fix: add cgr.dev into known www_authenticate schemes

.bazelrc

@@ -1,6 +1,7 @@
 # Bazel settings that apply to this repository.
 # Take care to document any settings that you expect users to apply.
 # Settings that apply only to CI are in .github/workflows/ci.bazelrc
+common --enable_bzlmod
 
 build --incompatible_strict_action_env
 build --nolegacy_external_runfiles

MODULE.bazel

@@ -9,6 +9,7 @@ module(
 bazel_dep(name = "aspect_bazel_lib", version = "1.30.2")
 bazel_dep(name = "bazel_skylib", version = "1.4.1")
 bazel_dep(name = "platforms", version = "0.0.5")
+bazel_dep(name = "rules_go", version = "0.38.1")
 
 oci = use_extension("//oci:extensions.bzl", "oci")
 oci.toolchains(crane_version = "v0.14.0")
@@ -19,3 +20,22 @@ register_toolchains("@oci_crane_toolchains//:all", "@oci_crane_registry_toolchai
 bazel_dep(name = "rules_pkg", version = "0.7.0", dev_dependency = True)
 bazel_dep(name = "gazelle", version = "0.29.0", repo_name = "bazel_gazelle", dev_dependency = True)
 bazel_dep(name = "bazel_skylib_gazelle_plugin", version = "1.4.1", dev_dependency = True)
+
+bazel_dep(name = "rules_jvm_external", version = "4.5")
+
+
+# Java and other JVM languages:
+# https://github.com/bazelbuild/rules_jvm_external/blob/master/examples/bzlmod/MODULE.bazel
+# https://github.com/bazelbuild/rules_jvm_external#pinning-artifacts-and-integration-with-bazels-downloader
+maven = use_extension("@rules_jvm_external//:extensions.bzl", "maven")
+
+maven.install(
+    artifacts = ["io.grpc:grpc-all:1.51.1"],
+    lock_file = "//:maven_install.json",
+)
+
+use_repo(
+    maven,
+    "maven",
+    "unpinned_maven",
+)

README.md

@@ -1,6 +1,11 @@
-# Bazel rules for OCI containers
-
-This is a "barebones" alternative to [rules_docker](https://github.com/bazelbuild/rules_docker).
+Experimental fork of `rules_oci` with support for Chainguard Images.
+
+- Has upstream PRs included to address authentication issues: 
+   - https://github.com/bazel-contrib/rules_oci/pull/237
+   - https://github.com/bazel-contrib/rules_oci/pull/238
+- Contains Go & Java examples - see `examples/`
+  - Also has `distroless` targets for comparison
+- `fetch.bzl` knows about example base images, such as `@chainguard_static`
 
 We start from first principles and avoided some pitfalls we learned in maintaining that repo:
 

WORKSPACE

@@ -17,7 +17,7 @@ load("//oci:repositories.bzl", "LATEST_CRANE_VERSION", "LATEST_ZOT_VERSION", "oc
 oci_register_toolchains(
     name = "oci",
     crane_version = LATEST_CRANE_VERSION,
-    zot_version = LATEST_ZOT_VERSION,
+#    zot_version = LATEST_ZOT_VERSION,
 )
 
 load("//cosign:repositories.bzl", "cosign_register_toolchains")

examples/go/.bazelrc

@@ -0,0 +1 @@
+common --enable_bzlmod

examples/go/.bazelversion

@@ -0,0 +1 @@
+6.1.2

examples/go/.gitignore

@@ -0,0 +1,2 @@
+node_modules
+bazel-*

examples/go/BUILD.bazel

@@ -0,0 +1,113 @@
+load("//oci:defs.bzl", "oci_image", "oci_tarball")
+load("@rules_pkg//:pkg.bzl", "pkg_tar")
+load("@aspect_bazel_lib//lib:testing.bzl", "assert_contains")
+load(":transition.bzl", "multi_arch")
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+
+go_library(
+    name = "app_lib",
+    srcs = ["main.go"],
+    importpath = "example.com/custom_registry/app",
+    visibility = ["//visibility:private"],
+    deps = ["@com_github_google_go_cmp//cmp"],
+)
+
+go_binary(
+    name = "app",
+    embed = [":app_lib"],
+    visibility = ["//visibility:public"],
+)
+
+pkg_tar(
+    name = "app_layer",
+    srcs = [":app"],
+    # If the binary depends on RUNFILES, uncomment the attribute below.
+    # include_runfiles = True
+)
+
+# distroless demo (static) ##############################################################
+oci_image(
+    name = "distroless_static_image",
+    base = "@distroless_static",
+    entrypoint = ["/app"],
+    tars = [":app_layer"],
+)
+
+# bazel build :distroless_static_tar
+# docker load --input ../../bazel-bin/examples/go/distroless_static_tar/tarball.tar  
+# docker run --rm distroless_static:example
+oci_tarball(
+    name = "distroless_static_tar",
+    image = ":distroless_static_image",
+    repo_tags = ["distroless_static:example"],
+)
+
+# distroless demo (dynamic) ##############################################################
+oci_image(
+    name = "distroless_dynamic_image",
+    base = "@distroless_base_nossl",
+    entrypoint = ["/app"],
+    tars = [":app_layer"],
+)
+
+# bazel build :distroless_dynamic_tar
+# docker load --input ../../bazel-bin/examples/go/distroless_dynamic_tar/tarball.tar  
+# docker run --rm distroless_dynamic:example
+oci_tarball(
+    name = "distroless_dynamic_tar",
+    image = ":distroless_dynamic_image",
+    repo_tags = ["distroless_dynamic:example"],
+)
+
+# chainguard demo (static) ##############################################################
+oci_image(
+    name = "chainguard_static_image",
+    base = "@chainguard_static",
+    entrypoint = ["/app"],
+    tars = [":app_layer"],
+)
+
+# bazel build :chainguard_static_tar
+# docker load --input ../../bazel-bin/examples/go/chainguard_static_tar/tarball.tar  
+# docker run --rm chainguard_static:example
+oci_tarball(
+    name = "chainguard_static_tar",
+    image = ":chainguard_static_image",
+    repo_tags = ["chainguard_static:example"],
+)
+
+
+# chainguard demo (dynamic musl) ##############################################################
+oci_image(
+    name = "chainguard_musl_dynamic_image",
+    base = "@chainguard_musl_dynamic",
+    entrypoint = ["/app"],
+    tars = [":app_layer"],
+)
+
+# bazel build :chainguard_dynamic_tar
+# docker load --input ../../bazel-bin/examples/go/chainguard_musl_dynamic_tar/tarball.tar  
+# docker run --rm chainguard_musl_dynamic:example
+oci_tarball(
+    name = "chainguard_musl_dynamic_tar",
+    image = ":chainguard_musl_dynamic_image",
+    repo_tags = ["chainguard_musl_dynamic:example"],
+)
+
+# chainguard demo (dynamic glibc) ##############################################################
+oci_image(
+    name = "chainguard_glibc_dynamic_image",
+    base = "@chainguard_glibc_dynamic",
+    entrypoint = ["/app"],
+    tars = [":app_layer"],
+)
+
+# bazel build :chainguard_glibc_dynamic_tar
+# docker load --input ../../bazel-bin/examples/go/chainguard_glibc_dynamic_tar/tarball.tar  
+# docker run --rm chainguard_glibc_dynamic_musl:example
+oci_tarball(
+    name = "chainguard_glibc_dynamic_tar",
+    image = ":chainguard_glibc_dynamic_image",
+    repo_tags = ["chainguard_glibc_dynamic:example"],
+)
+

examples/go/go.mod

@@ -0,0 +1,5 @@
+module example.com/mod
+
+go 1.17
+
+require github.com/google/go-cmp v0.5.9

examples/go/go.sum

@@ -0,0 +1,2 @@
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=

examples/go/main.go

@@ -0,0 +1,10 @@
+package main		
+
+import (		
+	"fmt"		
+	"github.com/google/go-cmp/cmp"		
+)		
+
+func main() {		
+    fmt.Println(cmp.Diff("Hello World", "Hello Go"))		
+}

examples/go/measure-bazel-target

@@ -0,0 +1,8 @@
+#!/bin/sh
+# Measure a bazel target by size and CVE count
+set -eux -o pipefail
+bazel build :${1}_tar
+docker load --input ../../bazel-bin/examples/go/${1}_tar/tarball.tar
+dive $1:example
+grype $1:example
+

examples/go/test.yaml

@@ -0,0 +1,5 @@
+schemaVersion: 2.0.0
+commandTests:
+  - name: 'test'
+    command: '/app'
+    expectedOutput: ['"Hello World"']

examples/go/transition.bzl

@@ -0,0 +1,27 @@
+"a rule transitioning an oci_image to multiple platforms"
+
+def _multiarch_transition(settings, attr):
+    return [
+        {"//command_line_option:platforms": str(platform)}
+        for platform in attr.platforms
+    ]
+
+multiarch_transition = transition(
+    implementation = _multiarch_transition,
+    inputs = [],
+    outputs = ["//command_line_option:platforms"],
+)
+
+def _impl(ctx):
+    return DefaultInfo(files = depset(ctx.files.image))
+
+multi_arch = rule(
+    implementation = _impl,
+    attrs = {
+        "image": attr.label(cfg = multiarch_transition),
+        "platforms": attr.label_list(),
+        "_allowlist_function_transition": attr.label(
+            default = "@bazel_tools//tools/allowlists/function_transition_allowlist",
+        ),
+    },
+)

examples/java/.bazelrc

@@ -0,0 +1 @@
+common --enable_bzlmod

examples/java/.bazelversion

@@ -0,0 +1 @@
+6.1.2

examples/java/BUILD.bazel

@@ -0,0 +1,64 @@
+load("@rules_oci//oci:defs.bzl", "oci_image", "oci_tarball")
+load("@rules_pkg//:pkg.bzl", "pkg_tar")
+
+pkg_tar(
+    name = "tar",
+    # Bring the java_binary
+    srcs = ["//src/main/java/com/example:JavaLoggingClient_deploy.jar"],
+    include_runfiles = True,
+    strip_prefix = ".",
+)
+
+# distroless demo ##################################################
+oci_image(
+    name = "distroless_image",
+    base = "@distroless_java",
+    entrypoint = [
+        "java",
+        "-jar",
+        "/src/main/java/com/example/JavaLoggingClient_deploy.jar",
+    ],
+    tars = [":tar"],
+)
+
+oci_tarball(
+    name = "distroless_tar",
+    image = ":distroless_image",
+    repo_tags = ["distroless:example"],
+)
+
+
+# chainguard demo #######################################################
+oci_image(
+    name = "chainguard_jre_image",
+    base = "@chainguard_jre",
+    entrypoint = [
+        "java",
+        "-jar",
+        "/src/main/java/com/example/JavaLoggingClient_deploy.jar",
+    ],
+    tars = [":tar"],
+)
+
+oci_tarball(
+    name = "chainguard_jre_tar",
+    image = ":chainguard_jre_image",
+    repo_tags = ["chainguard_jre:example"],
+)
+
+oci_image(
+    name = "chainguard_jdk_image",
+    base = "@chainguard_jdk",
+    entrypoint = [
+        "java",
+        "-jar",
+        "/src/main/java/com/example/JavaLoggingClient_deploy.jar",
+    ],
+    tars = [":tar"],
+)
+
+oci_tarball(
+    name = "chainguard_jdk_tar",
+    image = ":chainguard_jdk_image",
+    repo_tags = ["chainguard_jdk:example"],
+)

examples/java/README.md

@@ -0,0 +1,13 @@
+# OCI image with a Java application
+
+Illustrates a replacement for https://github.com/bazelbuild/rules_docker#java_image
+
+This uses a simple method of building the `*_deploy.jar` from Bazel's `java_binary` rule, which is
+a single file that has all the third-party dependencies built-in and includes a self-contained
+classpath and launcher for the application.
+
+A more sophisticated approach would require something similar to how rules_docker assembles a
+classpath and invokes `java -cp [classpath] [main_class]`
+https://github.com/bazelbuild/rules_docker/blob/8e70c6bcb584a15a8fd061ea489b933c0ff344ca/java/image.bzl#L178-L212
+so that the third-party dependencies could be placed in a separate layer from the application,
+which would optimize for network traffic required to update just the application layer.

examples/java/measure-bazel-target

@@ -0,0 +1,8 @@
+#!/bin/sh
+# Measure a bazel target by size and CVE count
+set -eux -o pipefail
+bazel build :${1}_tar
+docker load --input ../../bazel-bin/examples/java/${1}_tar/tarball.tar
+dive $1:example
+grype $1:example
+

examples/java/test.yaml

@@ -0,0 +1,6 @@
+schemaVersion: 2.0.0
+commandTests:
+  - name: test
+    command: java
+    args: ['-jar', '/src/main/java/com/example/JavaLoggingClient_deploy.jar']
+    expectedOutput: ['Sending message to server']

fetch.bzl

@@ -127,3 +127,18 @@ def fetch_images():
         name = "fluxcd_flux",
         image = "docker.io/fluxcd/flux:1.25.4",
     )
+
+    oci_pull(
+        name = "chainguard_static",
+        image = "cgr.dev/chainguard/static",
+        platforms = [
+            "linux/amd64",
+            "linux/arm",
+            "linux/arm64",
+            "linux/ppc64le",
+            "linux/riscv64",
+            "linux/s390x",
+        ],
+        tag = "latest",
+        reproducible = False,
+    )