releases
+    - schedules@archlinux/archlinux-docker
+    - tags
+  before_script:
+    - pacman -Syu --noconfirm podman
+    - podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
+    - 'echo -e "default-docker:\n  use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
+
+image:build:secure:
+  extends: .image
+  tags:
+    - secure
+    - vm
+  only:
+    - master@archlinux/archlinux-docker
+    - schedules@archlinux/archlinux-docker
+  except:
+    - tags
+  before_script:
+    - pacman -Syu --noconfirm podman
+    - podman login -u "$GITLAB_PROJECT_USER" -p "$GITLAB_PROJECT_TOKEN" "$CI_REGISTRY"
+    - 'echo -e "default-docker:\n  use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
+
+# Build and publish to the Arch Linux group namespaces:
+# https://hub.docker.com/r/archlinux/archlinux
+# https://quay.io/repository/archlinux/archlinux
+image:publish:secure:
+  extends: .image
+  retry: 2
+  tags:
+    - secure
+    - vm
+  only:
+    - tags@archlinux/archlinux-docker
+  before_script:
+    - pacman -Syu --noconfirm podman
+    - podman login -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_ACCESS_TOKEN" "docker.io"
+    - podman login -u "$QUAY_USERNAME" -p "$QUAY_PASSWORD" "quay.io"
+    - podman login -u "$GHCR_USERNAME" -p "$GHCR_PASSWORD" "ghcr.io"
+    - 'echo -e "default-docker:\n  use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
+  script:
+    - podman build
+        -f "$CI_PROJECT_DIR/Dockerfile.$GROUP"
+        -t "archlinux:$GROUP-$BUILD_VERSION"
+        "$CI_PROJECT_DIR"
+    - |
+      for host in "docker.io" "quay.io" "ghcr.io"; do
+        podman tag "archlinux:$GROUP-$BUILD_VERSION" "$host/archlinux/archlinux:$GROUP"
+        podman tag "archlinux:$GROUP-$BUILD_VERSION" "$host/archlinux/archlinux:$GROUP-$BUILD_VERSION"
+        podman push "$host/archlinux/archlinux:$GROUP"
+        podman push --sign-by-sigstore=<(sed "s/TEMPLATE_OIDC_ID_TOKEN/${SIGSTORE_ID_TOKEN}/" sigstore-param-file.yaml) "$host/archlinux/archlinux:$GROUP-$BUILD_VERSION"
+
+        if [[ "$GROUP" == "base" ]]; then
+          podman tag "archlinux:$GROUP-$BUILD_VERSION" "$host/archlinux/archlinux:latest"
+          podman push "$host/archlinux/archlinux:latest"
+        fi
+      done
+
+
+.test:
+  stage: test
+  dependencies: []
+  except:
+    refs:
+      - releases
+      - tags
+
+.test-script: &test-script
+  - test "$(cat /etc/group | wc -l)" -gt 10
+  - test "$(cat /etc/passwd | wc -l)" -gt 10
+  - pacman -Sy
+  - pacman -Qqk
+  - pacman -Syu --noconfirm podman grep
+  - podman -v
+  - id -u http
+  - locale | grep -q UTF-8
+
+test:base:
+  extends: .test
+  image: $CI_REGISTRY_IMAGE:base-$CI_COMMIT_REF_SLUG
+  script:
+    - *test-script
+
+test:base-devel:
+  extends: .test
+  image: $CI_REGISTRY_IMAGE:base-devel-$CI_COMMIT_REF_SLUG
+  script:
+    - *test-script
+    - gcc -v
+    - g++ -v
+    - make -v
+    - test -u /usr/bin/sudo   # issue 70
+    - test -u /usr/bin/passwd
+
+pre-release:
+  stage: pre-release
+  image: registry.gitlab.com/gitlab-org/release-cli:latest
+  tags:
+    - secure
+    - docker
+  only:
+    refs:
+      - schedules@archlinux/archlinux-docker
+    variables:
+      - $PUBLISH_ARCHLINUX_REPOSITORY == "TRUE"
+      - $PUBLISH_OFFICIAL_LIBRARY == "TRUE"
+  before_script:
+    - apk update
+    - apk add jq curl httpie bash
+  script:
+    - |
+      echo "Update the description of our daily DockerHub repository at https://hub.docker.com/r/archlinux/archlinux"
+      TOKEN="$(http --ignore-stdin POST https://hub.docker.com/v2/users/login username="${DOCKERHUB_USERNAME}" password="${DOCKERHUB_PASSWORD}" | jq -er .token)"
+      http --ignore-stdin PATCH https://hub.docker.com/v2/repositories/archlinux/archlinux/ Authorization:"JWT ${TOKEN}" full_description="$(cat README.md)"
+
+      # Upload rootfs to the Generic Packages Repository
+      for group in base base-devel multilib-devel; do
+        rootfs_file="${group}-${BUILD_VERSION}.tar.zst"
+        mv "output/${group}.tar.zst" "output/${rootfs_file}"
+        mv "output/${group}.tar.zst.SHA256" "output/${rootfs_file}.SHA256"
+        sed -i "s|${group}.tar.zst|${rootfs_file}|" "output/${rootfs_file}.SHA256"
+        echo "Uploading ${rootfs_file}"
+        curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file "output/${rootfs_file}" "${PACKAGE_REGISTRY_URL}/"
+        echo "Uploading ${rootfs_file}.SHA256"
+        curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file "output/${rootfs_file}.SHA256" "${PACKAGE_REGISTRY_URL}/"
+      done
+
+      # Create the Dockerfiles, commit to the release branch
+      for group in base base-devel multilib-devel; do
+        rootfs_file="${group}-${BUILD_VERSION}.tar.zst"
+        ./scripts/make-dockerfile.sh "${rootfs_file}" "${group}" "output" "curl -sOJL \"${PACKAGE_REGISTRY_URL}/${rootfs_file}\"" "${group}"
+        sed -i "/^COPY ${rootfs_file} \/$/d" output/Dockerfile.${group}
+      done
+    - >
+      curl -sSf --request POST -o commit-response.json
+      --header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}"
+      --form "branch=releases"
+      --form "commit_message=Release ${BUILD_VERSION}"
+      --form "actions[][action]=update"
+      --form "actions[][file_path]=Dockerfile.base"
+      --form "actions[][content]=<output/Dockerfile.base"
+      --form "actions[][action]=update"
+      --form "actions[][file_path]=Dockerfile.base-devel"
+      --form "actions[][content]=<output/Dockerfile.base-devel"
+      --form "actions[][action]=update"
+      --form "actions[][file_path]=Dockerfile.multilib-devel"
+      --form "actions[][content]=<output/Dockerfile.multilib-devel"
+      --form "actions[][action]=update"
+      --form "actions[][file_path]=.gitlab-ci.yml"
+      --form "actions[][content]=<.gitlab-ci.yml"
+      --form "actions[][action]=update"
+      --form "actions[][file_path]=sigstore-param-file.yaml"
+      --form "actions[][content]=<sigstore-param-file.yaml"
+      "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/repository/commits"
+    - echo "BUILD_COMMIT=$(jq -r '.id' commit-response.json)" >> build.env
+  artifacts:
+    reports:
+      dotenv: build.env
+
+release:
+  stage: release
+  dependencies:
+    - get_version
+  image: registry.gitlab.com/gitlab-org/release-cli:latest
+  tags:
+    - secure
+    - docker
+  only:
+    refs:
+      - schedules@archlinux/archlinux-docker
+    variables:
+      - $PUBLISH_ARCHLINUX_REPOSITORY == "TRUE"
+      - $PUBLISH_OFFICIAL_LIBRARY == "TRUE"
+  script:
+    - echo 'Creating release'
+  release:
+    name: 'Release ${BUILD_VERSION}'
+    description: 'Release ${BUILD_VERSION}'
+    tag_name: 'v${BUILD_VERSION}'
+    ref: 'releases'
+    assets:
+      links:
+        - name: 'base-${BUILD_VERSION}.tar.zst'
+          url: '${PACKAGE_REGISTRY_URL}/base-${BUILD_VERSION}.tar.zst'
+        - name: 'base-${BUILD_VERSION}.tar.zst.SHA256'
+          url: '${PACKAGE_REGISTRY_URL}/base-${BUILD_VERSION}.tar.zst.SHA256'
+        - name: 'base-devel-${BUILD_VERSION}.tar.zst'
+          url: '${PACKAGE_REGISTRY_URL}/base-devel-${BUILD_VERSION}.tar.zst'
+        - name: 'base-devel-${BUILD_VERSION}.tar.zst.SHA256'
+          url: '${PACKAGE_REGISTRY_URL}/base-devel-${BUILD_VERSION}.tar.zst.SHA256'
+        - name: 'multilib-devel-${BUILD_VERSION}.tar.zst'
+          url: '${PACKAGE_REGISTRY_URL}/multilib-devel-${BUILD_VERSION}.tar.zst'
+        - name: 'multilib-devel-${BUILD_VERSION}.tar.zst.SHA256'
+          url: '${PACKAGE_REGISTRY_URL}/multilib-devel-${BUILD_VERSION}.tar.zst.SHA256'
+
+# Publish to the official Docker namespace: https://hub.docker.com/_/archlinux
+# Note: The description is maintained here: https://github.com/docker-library/docs/tree/master/archlinux
+publish-dockerhub:
+  stage: publish
+  dependencies:
+    - get_version
+    - pre-release
+  only:
+    refs:
+      - schedules
+    variables:
+      - $PUBLISH_OFFICIAL_LIBRARY == "TRUE"
+  before_script:
+    - export | grep -q BUILD_VERSION=
+    - export | grep -q BUILD_COMMIT=
+    - test -n "$BUILD_VERSION"
+    - test -n "$BUILD_COMMIT"
+    - test -n "$GITHUB_TOKEN"
+    - pacman -Syu --noconfirm github-cli git gettext
+    - git config --global user.email "github@archlinux.org"
+    - git config --global user.name "Arch Linux Technical User"
+  script:
+    - echo "Update the Docker library Github repo"
+    - mkdir official-images
+    - cd official-images
+    - git init
+    - 'git remote add origin "https://x-access-token:${GITHUB_TOKEN}@github.com/archlinux/official-images.git"'
+    - git fetch https://github.com/docker-library/official-images.git
+    - git reset --hard FETCH_HEAD
+    - head="release/${BUILD_VERSION}"
+    - git checkout -b "$head"
+    - cp ../docker-library.template library/archlinux
+    - |
+      for group in base base-devel multilib-devel; do
+        test "${group}" = "base" && extra="latest, " || extra=""
+        echo "Tags: ${extra}${group}, ${group}-${BUILD_VERSION}" >> library/archlinux
+        echo "GitCommit: ${BUILD_COMMIT}" >> library/archlinux
+        echo "GitFetch: refs/tags/v${BUILD_VERSION}" >> library/archlinux
+        echo "File: Dockerfile.${group}" >> library/archlinux
+        echo >> library/archlinux
+      done
+    - git diff
+    - git add library/archlinux
+    - maintainers="$(grep \(@ ../docker-library.template | cut -d\( -f2 | cut -d\) -f1 | xargs)"
+    - test -n "$maintainers"
+    - 'git commit
+        -m "archlinux: Release ${BUILD_VERSION}"
+        -m "This is an automated release [1]."
+        -m "[1] ${CI_PROJECT_URL}/-/blob/master/.gitlab-ci.yml"'
+    - git push -u origin "$head"
+    - 'gh pr create
+        --repo docker-library/official-images
+        --title "$(git show --no-patch --format="%s")"
+        --body "$(printf "%s\n\n---\n\nMaintainers: ${maintainers}\n" "$(git show --no-patch --format="%b")")"
+        --base master
+        --head archlinux:"$head"'

Dockerfile.template

@@ -0,0 +1,43 @@
+# Docker image when built on the official Docker infrastructure.
+# They require us to verify the source integrity in some way while making sure that this is a
+# reproducible build.
+# See https://github.com/docker-library/official-images#image-build
+# In order to achieve this, we externally host the rootfs archives and their checksums and then
+# just download and verify it in the first stage of this Dockerfile.
+# The second stage is for actually configuring the system a little bit.
+# Some templating is done in order to allow us to easily build different configurations and to
+# allow us to automate the release process.
+
+# Note: Only official DockerHub images are allowed, see https://gitlab.archlinux.org/archlinux/archlinux-docker/-/commit/daa67d18579024947d69a45e6d028c5adb1c8c23
+# While we could use archlinux:base it could also break our build process, so we avoid dog fooding here
+FROM alpine:3.19 AS verify
+COPY TEMPLATE_ROOTFS_FILE /
+
+RUN apk add --no-cache curl tar zstd
+
+RUN TEMPLATE_ROOTFS_DOWNLOAD && \
+    echo "TEMPLATE_ROOTFS_HASH" > /tmp/sha256sums.txt && \
+    sha256sum -c /tmp/sha256sums.txt && \
+    mkdir /rootfs && \
+    tar -C /rootfs --extract --file TEMPLATE_ROOTFS_FILE
+
+FROM scratch AS root
+
+LABEL org.opencontainers.image.title="TEMPLATE_TITLE"
+LABEL org.opencontainers.image.description="Official containerd image of Arch Linux, a simple, lightweight Linux distribution aimed for flexibility."
+LABEL org.opencontainers.image.authors="Santiago Torres-Arias <santiago@archlinux.org> (@SantiagoTorres), Christian Rebischke <Chris.Rebischke@archlinux.org> (@shibumi), Justin Kromlinger <hashworks@archlinux.org> (@hashworks)"
+LABEL org.opencontainers.image.url="https://gitlab.archlinux.org/archlinux/archlinux-docker/-/blob/master/README.md"
+LABEL org.opencontainers.image.documentation="https://wiki.archlinux.org/title/Docker#Arch_Linux"
+LABEL org.opencontainers.image.source="https://gitlab.archlinux.org/archlinux/archlinux-docker"
+LABEL org.opencontainers.image.licenses="GPL-3.0-or-later"
+LABEL org.opencontainers.image.version="TEMPLATE_VERSION_ID"
+LABEL org.opencontainers.image.revision="TEMPLATE_REVISION"
+LABEL org.opencontainers.image.created="TEMPLATE_CREATED"
+
+COPY --from=verify /rootfs/ /
+
+RUN ldconfig && \
+    sed -i '/BUILD_ID/a VERSION_ID=TEMPLATE_VERSION_ID' /etc/os-release
+
+ENV LANG=C.UTF-8
+CMD ["/usr/bin/bash"]

Makefile

@@ -0,0 +1,21 @@
+OCITOOL=podman # or docker
+BUILDDIR=$(shell pwd)/build
+OUTPUTDIR=$(shell pwd)/output
+
+.PHONY: clean
+clean:
+	rm -rf $(BUILDDIR) $(OUTPUTDIR)
+
+.PRECIOUS: $(OUTPUTDIR)/%.tar.zst
+$(OUTPUTDIR)/%.tar.zst:
+	scripts/make-rootfs.sh $(*) $(BUILDDIR) $(OUTPUTDIR)
+
+.PRECIOUS: $(OUTPUTDIR)/Dockerfile.%
+$(OUTPUTDIR)/Dockerfile.%: $(OUTPUTDIR)/%.tar.zst
+	scripts/make-dockerfile.sh "$(*).tar.zst" $(*) $(OUTPUTDIR) "true" "Dev"
+
+# The following is for local builds only, it is not used by the CI/CD pipeline
+
+all: image-base image-base-devel image-multilib-devel
+image-%: $(OUTPUTDIR)/Dockerfile.%
+	${OCITOOL} build -f $(OUTPUTDIR)/Dockerfile.$(*) -t archlinux/archlinux:$(*) $(OUTPUTDIR)

docker-library.template

@@ -0,0 +1,7 @@
+# https://gitlab.archlinux.org/archlinux/archlinux-docker
+
+Maintainers: Santiago Torres-Arias <santiago@archlinux.org> (@SantiagoTorres),
+             Christian Rebischke <Chris.Rebischke@archlinux.org> (@shibumi),
+             Justin Kromlinger <hashworks@archlinux.org> (@hashworks)
+GitRepo: https://gitlab.archlinux.org/archlinux/archlinux-docker.git
+

exclude

@@ -0,0 +1,18 @@
+./.dockerenv
+./.dockerinit
+./sys
+./proc
+./dev
+./etc/hostname
+./etc/machine-id
+./etc/resolv.conf
+./etc/pacman.d/gnupg/openpgp-revocs.d/*
+./etc/pacman.d/gnupg/private-keys-v1.d/*
+./etc/pacman.d/gnupg/pubring.gpg~
+./etc/pacman.d/gnupg/S.*
+./root/*
+./tmp/*
+./var/cache/pacman/pkg/*
+./var/lib/pacman/sync/*
+./var/tmp/*
+./alpm-hooks

pacman-conf.d-noextract.conf

@@ -0,0 +1,13 @@
+[options]
+NoExtract  = usr/share/help/* !usr/share/help/en* !usr/share/help/C/*
+NoExtract  = usr/share/gtk-doc/html/* usr/share/doc/*
+NoExtract  = usr/share/locale/* usr/share/X11/locale/* usr/share/i18n/*
+NoExtract   = !*locale*/en*/* !usr/share/i18n/charmaps/UTF-8.gz !usr/share/*locale*/locale.*
+NoExtract   = !usr/share/*locales/en_?? !usr/share/*locales/i18n* !usr/share/*locales/iso*
+NoExtract   = !usr/share/*locales/trans*
+NoExtract   = !usr/share/X11/locale/C/*
+NoExtract   = !usr/share/X11/locale/compose.dir !usr/share/X11/locale/iso8859-1/*
+NoExtract  = !usr/share/*locales/C !usr/share/*locales/POSIX !usr/share/i18n/charmaps/ANSI_X3.4-1968.gz
+NoExtract  = usr/share/man/* usr/share/info/*
+NoExtract  = usr/share/vim/vim*/lang/*
+NoExtract  = etc/pacman.conf etc/pacman.d/mirrorlist

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ]
+}

rootfs/etc/locale.conf

@@ -0,0 +1 @@
+LANG=C.UTF-8

rootfs/etc/pacman.d/mirrorlist

@@ -0,0 +1,3 @@
+Server = https://geo.mirror.pkgbuild.com/$repo/os/$arch
+Server = https://mirror.rackspace.com/archlinux/$repo/os/$arch
+Server = https://mirror.leaseweb.net/archlinux/$repo/os/$arch

scripts/make-dockerfile.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -euo pipefail
+
+declare -r ROOTFS_FILE="$1"
+declare -r GROUP="$2"
+declare -r OUTPUTDIR="$3"
+declare -r DOWNLOAD="$4"
+declare -r TITLE="$5"
+
+# Do not use these directly in the sed below - it will mask git failures
+BUILD_VERSION="${BUILD_VERSION:-dev}"
+CI_COMMIT_SHA="${CI_COMMIT_SHA:-$(git rev-parse HEAD)}"
+
+sed -e "s|TEMPLATE_ROOTFS_FILE|$ROOTFS_FILE|" \
+    -e "s|TEMPLATE_ROOTFS_DOWNLOAD|$DOWNLOAD|" \
+    -e "s|TEMPLATE_ROOTFS_HASH|$(cat $OUTPUTDIR/$ROOTFS_FILE.SHA256)|" \
+    -e "s|TEMPLATE_TITLE|Arch Linux $TITLE Image|" \
+    -e "s|TEMPLATE_VERSION_ID|$BUILD_VERSION|" \
+    -e "s|TEMPLATE_REVISION|$CI_COMMIT_SHA|" \
+    -e "s|TEMPLATE_CREATED|$(date -Is)|" \
+    Dockerfile.template > "$OUTPUTDIR/Dockerfile.$GROUP"

scripts/make-rootfs.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+set -euo pipefail
+
+declare -r WRAPPER="fakechroot -- fakeroot"
+
+declare -r GROUP="$1"
+declare -r BUILDDIR="$2"
+declare -r OUTPUTDIR="$3"
+
+mkdir -vp "$BUILDDIR/alpm-hooks/usr/share/libalpm/hooks"
+find /usr/share/libalpm/hooks -exec ln -sf /dev/null "$BUILDDIR/alpm-hooks"{} \;
+
+mkdir -vp "$BUILDDIR/var/lib/pacman/" "$OUTPUTDIR"
+[[ "$GROUP" == "multilib-devel" ]] && pacman_conf=multilib.conf || pacman_conf=extra.conf
+install -Dm644 "/usr/share/devtools/pacman.conf.d/$pacman_conf" "$BUILDDIR/etc/pacman.conf"
+cat pacman-conf.d-noextract.conf >> "$BUILDDIR/etc/pacman.conf"
+
+sed 's/Include = /&rootfs/g' < "$BUILDDIR/etc/pacman.conf" > pacman.conf
+
+cp --recursive --preserve=timestamps rootfs/* "$BUILDDIR/"
+ln -fs /usr/lib/os-release "$BUILDDIR/etc/os-release"
+
+$WRAPPER -- \
+    pacman -Sy -r "$BUILDDIR" \
+        --noconfirm --dbpath "$BUILDDIR/var/lib/pacman" \
+        --config pacman.conf \
+        --noscriptlet \
+        --hookdir "$BUILDDIR/alpm-hooks/usr/share/libalpm/hooks/" base "$GROUP"
+
+$WRAPPER -- chroot "$BUILDDIR" update-ca-trust
+$WRAPPER -- chroot "$BUILDDIR" pacman-key --init
+$WRAPPER -- chroot "$BUILDDIR" pacman-key --populate
+
+# add system users
+$WRAPPER -- chroot "$BUILDDIR" /usr/bin/systemd-sysusers --root "/"
+
+# remove passwordless login for root (see CVE-2019-5021 for reference)
+sed -i -e 's/^root::/root:!:/' "$BUILDDIR/etc/shadow"
+
+# fakeroot to map the gid/uid of the builder process to root
+# fixes #22
+fakeroot -- \
+    tar \
+        --numeric-owner \
+        --xattrs \
+        --acls \
+        --exclude-from=exclude \
+        -C "$BUILDDIR" \
+        -c . \
+        -f "$OUTPUTDIR/$GROUP.tar"
+
+cd "$OUTPUTDIR"
+zstd --long -T0 -8 "$GROUP.tar"
+sha256sum "$GROUP.tar.zst" > "$GROUP.tar.zst.SHA256"

sigstore-param-file.yaml

@@ -0,0 +1,6 @@
+fulcio:
+  fulcioURL: "https://fulcio.sigstore.dev"
+  oidcMode: "staticToken"
+  oidcIssuerURL: "https://gitlab.archlinux.org"
+  oidcIDToken: "TEMPLATE_OIDC_ID_TOKEN"
+rekorURL: "https://rekor.sigstore.dev"