ci: build and push Docker image based on Chainguard base image

[v1v]

What does this pull request do?

Release two flavours of Docker images:

• the one we always do
• the one based on Wolfi from Chainguard

Please note that we are going to preserve the current Dockerfile, so that users will still be able to build their own custom images based on Alpine: this is needed because docker.elastic.co/wolfi/chainguard-base is not a public base image, so docker build would fail for unauthenticated users.

Implementation details

I refactored the release workflow to have three different jobs that run sequentially:

• release job, as usual
• docker build - so it can use the matrix format for Dockerfile and Dockerfile.wolfi
• notification - so if any of the above jobs failed then a message will be sent.

Then, I created the Dockerfile.wolfi - the naming convention we agreed upon.

Tests

I created a feature branch test-wolfi:

• https://github.com/elastic/apm-agent-nodejs/tree/test-wolfi

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2bdb4ed1..7462b7b8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,7 +5,7 @@ on:
     tags:
       - v*.*.*
     branches:
-      - main
+      - test-wolfi
 
 permissions:
   contents: read
@@ -119,6 +119,8 @@ jobs:
             latest=auto
             suffix=${{ contains(matrix.dockerfile, 'wolfi') && '-wolfi' || '' }}
           tags: |
+            # test
+            type=raw,value=latest,prefix=test-,enable=${{ github.ref == format('refs/heads/{0}', 'test-wolfi') }}
             # "1.2.3" and "latest" Docker tags on push of git tag "v1.2.3"
             type=semver,pattern={{version}}
             # "edge" Docker tag on git push to default branch

Then I was able to test the release workflow without pushing any changes in production but generating docker images with the prefix test- and suffix if -wolfi.

See https://github.com/elastic/apm-agent-nodejs/actions/runs/9082550246

Docker images

The ones we usually release

See this line

Wolfi docker images

See this line

docker pull docker.elastic.co/observability/apm-agent-nodejs:test-latest-wolfi

Issues

Similar to elastic/apm-agent-python#2036
Requires #3998

Checklist

• Implement code
• Add tests
• Update TypeScript typings
• Update documentation
• Add CHANGELOG.asciidoc entry
• Commit message follows commit guidelines

[trentm]

Requires #3998

I'll wait until you've updated this PR after 3998 is merged before doing a final review.

[trentm]

I'm not sure of the value of using a matrix for the two Dockerfiles. I think it adds more complexity than it saves in a little duplication.

[trentm]

I'm not sure of the value of using a matrix for the two Dockerfiles. I think it adds more complexity than it saves in a little duplication.

Feel free to push back on that if you are using the same pattern in other repos.

[v1v]

Do you prefer something like this?

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 942b6e4e..76ddaa37 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -62,6 +62,7 @@ jobs:
         uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0  # v5.3.0
         with:
           context: .
+          file: 'Dockerfile'
           push: true
           tags: ${{ steps.docker-meta.outputs.tags }}
           labels: ${{ steps.docker-meta.outputs.labels }}
@@ -75,6 +76,39 @@ jobs:
           subject-digest: ${{ steps.docker-push.outputs.digest }}
           push-to-registry: true
 
+      - name: Extract metadata (tags, labels) (wolfi)
+        id: docker-meta-wolfi
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81  # v5.5.1
+        with:
+          images: ${{ env.DOCKER_IMAGE_NAME }}
+          flavor: |
+            latest=auto
+            suffix=-wolfi
+          tags: |
+            # "1.2.3" and "latest" Docker tags on push of git tag "v1.2.3"
+            type=semver,pattern={{version}}
+            # "edge" Docker tag on git push to default branch
+            type=edge
+
+      - name: Build and Push Docker Image (wolfi)
+        id: docker-push-wolfi
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0  # v5.3.0
+        with:
+          context: .
+          file: 'Dockerfile.wolfi'
+          push: true
+          tags: ${{ steps.docker-meta-wolfi.outputs.tags }}
+          labels: ${{ steps.docker-meta-wolfi.outputs.labels }}
+          build-args: |
+            AGENT_DIR=/build/dist/nodejs
+
+      - name: Attest Docker image (wolfi)
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-digest: ${{ steps.docker-push-wolfi.outputs.digest }}
+          push-to-registry: true
+
       - name: Read AWS vault secrets
         uses: hashicorp/vault-action@v3.0.0
         with:
diff --git a/Dockerfile.wolfi b/Dockerfile.wolfi
new file mode 100644
index 00000000..f0361904
--- /dev/null
+++ b/Dockerfile.wolfi
@@ -0,0 +1,3 @@
+FROM docker.elastic.co/wolfi/chainguard-base@sha256:9f940409f96296ef56140bcc4665c204dd499af4c32c96cc00e792558097c3f1
+ARG AGENT_DIR
+COPY ${AGENT_DIR} /opt/nodejs

Rather than the matrix approach?

[trentm]

Do you prefer something like this?

Yes. Personally I think that looks clearer. Are you already doing a matrix-based workflow for other APM repos?

[v1v]

Yes. Personally I think that looks clearer. Are you already doing a matrix-based workflow for other APM repos?

I did it for the APM Agent Python -> elastic/apm-agent-python#2036

But it's not merged yet and we can change it if needed.

Each agent has its own idiosyncrasy., I'm happy to change it if makes thing easier to read.

I'll apply the new changes now in this PR