SecureBuild

Building packages (APK)

Package builds run Melange and produce Alpine APKs. Those artifacts are published to an APK repository your deployment serves; image builds and other consumers install from that repository using the configured URL and trust keys.

APK repository

Built packages and indexes are stored in object storage; the APK HTTP proxy serves them over HTTP and signs indexes with your RSA key. End users and build steps point apk_repository (and the app's public APK URL) at that HTTP origin. See Infrastructure for the APK proxy, buckets, and signing key material.

Who consumes packages

  • Image builds — Container definitions install packages from your APK repository so images ship the versions SecureBuild built and indexed.
  • Other package builds — A Melange build can depend on APKs already published in your repository (for example under environment.contents.packages), so one package build consumes the outputs of another.

Configuration

YAML and environment variables for APK URLs, key names, and proxy behavior are listed in the configuration reference. For OpenSSL steps to generate signing keys, see Infrastructure — Generate a key pair.

Package (Melange)

Example recipe for gosu: the build environment pulls busybox, go, and supporting packages from that repository, then checks out upstream source and runs go/build (see Building overview for repositories / keyring):

package:
  name: gosu-1.19
  version: "1.19"
  epoch: 0
  description: Simple Go-based setuid+setgid+setgroups+exec
  dependencies:
    provides:
      - gosu=${{package.full-version}}

environment:
  contents:
    repositories:
      - https://apk.cve0.io
    keyring:
      - https://apk.cve0.io/key/cve0-signing.rsa.pub
    packages:
      - busybox
      - ca-certificates-bundle
      - go
      - git
  environment:
    GOPROXY: 'https://proxy.golang.org,direct'
    GOSUMDB: 'sum.golang.org'

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/tianon/gosu
      tag: ${{package.version}}
      expected-commit: 6456aaa0f3c854d199d0f037f068eb97515b7513

  - uses: go/build
    with:
      packages: .
      output: gosu

  - uses: strip
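
The recipe above depends on a few settings for its supply-chain integrity: HTTPS repository and keyring URLs, an expected-commit next to the tag, and an enabled Go checksum database. The following lint is an added example, not SecureBuild or Melange code. The names lint_recipe, FULL_SHA1 and GOSU are hypothetical, and it assumes the recipe has already been parsed into a dict by a YAML loader.

```python
import re

FULL_SHA1 = re.compile(r"^[0-9a-f]{40}$")

def lint_recipe(recipe: dict) -> list:
    """Return supply-chain findings for a parsed Melange recipe ([] means clean)."""
    findings = []
    env = recipe.get("environment") or {}
    contents = env.get("contents") or {}
    repos = contents.get("repositories") or []
    keys = contents.get("keyring") or []
    # Packages and the keys that authenticate them should not travel over plain HTTP.
    for url in repos + keys:
        if str(url).lower().startswith("http://"):
            findings.append(f"plain-HTTP source: {url}")
    # Without a keyring entry the signed index cannot be checked against a trusted key.
    if repos and not keys:
        findings.append("repositories listed but keyring is empty")
    # A tag can be moved upstream; expected-commit pins the checkout to one commit.
    for step in recipe.get("pipeline") or []:
        if step.get("uses") == "git-checkout":
            args = step.get("with") or {}
            if not FULL_SHA1.match(str(args.get("expected-commit", ""))):
                findings.append(f"unpinned git-checkout: {args.get('repository')}")
    # GOSUMDB=off or a GONOSUMDB pattern skips the Go checksum database.
    goenv = env.get("environment") or {}
    if str(goenv.get("GOSUMDB", "")).lower() == "off" or goenv.get("GONOSUMDB"):
        findings.append("Go checksum database bypassed")
    return findings

# Constructed input: the gosu recipe from this page as a YAML loader would return it,
# trimmed to the fields the lint reads (tag shown after ${{package.version}} substitution).
GOSU = {
    "environment": {
        "contents": {
            "repositories": ["https://apk.cve0.io"],
            "keyring": ["https://apk.cve0.io/key/cve0-signing.rsa.pub"],
        },
        "environment": {"GOPROXY": "https://proxy.golang.org,direct", "GOSUMDB": "sum.golang.org"},
    },
    "pipeline": [
        {"uses": "git-checkout", "with": {
            "repository": "https://github.com/tianon/gosu", "tag": "1.19",
            "expected-commit": "6456aaa0f3c854d199d0f037f068eb97515b7513"}},
    ],
}

if __name__ == "__main__":
    print(lint_recipe(GOSU) or "no findings")
```

Run as a pre-merge check, a non-empty result marks a recipe that weakens one of these pins before it reaches a build.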

Next: images

After packages are available in the repository, image builds pull them as needed. Read Building container images for registry push and verification.
