Thanks for your interest in improving the tempus.build runner images.
Contributions are accepted under the repository license, Apache-2.0. By submitting a PR you certify the Developer Certificate of Origin; sign off each commit (`git commit -s`, which adds a `Signed-off-by:` trailer). No CLA is required.
Requires Docker, just, and pre-commit. After cloning:

```sh
just hooks   # install the pre-commit git hook
just ci      # everything CI runs: lint + build/test/scan of both images
```

Or piecewise: `just lint`, `just test` / `just scan` (full image, builds it first), `just test-minimal` / `just scan-minimal` (minimal image); `just --list` shows all recipes. The same set runs in CI; PRs must be green on the test workflow.
- Pin everything. Base image by `sha256:` digest, every tool/toolchain by exact version, GitHub Actions by commit SHA. Never `:latest` or floating tags. Downloaded artifacts are verified by SHA256/512, or installed from key-verified vendor apt repositories.
- Security baseline. Run as the unprivileged `runner` user; no secrets in layers, `ENV`, or `ARG` (build args and environment values are recoverable from the image history); clean the apt cache in the same `RUN` that installs packages (a later `RUN` cannot remove files already committed to an earlier layer); avoid unnecessary surface (no stray setuid binaries).
- CVEs. The build fails on fixable HIGH/CRITICAL findings. Prefer fixing over suppressing; documented exceptions go in `.trivyignore.yaml` with a `statement` and an `expired_at`, so every suppression carries a reason and lapses on its own.
- Comments are English, written only where they add non-obvious context: no decorative banners, no restating the obvious.
- Shell scripts start with `set -euo pipefail`.
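The "Pin everything" rule is mechanically checkable. The script below is an added example, not code from the tempus.build repository: it lints a Dockerfile for `FROM` lines that are not pinned by `@sha256:` digest (references to an earlier build stage are allowed) and a workflow file for `uses:` lines not pinned to a 40-hex commit SHA (local `./` actions are skipped). It assumes POSIX sh and awk; the sample Dockerfile and workflow are constructed inline, and the digest and commit values in them are placeholders of the right shape, not real digests or commits. It uses `set -eu` rather than the repository's `set -euo pipefail` only because `pipefail` is not portable to every `/bin/sh`.

```sh
#!/usr/bin/env sh
# Added example, not part of the tempus.build repo: lint checks for digest- and
# SHA-pinning. Assumes POSIX sh + awk. Sample inputs below are constructed.
set -eu   # repo scripts use `set -euo pipefail`; pipefail is bash-only, omitted here

# Exit 0 if every FROM line pins an image by @sha256:<64 hex> or names an
# earlier build stage; exit 1 (after printing offenders) otherwise.
check_from_pins() {
  awk '
    toupper($1) == "FROM" {
      i = 2
      while (i <= NF && substr($i, 1, 2) == "--") i++      # skip --platform=... flags
      ref = $i
      for (j = i + 1; j < NF; j++) if (toupper($j) == "AS") stages[$(j + 1)] = 1
      if (ref in stages) next                               # FROM <earlier stage>
      p = index(ref, "@sha256:")
      h = substr(ref, p + 8)
      if (p > 0 && length(h) == 64 && h ~ /^[0-9a-f]+$/) next
      print "unpinned FROM: " $0
      bad = 1
    }
    END { exit bad }
  ' "$1"
}

# Exit 0 if every `uses:` in a GitHub Actions workflow is pinned to a full
# 40-hex commit SHA (a trailing "# vX" comment is fine); exit 1 otherwise.
check_uses_pins() {
  awk '
    $1 == "uses:" || ($1 == "-" && $2 == "uses:") {
      ref = ($1 == "-") ? $3 : $2
      gsub(/"/, "", ref)
      if (substr(ref, 1, 2) == "./") next                   # local action, nothing to pin
      p = index(ref, "@")
      h = substr(ref, p + 1)
      if (p > 0 && length(h) == 40 && h ~ /^[0-9a-f]+$/) next
      print "unpinned uses: " $0
      bad = 1
    }
    END { exit bad }
  ' "$1"
}

# Constructed samples (not from the repo); digest/SHA values are shape-only placeholders.
write_samples() {
  dir="$1"
  d=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  c=0123456789abcdef0123456789abcdef01234567
  cat >"$dir/good.Dockerfile" <<EOF
FROM --platform=linux/amd64 ubuntu:24.04@sha256:$d AS base
FROM base
EOF
  cat >"$dir/bad.Dockerfile" <<EOF
FROM ubuntu:latest
FROM golang:1.22@sha256:$d
EOF
  cat >"$dir/good.yml" <<EOF
steps:
  - uses: actions/checkout@$c # v4
  - uses: ./.github/actions/local
EOF
  cat >"$dir/bad.yml" <<EOF
steps:
  - uses: actions/checkout@v4
EOF
}

samples=$(mktemp -d)
write_samples "$samples"
check_from_pins "$samples/good.Dockerfile" && echo "good.Dockerfile: every FROM pinned"
check_from_pins "$samples/bad.Dockerfile" || echo "bad.Dockerfile: rejected, as expected"
check_uses_pins "$samples/good.yml" && echo "good.yml: every uses pinned"
check_uses_pins "$samples/bad.yml" || echo "bad.yml: rejected, as expected"
```

Run it against the real Dockerfiles and `.github/workflows/*.yml` from a pre-commit hook or a `just` recipe; a non-zero exit from either function is what should fail the lint step.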
Before bumping a version, check the upstream release/manifest. Renovate proposes version bumps (see `renovate.json`) but does not recompute the paired `*_SHA256`/`*_SHA512` values, so a Renovate PR on its own leaves the hash pointing at the previous release and the download check fails; recompute the hash from the new artifact and update it in the same PR. Toolcache versions come from their upstream manifests (go.dev/dl, actions/python-versions, actions/node-versions, ruby/ruby-builder, …).
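What a version bump has to do, as an added example that is not code from the repository: verify an artifact against the `*_SHA256` pinned in a Dockerfile `ARG`, fail closed on a missing or malformed hash, and, when the version moves, recompute the hash from the new artifact and write both `ARG`s in one change. The artifacts, the Dockerfile and the `TOOL_*` names are constructed stand-ins (the "1.0.0 tarball" is the three bytes `abc`, whose SHA256 is the FIPS 180-2 test vector); `read_arg`/`set_arg`/`bump_with_hash` are this example's own helpers, not repository recipes. Assumes POSIX sh, awk, and `sha256sum` or `shasum`.

```sh
#!/usr/bin/env sh
# Added example, not part of the tempus.build repo: checksum verification and
# the paired version+hash update a bump PR must make. Assumes POSIX sh + awk.
set -eu   # repo scripts use `set -euo pipefail`; pipefail is bash-only, omitted here

# Print the SHA256 of a file (coreutils sha256sum, or shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Return 0 if the file matches the expected SHA256. Fail closed: an empty or
# malformed expected value returns 2 rather than silently passing.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case $expected in
    ""|*[!0-9a-f]*) echo "refusing to verify $file: expected hash missing or malformed" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "refusing to verify $file: expected hash is not 64 hex chars" >&2; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "hash mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
}

# Read the default of `ARG NAME=value` from a Dockerfile (first match).
read_arg() {
  awk -v name="$2" 'toupper($1) == "ARG" { split($2, kv, "="); if (kv[1] == name) { print kv[2]; exit } }' "$1"
}

# Rewrite `ARG NAME=...` to a new value, via a temp file so a failure leaves the original intact.
set_arg() {
  tmp=$(mktemp)
  awk -v name="$2" -v val="$3" \
    'toupper($1) == "ARG" { split($2, kv, "="); if (kv[1] == name) $0 = "ARG " name "=" val } { print }' \
    "$1" >"$tmp"
  mv "$tmp" "$1"
}

# The bump itself: new version and recomputed hash written together, then re-verified.
# $4 is the ARG prefix, e.g. TOOL for TOOL_VERSION / TOOL_SHA256.
bump_with_hash() {
  dockerfile=$1; artifact=$2; version=$3; prefix=$4
  set_arg "$dockerfile" "${prefix}_VERSION" "$version"
  set_arg "$dockerfile" "${prefix}_SHA256" "$(sha256_of "$artifact")"
  verify_sha256 "$artifact" "$(read_arg "$dockerfile" "${prefix}_SHA256")"
}

# Constructed demo (stand-ins, not real release artifacts or repo files).
work=$(mktemp -d)
printf 'abc' >"$work/tool-1.0.0.tar.gz"      # SHA256 = ba7816bf...f20015ad (known test vector)
printf 'abcd' >"$work/tool-1.1.0.tar.gz"     # the "new" release after a bump
printf 'ARG TOOL_VERSION=1.0.0\nARG TOOL_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n' >"$work/Dockerfile"

verify_sha256 "$work/tool-1.0.0.tar.gz" "$(read_arg "$work/Dockerfile" TOOL_SHA256)" && echo "1.0.0: hash OK"

# A version-only bump (what Renovate proposes): the stale hash must be rejected.
set_arg "$work/Dockerfile" TOOL_VERSION 1.1.0
if verify_sha256 "$work/tool-1.1.0.tar.gz" "$(read_arg "$work/Dockerfile" TOOL_SHA256)"; then
  echo "BUG: stale TOOL_SHA256 accepted"; exit 1
fi
echo "stale TOOL_SHA256 rejected; recomputing in the same change"
bump_with_hash "$work/Dockerfile" "$work/tool-1.1.0.tar.gz" 1.1.0 TOOL && echo "1.1.0: version and hash updated together"
cat "$work/Dockerfile"
```

In a real bump the artifact passed to `bump_with_hash` is the one downloaded from the upstream release you checked first; the recomputed hash only pins what you verified, it does not vouch for the download itself.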
Do not open a public issue for a vulnerability — see SECURITY.md.