ci: build minimal and standard images

.github/workflows/bake.yaml

@@ -0,0 +1,146 @@
+name: Bake images
+
+on:
+  schedule:
+    - cron: 0 8 * * 1
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        options:
+          - testing
+          - production
+        default: testing
+        description: "Choose the environment to bake the images for"
+
+jobs:
+  # Start by building images for testing. We want to run security checks before pushing those to production.
+  testbuild:
+    name: Build for testing
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      security-events: write
+    outputs:
+      metadata: ${{ steps.build.outputs.metadata }}
+      images: ${{ steps.images.outputs.images }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Log in to the GitHub Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # TODO: review this when GitHub has linux/arm64 runners available (Q1 2025?)
+      #   https://github.com/github/roadmap/issues/970
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: 'arm64'
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/bake-action@v6
+        id: build
+        env:
+          environment: testing
+          registry: ghcr.io/${{ github.repository_owner }}
+          revision: ${{ github.sha }}
+        with:
+          push: true
+
+      # Get a list of the images that were built and pushed. We only care about a single tag for each image.
+      - name: Generated images
+        id: images
+        run: |
+          echo "images=$(echo '${{ steps.build.outputs.metadata }}' | jq -c '[ .[]."image.name" | sub(",.*";"") ]')" >>  "$GITHUB_OUTPUT"
+
+  security:
+    name: Security checks
+    runs-on: ubuntu-latest
+    needs:
+      - testbuild
+    strategy:
+      matrix:
+        image: ${{fromJson(needs.testbuild.outputs.images)}}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Log in to the GitHub Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Dockle
+        uses: erzz/dockle-action@v1
+        with:
+          image: ${{ matrix.image }}
+          exit-code: '1'
+
+      - name: Snyk
+        uses: snyk/actions/docker@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: "${{ matrix.image }}"
+          args: --severity-threshold=high --file=Dockerfile
+
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        continue-on-error: true
+        with:
+          sarif_file: snyk.sarif
+
+  # Build the image for production.
+  #
+  # TODO: no need to rebuild everything, just copy the testing images we have generated to the production registry
+  #   if we get here and we are building for production.
+  prodbuild:
+    if: github.event.inputs.environment == 'production' || github.event_name == 'schedule'
+    name: Build for production
+    runs-on: ubuntu-latest
+    needs:
+      - security
+    permissions:
+      contents: read
+      packages: write
+      security-events: write
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Log in to the GitHub Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: 'arm64'
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/bake-action@v6
+        id: build
+        env:
+          environment: production
+          registry: ghcr.io/${{ github.repository_owner }}
+          revision: ${{ github.sha }}
+        with:
+          push: true

BUILD.md

@@ -0,0 +1,129 @@
+# Building PostgreSQL Container Images for CloudNativePG
+
+This guide outlines the process for building PostgreSQL operand images for
+CloudNativePG using [Docker Bake](https://docs.docker.com/build/bake/) and a
+[GitHub workflow](.github/workflows/bake.yaml).
+
+The central component of this framework is the
+[Bake file (`docker-bake.hcl`)](docker-bake.hcl).
+
+## Prerequisites
+
+Ensure the following tools and components are available before proceeding:
+
+1. [Docker Buildx](https://github.com/docker/buildx): A CLI plugin for advanced
+image building.
+2. Build Driver for Multi-Architecture Images: For example, `docker-container`
+(see [Build Drivers](https://docs.docker.com/build/builders/drivers/) and
+["Install QEMU Manually"](https://docs.docker.com/build/building/multi-platform/#install-qemu-manually)).
+3. [Distribution Registry](https://distribution.github.io/distribution/):
+Formerly known as Docker Registry, to host and manage the built images.
+
+### Verifying Requirements
+
+To confirm your environment is properly set up, run:
+
+```bash
+docker buildx bake --check
+```
+
+If errors appear, you may need to switch to a different build driver. For
+example, use the following commands to configure a `docker-container` build
+driver:
+
+```bash
+docker buildx create \
+  --name docker-container \
+  --driver docker-container \
+  --use \
+  --driver-opt network=host \
+  --bootstrap
+```
+
+> *Note:* The `--driver-opt network=host` setting is required only for testing
+> when you push to a distribution registry listening on `localhost`.
+
+> *Note:* This page is not intended to serve as a comprehensive guide for
+> building multi-architecture images with Docker and Bake. If you encounter any
+> issues, please refer to the resources listed above for detailed instructions
+> and troubleshooting.
+
+## Default Target
+
+The `default` target in Bake represents a Cartesian product of the following
+dimensions:
+
+- **Base Image**
+- **Type** (e.g. `minimal` or `standard`)
+- **Platforms**
+- **PostgreSQL Versions**
+
+## Building Images
+
+To build PostgreSQL images using the `default` target — that is, for all the
+combinations of base image, format, platforms, and PostgreSQL versions — run:
+
+```bash
+docker buildx bake --push
+```
+
+> *Note:* The `--push` flag is required to upload the images to the registry.
+> Without it, the images will remain cached within the builder container,
+> making testing impossible.
+
+If you want to limit the build to a specific combination, you can specify the
+target in the `VERSION-TYPE-BASE` format. For example, to build an image for
+PostgreSQL 17 with the `minimal` format on the `bookworm` base image:
+
+```bash
+docker buildx bake --push postgresql-17-minimal-bookworm
+```
+
+You can also limit the build to a single platform, for example AMD64, with:
+
+```bash
+docker buildx bake --push --set "*.platform=linux/amd64"
+```
+
+The two can be mixed as well:
+
+```bash
+docker buildx bake --push \
+  --set "*.platform=linux/amd64" \
+  postgresql-17-minimal-bookworm
+```
+
+## The Distribution Registry
+
+The images must be pushed to any registry server that complies with the **OCI
+Distribution Specification**.
+
+By default, the build process assumes a registry server running locally at
+`localhost:5000`. To use a different registry, set the `registry` environment
+variable when executing the `docker` command, as shown:
+
+```bash
+registry=<REGISTRY_URL> docker buildx ...
+```
+
+## Local Testing
+
+You can test the image-building process locally if you meet the necessary
+[prerequisites](prerequisites).
+
+To do this, you'll need a local registry server. If you don't already have one,
+you can deploy a temporary, disposable [distribution registry](https://distribution.github.io/distribution/about/deploying/)
+with the following command:
+
+```bash
+docker run -d --rm -p 5000:5000 --name registry registry:2
+```
+
+This command runs a lightweight, temporary instance of the `registry:2`
+container on port `5000`.
+
+## Trademarks
+
+*[Postgres, PostgreSQL and the Slonik Logo](https://www.postgresql.org/about/policies/trademarks/)
+are trademarks or registered trademarks of the PostgreSQL Community Association
+of Canada, and used with their permission.*

Dockerfile

@@ -0,0 +1,34 @@
+ARG BASE=debian:bookworm-slim
+FROM $BASE AS minimal
+
+ARG PG_VERSION
+ARG PG_MAJOR=${PG_VERSION%%.*}
+
+ENV PATH=$PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends postgresql-common ca-certificates gnupg && \
+    /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y && \
+    apt-get install -y --no-install-recommends -o Dpkg::::="--force-confdef" -o Dpkg::::="--force-confold" postgresql-common && \
+    sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf && \
+    apt-get install -y --no-install-recommends \
+      -o Dpkg::::="--force-confdef" -o Dpkg::::="--force-confold" "postgresql-${PG_MAJOR}=${PG_VERSION}*" && \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
+    rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
+
+RUN usermod -u 26 postgres
+USER 26
+
+
+FROM minimal AS standard
+
+USER root
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends locales-all \
+      "postgresql-${PG_MAJOR}-pgaudit" \
+      "postgresql-${PG_MAJOR}-pgvector" \
+      "postgresql-${PG_MAJOR}-pg-failover-slots" && \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
+    rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
+
+USER 26