{"id":35206269,"url":"https://github.com/lorenzobiosa/container-toolchain","last_synced_at":"2026-01-13T21:41:09.866Z","repository":{"id":331035793,"uuid":"1124628174","full_name":"lorenzobiosa/container-toolchain","owner":"lorenzobiosa","description":"Container Toolchain is a UBI-based builder for compiling multi-arch (amd64/arm64) CLI tools in containers. It includes an ARM64 sysroot, cross-compilation with Clang/LLD, ccache, reproducible CI, signed releases (Cosign/GPG), SBOM, and SLSA provenance. Compatible with Podman/Docker.","archived":false,"fork":false,"pushed_at":"2026-01-12T18:36:25.000Z","size":234,"stargazers_count":2,"open_issues_count":4,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-01-12T19:27:50.197Z","etag":null,"topics":["amd64","arm64","builder","ccache","container","cosign","cross-compile","cross-platform","docker","gpg-signature","kubernetes","multi-arch","openshift","podman","provenance","sbom","supply-chain-security","toolchain","ubi"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lorenzobiosa.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["lorenzobiosa"],"patreon":"lorenzobiosa"}},"created_at":"2025-12-29T10:40:12.000Z","updated_at":"2026-01-12T18:36:28.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/lore
nzobiosa/container-toolchain","commit_stats":null,"previous_names":["lorenzobiosa/container-toolchain"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/lorenzobiosa/container-toolchain","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lorenzobiosa%2Fcontainer-toolchain","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lorenzobiosa%2Fcontainer-toolchain/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lorenzobiosa%2Fcontainer-toolchain/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lorenzobiosa%2Fcontainer-toolchain/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lorenzobiosa","download_url":"https://codeload.github.com/lorenzobiosa/container-toolchain/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lorenzobiosa%2Fcontainer-toolchain/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28401048,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-13T14:36:09.778Z","status":"ssl_error","status_checked_at":"2026-01-13T14:35:19.697Z","response_time":56,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["amd64","arm64","builder","ccache","container","cosign","cross-compile","cross-platform","docker","gpg-signature","kubernetes","multi-arch","openshift","podman","provenance","sbom","supply-chain-security","toolchain","ubi"],"created_at":"2025-12-29T14:25:01.067Z","updated_at":"2026-01-13T21:41:09.857Z","avatar_url":"https://github.com/lorenzobiosa.png","language":"Shell","funding_links":["https://github.com/sponsors/lorenzobiosa","https://patreon.com/lorenzobiosa"],"categories":[],"sub_categories":[],"readme":"# UBI-9 Multi-Architecture Builder Toolchain\n\n[![CI – Build \u0026 Release](https://github.com/lorenzobiosa/container-toolchain/actions/workflows/build-toolchain.yml/badge.svg)](https://github.com/lorenzobiosa/container-toolchain/actions/workflows/build-toolchain.yml)\n[![Auto-Update Bot](https://github.com/lorenzobiosa/container-toolchain/actions/workflows/auto-update.yml/badge.svg)](https://github.com/lorenzobiosa/container-toolchain/actions/workflows/auto-update.yml)\n[![Latest Release](https://img.shields.io/github/v/release/lorenzobiosa/container-toolchain?sort=semver)](https://github.com/lorenzobiosa/container-toolchain/releases)\n[![Architectures](https://img.shields.io/badge/arch-amd64%20%7C%20arm64-blue)](#)\n[![SBOM](https://img.shields.io/badge/SBOM-SPDX-green)](#)\n[![Signatures](https://img.shields.io/badge/signatures-Cosign%20%2B%20GPG-success)](#)\n[![License](https://img.shields.io/github/license/lorenzobiosa/container-toolchain)](LICENSE)\n\n## Executive 
Summary\n\nThis project provides a **high-performance, enterprise-grade build system** based on **Red Hat UBI 9** for producing **deterministic, reproducible, cross-architecture packages and container images** for **amd64** and **arm64**.\n\nA core design principle is that **all packages are built from source**, allowing the resulting **Docker/Podman images** to be constructed with **fully controlled, minimal, and auditable software components**, resulting in a supply chain that **drastically reduces vulnerability exposure** and, in practice, approaches **zero known vulnerabilities** at image creation time.\n\nIt delivers:\n\n*   **\\~10 minutes** to build the complete builder toolchain image\n*   **\\~5 minutes** to produce multi-architecture packages\n*   Source-based package compilation for **clean, minimal, low-vulnerability images**\n*   Fully automated **CI/CD**, **artifact signing**, and **verification**\n*   Strong security and governance controls\n*   Production-ready workflows suitable for regulated and enterprise environments\n\nThe system is optimized for **speed, correctness, reproducibility, and security**.\n\n---\n\n## Key Capabilities\n\n| Capability                | Description                                                                      |\n| ------------------------- | -------------------------------------------------------------------------------- |\n| Cross-Architecture Builds | Native support for **amd64** and **arm64** from the same toolchain               |\n| High Performance          | **Builder image \\~10 min**, **multi-arch packages \\~5 min**                      |\n| Source-Based Packages     | All packages compiled from source for maximal control and minimal attack surface |\n| Low-Vulnerability Images  | Resulting container images typically approach **zero known vulnerabilities**     |\n| Enterprise Base           | Built on **Red Hat UBI 9**                                                       |\n| Reproducible Toolchain    | 
Deterministic tool versions and build layers                                     |\n| Security First            | Signed artifacts, verification pipeline, security scanning                       |\n| Fully Automated           | CI/CD from source → release without manual steps                                 |\n| Production Governance     | Policy enforcement, dependency automation, compliance ready                      |\n\n---\n\n## System Architecture (High Level)\n\n```mermaid\n---\nconfig:\n  layout: elk\n---\nflowchart LR\n    A[\"Source Code \u0026 Package Sources\"] --\u003e B[\"GitHub Actions CI\"]\n    B --\u003e C[\"UBI-9 Builder Toolchain Image (~10 min)\"]\n    C --\u003e D[\"Source-Based Package Compilation\"]\n    D --\u003e E[\"Multi-Architecture Packages (~5 min)\"]\n    E --\u003e F[\"Docker / Podman Image Assembly\"]\n    F --\u003e G[\"Artifact Signing \u0026 Verification\"]\n    G --\u003e H[\"Release Publication\"]\n```\n\nAll runtime images are assembled exclusively from packages produced by this pipeline, enabling strict control over every component that enters production.\n\n---\n\n## Why This Project Exists\n\nTraditional build systems struggle with:\n\n*   Long build times for multi-architecture artifacts\n*   Reliance on prebuilt binaries with opaque provenance\n*   Non-reproducible results across environments\n*   Weak supply-chain security and large vulnerability surfaces\n\nThis project solves those problems by combining:\n\n*   **UBI-9 enterprise base image**\n*   Highly optimized build layers\n*   Deterministic, pinned toolchain configuration\n*   Full source-based package compilation\n*   End-to-end automation of the build → image → release lifecycle\n\nThe result is a system capable of producing **fast, reproducible, auditable, and extremely low-vulnerability container images**.\n\n---\n\n## Repository Structure (Key Areas)\n\n| Path                | Responsibility                                   |\n| ------------------- | 
------------------------------------------------ |\n| `/build`            | Builder image definitions and toolchain assembly |\n| `/scripts/dev`      | Local developer build workflows                  |\n| `/scripts/release`  | Artifact signing and verification                |\n| `.github/workflows` | CI/CD pipelines and governance                   |\n| `/docs`             | Complete system documentation                    |\n\n---\n\n## Quick Start\n\n### Prerequisites\n\n*   Linux host with: `git`, `jq`, `make`, `gcc`, `g++`, `tar`, `xz`, `gzip`\n*   For **arm64** builds: `clang`, `ld.lld`\n*   `go` preinstalled (or provided by builder image)\n*   For signing/verifying: `cosign`, `syft`, `gpg`\n\n### Build Packages\n\n**Build for amd64:**\n\n```bash\n./build-tools.sh linux amd64\n# Output: /out/tools-linux-amd64.tar.gz\n```\n\n**Build for arm64 (cross-build):**\n\n```bash\n./build-tools.sh linux arm64\n# Output: /out/tools-linux-arm64.tar.gz\n```\n\nBoth builds run smoke tests and validate architecture and permissions.\n\n### Sign \u0026 Verify Artifacts\n\n**Keyful (BYOK) Example:**\n\n```bash\nexport OUT_DIR=out\nexport GPG_PRIVATE_KEY=\"$(cat ~/.gnupg/private.key)\"\nexport GPG_KEY_ID=\"YOUR-GPG-KEY-ID\"\nexport COSIGN_PRIVATE_KEY=\"$(cat cosign.key)\"\n./sign-and-verify.sh --out-dir \"$OUT_DIR\" --tag v1.0.0\n```\n\n**Keyless (Fulcio/OIDC) Example:**\n\n```bash\nexport OUT_DIR=out\nexport GPG_PRIVATE_KEY=\"$(cat ~/.gnupg/private.key)\"\nexport GPG_KEY_ID=\"YOUR-GPG-KEY-ID\"\nexport COSIGN_CERT_OIDC_ISSUER=\"https://token.actions.githubusercontent.com\"\nexport COSIGN_CERT_IDENTITY=\"your-identity-string-or-regex\"\n./sign-and-verify.sh --out-dir \"$OUT_DIR\" --tag v1.0.0\n```\n\nArtifacts produced:  \n`tools-linux-amd64.tar.gz`, `tools-linux-arm64.tar.gz`, `SHA256SUMS`, `sbom.spdx.json`, `*.cosign.bundle`, `*.tar.gz.asc`, `SHA256SUMS.asc`\n\n### Version Pinning\n\nEdit `/build/config/tool-versions.json` to pin versions for `kubectl`, `oc`, `rancher`, `go`, 
`fulcio`. Example:\n\n```json\n{\n  \"kubectl\": \"v1.35.0\",\n  \"oc\": \"release-4.23\",\n  \"rancher\": \"v2.13.1\",\n  \"go\": \"1.25.5\",\n  \"fulcio\": \"v1.8.4\"\n}\n```\n\nAll builds use these pins for reproducibility and security.\n\n---\n\n## Enterprise Guarantees\n\n*   **Reproducible builds**\n*   **Cryptographically verified artifacts**\n*   **Deterministic toolchain versions**\n*   **Source-based package provenance**\n*   **Cross-architecture parity**\n*   **Extremely low vulnerability container images**\n*   **Strong CI/CD governance**\n*   **Production auditability**\n\n---\n\n## Documentation\n\nComprehensive documentation is available in the `/docs` directory:\n\n*   Architecture\n*   Build system internals\n*   Toolchain design\n*   CI/CD lifecycle\n*   Security model\n*   Release engineering\n*   Performance guarantees\n*   Operational guidance\n*   Governance \u0026 compliance\n\n---\n\n## Target Users\n\n*   Platform \u0026 Infrastructure Teams\n*   DevOps \u0026 SRE organizations\n*   Enterprise Software Producers\n*   Security \u0026 Compliance Teams\n*   Organizations requiring fast, reproducible, multi-architecture builds with minimal vulnerability exposure\n\n---\n\n## License \u0026 Governance\n\nThis project follows strict governance, security, and contribution controls suitable for enterprise adoption.\n\n---\n\n**This project establishes a new baseline for secure, high-performance, enterprise-grade multi-architecture build pipelines and low-vulnerability container image production.**\n\n---\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Florenzobiosa%2Fcontainer-toolchain","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Florenzobiosa%2Fcontainer-toolchain","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Florenzobiosa%2Fcontainer-toolchain/lists"}