feat(zig): add Zig Dockerfile templates #17
Merged
Implements issue #11. Zig's tarball distribution requires explicit SHA-256 verification — there is no package-manager signature chain — so both Dockerfiles download the official tarball and verify it with sha256sum before extracting.

- Dockerfile.zig: debian:bookworm-slim builder downloads and verifies Zig 0.16.0 tarball (SHA-256 pinned per arch); builds with ARG ZIG_OPTIMIZE=ReleaseSafe; runtime distroless/static-debian12:nonroot (fully-static: Zig bundles musl libc by default)
- Dockerfile.zig.chainguard: cgr.dev/chainguard/wolfi-base builder (cgr.dev/chainguard/zig is a paid tier); same tarball install pattern; runtime cgr.dev/chainguard/static; apk versions pinned (DL3018); SHELL set to /bin/ash -eo pipefail (DL4006) for busybox compatibility
- Dockerfile.devcontainer: mcr.microsoft.com/devcontainers/base:1-bookworm with Zig + ZLS 0.16.0 (prebuilt binary from zigtools/zls releases), gdb, lldb, valgrind; both toolchain installs SHA-256 verified
- .devcontainer/devcontainer.json: ziglang.vscode-zig, vscode-lldb; zig.path and zig.zls.path wired to installed binaries
- .dockerignore: excludes zig-cache/, .zig-cache/, zig-out/
- README.md: tarball supply-chain rationale, optimize modes table, zig build vs zig build-exe, cross-compilation, version upgrade guide, libc linking note, hardening checklist

Closes #11
The devcontainer comment claimed both Zig and ZLS were SHA-256 verified but the ZLS install block was missing the sha256sum check. Add the per-arch SHA-256 values (0.16.0 x86_64 and aarch64) and the verification step, consistent with the Zig tarball install above it.
Summary

- `Dockerfile.zig` — `debian:bookworm-slim` builder downloads and SHA-256-verifies the Zig 0.16.0 tarball (pinned per arch: x86_64 + aarch64); builds with `ARG ZIG_OPTIMIZE=ReleaseSafe`; runtime `gcr.io/distroless/static-debian12:nonroot` (fully-static: Zig bundles musl libc)
- `Dockerfile.zig.chainguard` — `cgr.dev/chainguard/wolfi-base` builder (`cgr.dev/chainguard/zig` is a paid tier); same tarball install pattern; runtime `cgr.dev/chainguard/static`; apk versions pinned (DL3018); `SHELL /bin/ash -eo pipefail` (DL4006)
- `Dockerfile.devcontainer` — `mcr.microsoft.com/devcontainers/base:1-bookworm` with Zig 0.16.0 + ZLS 0.16.0 (prebuilt binary from zigtools/zls releases), `gdb`, `lldb`, `valgrind`
- `.devcontainer/devcontainer.json` — `ziglang.vscode-zig`, `vadimcn.vscode-lldb`; `zig.path` and `zig.zls.path` wired to installed binaries
- `.dockerignore` — excludes `zig-cache/`, `.zig-cache/`, `zig-out/`
- `README.md` — tarball supply-chain rationale, SHA-256 upgrade guide, optimize modes table, `zig build` vs `zig build-exe`, cross-compilation, libc linking note, hardening checklist
- `README.md` — Zig added to intro sentence, new Zig section, "Coming soon" updated

Test plan

- `npm run lint` passes (markdownlint, hadolint, prettier — all clean)
- `docker build --build-arg BIN_NAME=<bin> -f dockerfiles/zig/Dockerfile.zig .` in a Zig project
- `docker build --build-arg BIN_NAME=<bin> -f dockerfiles/zig/Dockerfile.zig.chainguard .`
- `sha256sum -c`
- `docker buildx build --platform=linux/amd64,linux/arm64 ...` both build cleanly
- `dockerfiles/zig/` in VS Code Dev Containers and verify `zig version` + `zls --version` in terminal

Closes #11
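The per-arch pinned SHA-256 check described in this PR, sketched as an added shell example that is not taken from the PR's Dockerfiles. The variable names `ZIG_SHA256_X86_64` and `ZIG_SHA256_AARCH64` and both function names are hypothetical, no real Zig digests are included, and a constructed temp file stands in for the downloaded tarball.

```shell
#!/bin/sh
# Added example: fail-closed, per-architecture SHA-256 pin check.
# ZIG_SHA256_X86_64 / ZIG_SHA256_AARCH64 are hypothetical variable names; set them
# to the digests published for the release you pin. No real digests appear here.

# Print the pinned digest for an architecture; unknown architectures have no pin.
pinned_sha256() {
  case "$1" in
    x86_64|amd64)  printf '%s\n' "${ZIG_SHA256_X86_64:-}" ;;
    aarch64|arm64) printf '%s\n' "${ZIG_SHA256_AARCH64:-}" ;;
    *) return 1 ;;
  esac
}

# verify_tarball ARCH FILE
# Returns 0 on match, 1 on digest mismatch, 2 on a missing or malformed pin.
verify_tarball() {
  vt_pin=$(pinned_sha256 "$1") || { echo "no pin for arch '$1'" >&2; return 2; }
  case "$vt_pin" in
    ''|*[!0-9a-f]*) echo "pin for '$1' is empty or not lowercase hex" >&2; return 2 ;;
  esac
  [ "${#vt_pin}" -eq 64 ] || { echo "pin for '$1' is not 64 hex chars" >&2; return 2; }
  # sha256sum -c expects "<digest>  <path>" (two spaces between the fields).
  printf '%s  %s\n' "$vt_pin" "$2" | sha256sum -c - >/dev/null 2>&1 || return 1
}

# Constructed demo: a temp file stands in for the downloaded tarball.
demo() {
  d=$(mktemp -d) || return 1
  printf 'constructed stand-in for the tarball\n' > "$d/zig.tar.xz"
  # In a real build this value is hard-coded from the release page, not computed.
  ZIG_SHA256_X86_64=$(sha256sum "$d/zig.tar.xz" | cut -d' ' -f1)
  r_ok=0;   verify_tarball x86_64 "$d/zig.tar.xz" || r_ok=$?
  printf 'tampered\n' >> "$d/zig.tar.xz"
  r_bad=0;  verify_tarball x86_64 "$d/zig.tar.xz" || r_bad=$?
  r_arch=0; verify_tarball riscv64 "$d/zig.tar.xz" 2>/dev/null || r_arch=$?
  rm -rf "$d"
  echo "match=$r_ok tampered=$r_bad unknown_arch=$r_arch"
}
demo
```

Keeping a missing or malformed pin (exit 2) distinct from a digest mismatch (exit 1) lets a build log show whether the failure is a configuration slip or a changed artifact.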