Skip to content

Giskard-AI/docker-images

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

157 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

docker-images

This repository builds and publishes Giskard-maintained Python Docker images.

Python Images

Images are published to quay.io/giskard/python.

Supported Python versions are 3.12, 3.13, and 3.14. For each version, the publish workflow creates dev and runtime variants:

  • default minor variant tags, for example 3.13-dev and 3.13-runtime, based on Ubuntu 24.04
  • default patch variant tags, for example 3.13.13-dev and 3.13.13-runtime, based on Ubuntu 24.04
  • default platform variant tags, for example 3.13-dev-ubuntu-latest and 3.13-runtime-runner-ubuntu24-arm64
  • Ubuntu-specific minor variant tags, for example 3.13-dev-ubuntu24.04 and 3.13-runtime-ubuntu26.04
  • Ubuntu-specific patch variant tags, for example 3.13.13-dev-ubuntu24.04 and 3.13.13-runtime-ubuntu26.04
  • Ubuntu-specific platform variant tags, for example 3.13-dev-ubuntu26.04-ubuntu-latest and 3.13-runtime-ubuntu26.04-runner-ubuntu24-arm64

Dockerfiles are generated by python/generate_dockerfile.sh into Ubuntu-specific folders. Ubuntu 24.04 uses the docker-library/python slim-bookworm fragment, and Ubuntu 26.04 uses the slim-trixie fragment. Ubuntu base image digests and fragment choices are tracked in python/base-images.json.

Update Flow

The scheduled Update python dockerfile workflow refreshes the pinned ubuntu:24.04 and ubuntu:26.04 digests in python/base-images.json, regenerates Ubuntu-specific Python Dockerfiles, then opens or updates the cron-python-update pull request.

After generated Dockerfile changes land on main, the Publish the images workflow builds the 3.12, 3.13, and 3.14 dev and runtime images for both configured Ubuntu bases and both configured platform runners, then publishes multi-platform manifests to Quay. Existing non-Ubuntu-specific variant tags continue to point at the Ubuntu 24.04 images for compatibility.

Published Image Metadata

Final Quay images are published with Sigstore/cosign keyless signatures, SPDX JSON SBOM attestations, and GitHub build provenance. The publish workflow resolves each final multi-platform manifest digest, signs that immutable digest, attaches one SBOM attestation for each platform child manifest, and publishes GitHub provenance for the same final digest.

SBOMs are generated from the pushed image digests. This includes runtime images, even though they are built FROM scratch: Syft scans the final runtime filesystem by digest, so the SBOM describes only files copied into the runtime image and does not reuse the dev image SBOM.

Quay can show attached cosign and provenance metadata as sha256-... entries in the tag list. Those entries are OCI signature or attestation artifacts attached to the image digest, not additional runnable Python image tags. To limit Quay metadata noise, the workflow signs and attests the resolved digest once for each final manifest rather than signing every alias tag that points at that digest.

Verify a published image with:

cosign verify \
  --certificate-identity-regexp '^https://github\.com/Giskard-AI/docker-images/\.github/workflows/python\.yml@refs/heads/main$' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  quay.io/giskard/python:3.13-dev

Verify attached SPDX SBOM attestations with:

cosign verify-attestation \
  --type spdxjson \
  --certificate-identity-regexp '^https://github\.com/Giskard-AI/docker-images/\.github/workflows/python\.yml@refs/heads/main$' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  quay.io/giskard/python:3.13-dev

About

No description, website, or topics provided.

Resources

License

Stars

0 stars

Watchers

2 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages