chore: adding backlog of additions

.forgejo/scripts/render-readme.py

@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 import os
 import yaml
+import subprocess
 import logging
 
 from jinja2 import Environment, PackageLoader, select_autoescape
@@ -14,7 +15,6 @@ repo_name = os.getenv("REPO_NAME") or os.getenv("GITHUB_REPOSITORY", "default_re
 
 env = Environment(loader=PackageLoader("render-readme"), autoescape=select_autoescape())
 
-
 def load_metadata(file_path):
     try:
         with open(file_path, "r") as f:
@@ -25,7 +25,6 @@ def load_metadata(file_path):
         logging.error(f"File {file_path} not found.")
     return None
 
-
 def process_metadata(apps_dir):
     app_images = []
     for subdir, _, files in os.walk(apps_dir):
@@ -36,7 +35,14 @@ def process_metadata(apps_dir):
         if not meta:
             continue  # Skip if metadata couldn't be loaded
 
-        # Iterate through the channels and build image metadata
+        dockerfile_path = os.path.join(subdir, "Dockerfile")
+        docker_labels = load_docker_labels(dockerfile_path)
+
+        # Compliance check and badge setting
+        goss_file = os.path.join(subdir, "ci", "goss.yaml")
+        print(goss_file)
+        badge = run_compliance_check(goss_file)
+
         for channel in meta.get("channels", []):
             name = (
                 meta["app"]
@@ -46,13 +52,71 @@ def process_metadata(apps_dir):
             image = {
                 "name": name,
                 "channel": channel["name"],
-                "html_url": f"https://code.252.no/{repo_owner}/pkgs/container/{name}",
+                "version": meta["version"],
+                "platforms": channel["platforms"],
+                "tests_enabled": channel["tests"]["enabled"],
+                "tests_type": channel["tests"]["type"],
+                "html_url": f"https://code.252.no/{repo_owner}/containers/{name}",
                 "owner": repo_owner,
+                "maintainer": docker_labels.get("maintainer"),
+                "description": docker_labels.get("org.opencontainers.image.description"),
+                "source": docker_labels.get("org.opencontainers.image.source"),
+                "vendor": docker_labels.get("org.opencontainers.image.vendor"),
+                "authors": docker_labels.get("org.opencontainers.image.authors"),
+                "badge": badge,
             }
             app_images.append(image)
-            logging.info(f"Added image {name} from channel {channel['name']}")
+            logging.info(f"Added image {name} from channel {channel['name']} with badge {badge}")
     return app_images
 
+def load_docker_labels(dockerfile_path):
+    labels = {}
+    try:
+        with open(dockerfile_path, "r") as f:
+            for line in f:
+                if line.startswith("LABEL"):
+                    label_parts = line.split("=", 1)
+                    if len(label_parts) == 2:
+                        key, value = label_parts
+                        key = key.replace("LABEL ", "").strip().replace("\"", "")
+                        value = value.strip().replace("\"", "")
+                        labels[key] = value
+    except FileNotFoundError:
+        logging.warning(f"Dockerfile {dockerfile_path} not found.")
+    return labels
+
+def run_compliance_check(goss_file, image_name):
+    """Run compliance test using dgoss and return appropriate badge path."""
+    if not os.path.exists(goss_file):
+        logging.warning(f"Compliance file {goss_file} not found.")
+        return "assets/build-failing-red.svg"  # Default to failing badge if no compliance file
+
+    # Set up the environment variables needed for dgoss
+    env = os.environ.copy()
+    env["CONTAINER_RUNTIME"] = "docker"
+    env["GOSS_FILE"] = goss_file
+    env["GOSS_OPTS"] = "--retry-timeout 60s --sleep 2s --color --format documentation"
+    env["GOSS_SLEEP"] = "2"
+    env["GOSS_FILES_STRATEGY"] = "cp"
+
+    print("Running dgoss with file:", goss_file, "on image:", image_name)
+    
+    # Run dgoss against the container image
+    result = subprocess.run(
+        ["dgoss", "run", image_name],
+        capture_output=True,
+        env=env,
+        shell=True  # Necessary to handle dgoss's internal shell scripts
+    )
+    output = result.stdout.decode()
+    print(output)  # Decode and print output for logging
+
+    if result.returncode == 0:
+        logging.info(f"Compliance check passed for {goss_file}")
+        return "assets/badges/build-passing-brightgreen.svg"
+    else:
+        logging.error(f"Compliance check failed for {goss_file}")
+        return "assets/build-failing-red.svg"
 
 if __name__ == "__main__":
     apps_dir = "./apps"

.forgejo/scripts/templates/README.org.j2

@@ -8,7 +8,7 @@
 #+BEGIN_EXPORT html
 <div align="center">
 <h1>Container Collection</h1>
-<h3>Containers for Kubernetes deployment_</h3>
+<h4>Images for Kubernetes deployments</h4>
 <img src="https://code.252.no/tommy/containers/raw/branch/main/assets/macchiato-palette.png" width="600" align="center"/>
 <p></p>
     <a href="https://nixos.wiki/wiki/Flakes" target="_blank">

.forgejo/workflows/build-images.yaml

@@ -0,0 +1,40 @@
+name: "Build and Push Images with Podman in Colima Using Custom Seccomp Profile"
+
+on:
+  push:
+    paths:
+    - 'apps/*/Dockerfile'
+  workflow_dispatch:
+
+jobs:
+  build-and-push:
+    name: Build and Push Images with Podman and Custom Seccomp Profile in Colima
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v4
+
+    - name: Install Podman Dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y podman slirp4netns fuse-overlayfs
+
+
+    - name: Build and Push Images with Custom Seccomp Profile
+      run: |
+        export REGISTRY_USER=$GITHUB_REPOSITORY_OWNER
+        export REGISTRY_PASS=$GITHUB_TOKEN
+        SEC_PROFILE=./podman-seccomp.json
+
+        for dockerfile in $(find ./apps -name Dockerfile); do
+          app_name=$(basename $(dirname $dockerfile))
+          image="code.252.no/tommy/containers/${app_name}:latest"
+
+          # Use the seccomp profile within Colima
+          sudo podman build --security-opt seccomp=unconfined --tls-verify=false -t $image -f $dockerfile
+          echo $REGISTRY_PASS | sudo podman login code.252.no -u $REGISTRY_USER --password-stdin
+          sudo podman push --security-opt seccomp=$SEC_PROFILE $image --tls-verify=false
+        done
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}

.forgejo/workflows/render-readme.yaml

@@ -25,7 +25,12 @@ jobs:
       shell: bash
       run: pip install -r ./.forgejo/scripts/requirements.txt && pip freeze
 
-    - name: Render README
+    - name: Install Goss
+      shell: bash
+      run: |
+        curl -fsSL https://goss.rocks/install | sh
+
+    - name: Run Compliance Tests and Render README
       env:
         GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
       shell: bash
@@ -40,4 +45,4 @@ jobs:
         git config --global user.email "tommy+forgejo@252.no"
         git add ./README.org
         git commit -m "chore: render README.org" || echo "No changes to commit"
-        git push https://x-access-token:${{ secrets.GITHUB_TOKEN }}@code.252.no/tommy/containers.git || echo "No changes to push"
+        #git push https://x-access-token:${{ secrets.GITHUB_TOKEN }}@code.252.no/tommy/containers.git || echo "No changes to push"

.taskfiles/docker.yaml

@@ -0,0 +1,20 @@
+version: "3"
+
+tasks:
+  create-image:
+    desc: Build local docker image (nixos-builder)
+    cmds:
+    - nerdctl build --platform linux/amd64 -t nixos-builder --no-cache apps/lix-builder
+
+  shell:
+    desc: Drop into a build shell
+    env:
+      app: "{{ .app }}"
+    cmds:
+    - nerdctl run -v "$(pwd)/apps/{{.app}}":/root/working-dir -w /root/working-dir --platform linux/amd64 -it nixos-builder -c "nix develop"
+
+  cache:
+    desc: Start an attic server
+    dir: "attic"
+    cmds:
+    - nerdctl run -it --rm --name=attic -p 8080:8080 -v ./config:/var/empty/.config/attic -v ./data:/var/empty/.local/share/attic docker.io/heywoodlh/attic

Taskfile.yaml

@@ -1,20 +1,14 @@
 version: "3"
 
 vars:
-  LABELS_CONFIG_FILE: '{{.ROOT_DIR}}/.github/labels.yaml'
+  PROJECT_DIR:
+    sh: "git rev-parse --show-toplevel"
+
+includes:
+  docker: .taskfiles/docker.yaml
 
 tasks:
   default:
-    cmd: task -l
     silent: true
-
-  append-app-labels:
-    desc: Append app labels to the labels config file
     cmds:
-    - for: {var: apps}
-      cmd: |
-        yq -i '. += [{"name": "app/{{.ITEM}}", "color": "0e8a16"}]' {{.LABELS_CONFIG_FILE}}
-    vars:
-      apps:
-        sh: for dir in {{.ROOT_DIR}}/apps/*/; do basename "${dir}"; done
-    silent: true
+    - task -l

apps/forgejo-runner/Dockerfile

@@ -1,7 +1,14 @@
 FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/tonistiigi/xx AS xx
-
 FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 as build-env
 
+LABEL maintainer="tommy@252.no"
+LABEL org.opencontainers.image.title="Forgejo Runner"
+LABEL org.opencontainers.image.description="Forgejo Runner for Kubernetes with minimal privileges"
+LABEL org.opencontainers.image.url="https://code.252.no/tommy/containers/forgejo-runner"
+LABEL org.opencontainers.image.source="https://code.252.no/tommy/containers"
+LABEL org.opencontainers.image.vendor="https://code.252.no/tommy"
+LABEL org.opencontainers.image.authors="tommy@252.no"
+
 #
 # Transparently cross compile for the target platform
 #
@@ -25,17 +32,6 @@ RUN apk add --no-cache git bash
 
 COPY --from=build-env /srv/forgejo-runner /bin/forgejo-runner
 
-LABEL maintainer="contact@forgejo.org" \
-      org.opencontainers.image.authors="Forgejo" \
-      org.opencontainers.image.url="https://forgejo.org" \
-      org.opencontainers.image.documentation="https://forgejo.org/docs/latest/admin/actions/#forgejo-runner" \
-      org.opencontainers.image.source="https://code.forgejo.org/forgejo/runner" \
-      org.opencontainers.image.version="${RELEASE_VERSION}" \
-      org.opencontainers.image.vendor="Forgejo" \
-      org.opencontainers.image.licenses="MIT" \
-      org.opencontainers.image.title="Forgejo Runner" \
-      org.opencontainers.image.description="A runner for Forgejo Actions."
-
 ENV HOME=/data
 
 USER 1000:1000

apps/forgejo-runner/ci/goss.yaml

@@ -1,4 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/goss-org/goss/master/docs/schema.yaml
-file:
-  /usr/bin/git:
-    exists: true

apps/forgejo-runner/metadata.yaml

@@ -1,5 +1,5 @@
 app: forgejo-runner
-versioning: calver
+version: 24.10.01
 channels:
 - name: stable
   platforms: ["linux/amd64"]

apps/kaniko/Dockerfile

@@ -0,0 +1,48 @@
+# Set the Alpine version for consistency
+ARG ALPINE_VERSION=3.20.3
+
+# First stage: Build Kaniko executor
+FROM alpine:${ALPINE_VERSION} AS kaniko-build
+
+# Install necessary tools
+RUN apk --update --no-cache add skopeo umoci
+
+# Set working directory
+WORKDIR /workdir-kaniko
+
+# Specify Kaniko version
+ARG KANIKO_VERSION=1.23.2
+
+# Copy Kaniko executor using skopeo
+RUN skopeo copy docker://gcr.io/kaniko-project/executor:v${KANIKO_VERSION} oci:kaniko:current
+
+# Unpack the Kaniko executor
+RUN umoci unpack --image kaniko:current unpacked
+
+# Second stage: Create the final image
+FROM alpine:${ALPINE_VERSION}
+
+# Add a non-root user with UID and GID 1001
+RUN addgroup -S kaniko -g 1001 && adduser -S kaniko -u 1001 -G kaniko
+
+# Create necessary directories and set ownership and permissions
+RUN mkdir -p /opt/kaniko /kaniko && \
+    chown -R kaniko:kaniko /opt/kaniko /kaniko && \
+    chmod -R 775 /opt/kaniko /kaniko
+
+# Copy the Kaniko executor from the build stage
+COPY --from=kaniko-build /workdir-kaniko/unpacked/rootfs/kaniko/executor /opt/kaniko/kaniko
+
+# Ensure the executor has the correct ownership and execute permissions
+RUN chown -R kaniko:kaniko /opt/kaniko/kaniko && \
+    chmod +x /opt/kaniko/kaniko
+
+# Set environment variables
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kaniko
+ENV DOCKER_CONFIG=/opt/kaniko/.docker/
+
+# Switch to the non-root user
+USER kaniko
+
+# Define the entrypoint
+ENTRYPOINT ["/opt/kaniko/kaniko"]

apps/kaniko/ci/latest.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+version=$(curl -sX GET "https://api.github.com/repos/actions/runner/releases/latest" | jq --raw-output '.tag_name')
+version="${version#*v}"
+version="${version#*release-}"
+printf "%s" "${version}"

apps/kaniko/metadata.yaml

@@ -0,0 +1,9 @@
+app: kaniko
+version: 24.10.01
+channels:
+- name: stable
+  platforms: ["linux/amd64"]
+  stable: false
+  tests:
+    enabled: true
+    type: cli

apps/kaniko/readme.org

@@ -0,0 +1,8 @@
+
+
+#+begin_src sh
+nerdctl build \
+  --platform linux/amd64 \
+  -t code.252.no/tommy/kaniko:v24.10.01 \
+  --output=type=image,name=code.252.no/tommy/kaniko:v24.10.01,push=true .
+#+end_src

apps/lix-builder/Dockerfile

@@ -0,0 +1,18 @@
+FROM nixos/nix:2.18.9
+
+LABEL maintainer="tommy@252.no"
+LABEL org.opencontainers.image.title="Nix Builder"
+LABEL org.opencontainers.image.description="Builder for Lix Flake and Snowfall environments"
+LABEL org.opencontainers.image.url="https://code.252.no/tommy/containers/lix-builder"
+LABEL org.opencontainers.image.source="https://code.252.no/tommy/containers"
+LABEL org.opencontainers.image.vendor="https://code.252.no/tommy"
+LABEL org.opencontainers.image.authors="tommy@252.no"
+
+WORKDIR /tmp/working-dir
+
+RUN echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
+RUN nix-channel --update
+
+RUN nix-env -iA nixpkgs.go nixpkgs.vim nixpkgs.sops nixpkgs.nix-direnv nixpkgs.attic-client nixpkgs.nh nixpkgs.deploy-rs nixpkgs.statix nixpkgs.deadnix nixpkgs.alejandra nixpkgs.home-manager nixpkgs.ssh-to-age nixpkgs.gnupg nixpkgs.age nixpkgs.linux nixpkgs.go-task nixpkgs.curl nixpkgs.fish nixpkgs.nixos-anywhere nixpkgs.slirp4netns nixpkgs.podman nixpkgs.podman-tui
+
+ENTRYPOINT ["fish"]

apps/lix-builder/flake.lock

@@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1730200266,
+        "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

apps/lix-builder/flake.nix

@@ -0,0 +1,88 @@
+{
+  description = "docker base images";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = { self, nixpkgs, flake-utils }:
+    let
+      system = "x86_64-linux";
+      pkgs = import nixpkgs { inherit system; };
+    in
+    {
+        packages = {
+          hello = pkgs.dockerTools.buildImage {
+            name = "hello-docker";
+            config = {
+              Cmd = [ "${pkgs.hello}/bin/hello" ];
+            };
+          };
+          flakes-action = pkgs.dockerTools.buildImageWithNixDb {
+            name = "code.252.no/tommy/flakes-action";
+            tag = "latest";
+            copyToRoot = pkgs.buildEnv {
+              name = "image-root";
+              pathsToLink = ["/bin" "/etc"];
+              ignoreCollisions = true;
+              paths = with pkgs; [
+                coreutils-full
+                docker
+                bash
+                cacert
+                coreutils
+                curl
+                gawk
+                gitFull
+                git-lfs
+                gnused
+                gnutar
+                gzip
+                nixVersions.stable
+                nodejs
+                openssh
+                sudo
+                wget
+                xz
+                zstd
+                (pkgs.writeTextFile {
+                  name = "nix.conf";
+                  destination = "/etc/nix/nix.conf";
+                  text = ''
+                    accept-flake-config = true
+                    experimental-features = nix-command flakes
+                  '';
+                })
+              ];
+            };
+
+            extraCommands = ''
+              # for /usr/bin/env
+              mkdir usr
+              ln -s ../bin usr/bin
+
+              # make sure /tmp exists
+              mkdir -m 1777 tmp
+
+              # need a HOME
+              mkdir -vp root
+            '';
+            config = {
+              Cmd = ["/bin/bash"];
+              Env = [
+                "NIX_PATH=nixpkgs=${nixpkgs}"
+                "LANG=en_GB.UTF-8"
+                "ENV=/etc/profile.d/nix.sh"
+                "BASH_ENV=/etc/profile.d/nix.sh"
+                "NIX_BUILD_SHELL=/bin/bash"
+                "PAGER=cat"
+                "PATH=/usr/bin:/bin"
+                "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+                "USER=root"
+              ];
+            };
+          };
+        };
+    };
+  }

apps/lix-builder/manifest.yaml

@@ -0,0 +1,102 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: builds
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/warn-version: latest
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/audit-version: latest
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: kaniko
+  namespace: builds
+spec:
+  securityContext:
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001
+    seccompProfile:
+      type: Unconfined
+  containers:
+  - name: kaniko
+    image: code.252.no/tommy/kaniko:v24.10.01@sha256:d51c3b5c468bb070108d9e27884072f8527f20c9e41e2133621c56f62f89afc0
+    resources:
+      limits:
+        cpu: 1000m
+        memory: 2Gi
+    command: ["/opt/kaniko/kaniko"]
+    args:
+    - --dockerfile=Dockerfile
+    #- --reproducible
+    - --context=/kaniko
+    - --custom-platform=linux/amd64
+    - --destination=code.252.no/tommy/lix-builder:v24.10.01
+    #- --dockerfile=Dockerfile
+    #- --reproducible
+    #- --kaniko-dir=/workspace/kaniko
+    #- --context=/workspace
+    #- --custom-platform=linux/amd64
+    #- --destination=code.252.no/tommy/lix-builder:v24.10.01
+    #- --cache=true
+    #- --compressed-caching=false
+    #- --use-new-run
+    #- --cleanup
+    volumeMounts:
+    # - name: workspace-dir
+    #   mountPath: /workspace
+    - name: docker-config
+      mountPath: /opt/kaniko/.docker/config.json
+      subPath: config.json
+    - name: dockerfile
+      mountPath: /kaniko/Dockerfile
+      subPath: Dockerfile
+    securityContext:
+      runAsUser: 1001
+      privileged: false
+      allowPrivilegeEscalation: false
+      runAsNonRoot: true
+      capabilities:
+        drop:
+        - ALL
+        add:
+        - CHOWN
+        - FOWNER
+        - DAC_OVERRIDE
+        - SYS_ADMIN
+  restartPolicy: Never
+  volumes:
+  # - name: workspace-dir
+  #   emptyDir: {}
+  - name: docker-config
+    secret:
+      secretName: tommy-pushsecret-rw
+      items:
+      - key: .dockerconfigjson
+        path: config.json
+  - name: dockerfile
+    configMap:
+      name: dockerfile
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dockerfile
+  namespace: builds
+data:
+  Dockerfile: |
+    FROM ghcr.io/lix-project/lix:2.91
+
+    WORKDIR /tmp/working-dir
+
+    RUN nix-env -iA nixpkgs.go nixpkgs.vim nixpkgs.sops nixpkgs.nix-direnv \
+                nixpkgs.attic-client nixpkgs.nh nixpkgs.deploy-rs nixpkgs.statix \
+                nixpkgs.deadnix nixpkgs.alejandra nixpkgs.home-manager \
+                nixpkgs.ssh-to-age nixpkgs.gnupg nixpkgs.age nixpkgs.linux \
+                nixpkgs.go-task nixpkgs.curl nixpkgs.fish nixpkgs.nixos-anywhere
+
+    ENTRYPOINT ["fish"]

apps/lix-builder/metadata.yaml

@@ -0,0 +1,9 @@
+app: lix-builder
+version: v24.10.01
+channels:
+- name: stable
+  platforms: ["linux/amd64"]
+  stable: false
+  tests:
+    enabled: true
+    type: cli

apps/lix-builder/nix.conf

@@ -0,0 +1,6 @@
+filter-syscalls = false
+experimental-features = nix-command flakes
+extra-platforms = x86_64-linux aarch64-linux
+build-users-group = nixbld
+trusted-users = root @admin @wheel vscode
+system-features = kvm big-parallel

assets/badges/build-failing-red.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="80" height="20" role="img" aria-label="build: failing"><title>build: failing</title><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="80" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="37" height="20" fill="#555"/><rect x="37" width="43" height="20" fill="#e05d44"/><rect width="80" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="195" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="270">build</text><text x="195" y="140" transform="scale(.1)" fill="#fff" textLength="270">build</text><text aria-hidden="true" x="575" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="330">failing</text><text x="575" y="140" transform="scale(.1)" fill="#fff" textLength="330">failing</text></g></svg>

assets/badges/build-passing-brightgreen.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="88" height="20" role="img" aria-label="build: passing"><title>build: passing</title><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="88" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="37" height="20" fill="#555"/><rect x="37" width="51" height="20" fill="#4c1"/><rect width="88" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="195" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="270">build</text><text x="195" y="140" transform="scale(.1)" fill="#fff" textLength="270">build</text><text aria-hidden="true" x="615" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="410">passing</text><text x="615" y="140" transform="scale(.1)" fill="#fff" textLength="410">passing</text></g></svg>

podman-seccomp.json

@@ -0,0 +1,25 @@
+{
+  "defaultAction": "SCMP_ACT_ALLOW",
+  "syscalls": [
+    {
+      "names": [
+        "keyctl",
+        "syslog",
+        "mknod",
+        "mknodat",
+        "pkey_mprotect",
+        "kexec_load",
+        "open_by_handle_at",
+        "init_module",
+        "finit_module",
+        "delete_module",
+        "bpf"
+      ],
+      "action": "SCMP_ACT_ERRNO",
+      "args": [],
+      "comment": "Deny potentially risky syscalls that could impact system integrity",
+      "includes": {},
+      "excludes": {}
+    }
+  ]
+}