From a39b742c34dd7fa724933bf69abf625587a12a6e Mon Sep 17 00:00:00 2001
From: Vibhav Bobade
Date: Mon, 16 Mar 2026 02:49:57 +0530
Subject: [PATCH] feat: add static base image build for Tekton Go binaries
Add apko-based build for a multi-arch static base image supporting amd64, arm64, s390x, and ppc64le. This replaces the dependency on cgr.dev/chainguard/static which is pinned to an EOL Alpine 3.18 digest and whose free tier dropped s390x/ppc64le support. The image contains CA certificates, timezone data, nsswitch.conf, and a nonroot user (UID 65532). A weekly GitHub Actions workflow rebuilds and publishes to ghcr.io/tektoncd/plumbing/static-base. All Tekton repos (pipeline, triggers, chains, results) can reference this as their defaultBaseImage in .ko.yaml. Related: tektoncd/pipeline#9557
---
 .../workflows/build-static-base-image.yaml | 46 +++++++++++++++++++ images/static-base/README.md | 44 ++++++++++++++++++ images/static-base/apko.yaml | 27 +++++++++++ 3 files changed, 117 insertions(+) create mode 100644 .github/workflows/build-static-base-image.yaml create mode 100644 images/static-base/README.md create mode 100644 images/static-base/apko.yaml
diff --git a/.github/workflows/build-static-base-image.yaml b/.github/workflows/build-static-base-image.yaml
new file mode 100644
index 000000000..b69d62b40
--- /dev/null
+++ b/.github/workflows/build-static-base-image.yaml
@@ -0,0 +1,46 @@
+name: Build static base image
+
+on:
+ schedule:
+ # Weekly on Monday at 06:00 UTC
+ - cron: '0 6 * * 1'
+ workflow_dispatch: {}
+ push:
+ branches: [main]
+ paths:
+ - 'images/static-base/**'
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ build-and-push:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install apko
+ uses: chainguard-dev/actions/setup-apko@main
+
+ - name: Login to GHCR
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and publish
+ run: |
+ apko publish images/static-base/apko.yaml \
+ ghcr.io/tektoncd/plumbing/static-base:latest
+
+ - name: Verify multi-arch
+ run: |
+ for arch in amd64 arm64 s390x ppc64le; do
+ echo "Checking ${arch}..."
+ docker manifest inspect ghcr.io/tektoncd/plumbing/static-base:latest \
+ | jq -e ".manifests[] | select(.platform.architecture == \"${arch}\")" \
+ || { echo "Missing architecture: ${arch}"; exit 1; }
+ done
+ echo "All 4 architectures present."
diff --git a/images/static-base/README.md b/images/static-base/README.md
new file mode 100644
index 000000000..6e167cad7
--- /dev/null
+++ b/images/static-base/README.md
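Review bot: The `Build and publish` step pushes straight to the mutable `:latest` tag and only afterwards does `Verify multi-arch` check the manifest, so a build that lost an architecture has already replaced the tag every consumer's `.ko.yaml` resolves by the time the job fails; publish to a unique tag first, run the manifest check against that, and only then move `:latest`, for example by passing both tags to the same command, `apko publish images/static-base/apko.yaml ghcr.io/tektoncd/plumbing/static-base:$(date -u +%Y%m%d) ghcr.io/tektoncd/plumbing/static-base:latest`, which also leaves an immutable tag consumers can pin by digest. `chainguard-dev/actions/setup-apko@main` is a mutable branch reference inside a job that holds `packages: write` for the base image of every Tekton binary, so whoever can push to that branch can alter what gets published; pin it, and the two tagged actions, to a full commit SHA, `uses: chainguard-dev/actions/setup-apko@<commit-sha>`. Nothing signs or attests the published image after the push; if consumers are meant to verify provenance, a signing step using the workflow's OIDC identity would additionally need `id-token: write` in `permissions`.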
@@ -0,0 +1,44 @@
+# Tekton Static Base Image
+
+Multi-arch static base image for all Tekton Go binaries. Built with
+[apko](https://github.com/chainguard-dev/apko) from Alpine packages.
+
+## Architectures
+
+amd64, arm64, s390x, ppc64le
+
+## Contents (~300KB per arch)
+
+| Content | Why |
+|---------|-----|
+| CA certificates | TLS connections |
+| Timezone data | `time.LoadLocation()` |
+| `/etc/passwd`, `/etc/group` | nonroot user (UID 65532) |
+| `/etc/nsswitch.conf` | DNS resolution |
+
+## Build locally
+
+```bash
+# Install apko: go install chainguard.dev/apko@latest
+apko build apko.yaml tekton-static-base:latest output.tar
+```
+
+## Publish
+
+```bash
+apko publish apko.yaml ghcr.io/tektoncd/plumbing/static-base:latest
+```
+
+## Consumers
+
+- `tektoncd/pipeline` (.ko.yaml defaultBaseImage)
+- `tektoncd/triggers` (.ko.yaml defaultBaseImage)
+- `tektoncd/chains` (.ko.yaml defaultBaseImage)
+- `tektoncd/results` (.ko.yaml defaultBaseImage)
+
+## Background
+
+See [tektoncd/pipeline#9557](https://github.com/tektoncd/pipeline/issues/9557)
+for the full proposal. The previous base image (`cgr.dev/chainguard/static`)
+was pinned to an EOL Alpine 3.18 digest since November 2023, and newer
+Chainguard free-tier images dropped s390x and ppc64le support.
diff --git a/images/static-base/apko.yaml b/images/static-base/apko.yaml
new file mode 100644
index 000000000..4516fed40
--- /dev/null
+++ b/images/static-base/apko.yaml
@@ -0,0 +1,27 @@
+contents:
+ repositories:
+ - https://dl-cdn.alpinelinux.org/alpine/v3.21/main
+ packages:
+ - ca-certificates-bundle
+ - tzdata
+ - alpine-baselayout-data
+
+accounts:
+ groups:
+ - groupname: nonroot
+ gid: 65532
+ users:
+ - username: nonroot
+ uid: 65532
+ gid: 65532
+ run-as: 65532
+
+archs:
+ - amd64
+ - arm64
+ - s390x
+ - ppc64le
+
+environment:
+ PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
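Review bot: `contents` in apko.yaml lists the `dl-cdn.alpinelinux.org` repository but no `keyring`, so unless apko supplies Alpine's package-signing keys on its own the APKINDEX and packages it downloads are not verified against any key this config controls; that is worth confirming against the apko version the workflow installs, and listing the Alpine key explicitly either way so the trust root is visible in the repo. The repository is fixed to `v3.21/main` with no package versions pinned, which recreates the situation this commit is replacing: once that Alpine branch reaches EOL the weekly rebuild keeps succeeding while `ca-certificates-bundle` and `tzdata` silently stop receiving updates, so a comment next to the repository line such as `# Alpine v3.21: bump before the branch EOL; after EOL the weekly rebuild still succeeds but CA/tzdata updates stop` would make the maintenance obligation visible. Having `run-as: 65532` as a numeric UID rather than the `nonroot` name is the right choice, since a numeric USER is what a `runAsNonRoot` pod security check can verify without consulting `/etc/passwd`.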