Building packages & images

SecureBuild produces Alpine packages (APKs) and OCI container images from your source. Package builds feed an APK repository; image builds consume that repository and push to your registry. Use the guides below for each artifact type, and the self-hosted docs for where services run and how they are configured.

Using the public CVE0 APK repository

CVE0 hosts a public APK repository at https://apk.cve0.io. Set apk_repository / NEXT_PUBLIC_APK_REPOSITORY there when CVE0 is your default origin (see Configuration reference). In Melange and apko YAML, mirror that under repositories and keyring. Add another repository line plus the matching key URL when you also need packages from your private APK origin.

repositories:
  - https://apk.cve0.io
  - https://apk.example.com
keyring:
  - https://apk.cve0.io/key/cve0-signing.rsa.pub
  - https://apk.example.com/key/example-signing.rsa.pub

Worked Melange and apko examples are on the Packages and Images pages.

Bootstrapping your own APK repository (isolated from CVE0)

You can instead use only your own APK origin (for example https://apk.example.com) and keys you generate. Proxy, object storage, and signing keys are covered in Infrastructure and the configuration reference. There is no single recipe here; first packages depend on what you build.

• Melange pipeline steps often use runs: shell scripts—provide a POSIX shell and whatever tools those scripts need.
• BusyBox is a common minimal userspace (often wget and sh); bash is not a BusyBox applet—add it as its own package if required.
• Building from source usually declares build dependencies in the recipe (for example a C toolchain when compiling C/C++).

Guides

• Packages— how APK packages are produced, published to your APK repository, and used by image builds.
• Images— how container images are built, pushed to an OCI registry, and verified by consumers.

Related

• How It Works — detection, rebuild, and delivery at a high level.
• Infrastructure — OCI registry, APK HTTP proxy, object storage, and build backends.
• Configuration reference — Param and app environment variables.