https://github.com/juburr/melange-orb
A simple CircleCI orb to install Chainguard's melange tool and use it to build packages for distroless container images.
apk chainguard circleci circleci-orbs container-builder containers melange package-builder
Last synced: 5 months ago
- Host: GitHub
- URL: https://github.com/juburr/melange-orb
- Owner: juburr
- License: mit
- Created: 2024-08-14T16:20:40.000Z (almost 2 years ago)
- Default Branch: master
- Last Pushed: 2025-08-24T13:33:00.000Z (9 months ago)
- Last Synced: 2025-08-24T18:26:32.609Z (9 months ago)
- Topics: apk, chainguard, circleci, circleci-orbs, container-builder, containers, melange, package-builder
- Language: Shell
- Size: 359 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# CircleCI Melange Orb
An orb for simplifying Melange installation and use within CircleCI.
This is an unofficial Melange orb used for installing Melange in your CircleCI pipeline to build packages for distroless container images. Contributions are welcome!
## Features
### **Secure By Design**
- **Least Privilege**: Installs to a user-owned directory by default, with no `sudo` usage anywhere in this orb.
- **Integrity**: Checksum validation of all downloaded binaries using SHA-512.
- **Provenance**: Installs directly from Melange's official [releases page](https://github.com/chainguard-dev/melange/releases/) on GitHub. No third-party websites, domains, or proxies are used.
- **Confidentiality**: All secrets and environment variables are handled in accordance with CircleCI's [security recommendations](https://circleci.com/docs/security-recommendations/) and [best practices](https://circleci.com/docs/orbs-best-practices/).
- **Privacy**: No usage data of any kind is collected or shipped back to the orb developer.
Info for security teams:
- Required external access to allow, if running a locked-down, self-hosted CircleCI pipeline on-prem:
  - `github.com`: For download and installation of the Melange tool.