@v1v v1v commented May 9, 2024

What does this pull request do?

Release two flavours of Docker images:

Please note that we are going to preserve the current Dockerfile, so that users will still be able to build their own custom images based on Alpine: this is needed because docker.elastic.co/wolfi/chainguard-base is not a public base image, so docker build would fail for unauthenticated users.

Tests

I created a feature branch test/docker-images-wolfi:

Then I can test the release workflow without pushing any changes in production but generating docker images with the prefix test- and suffix if -wolfi

See https://github.com/elastic/apm-agent-python/actions/runs/9018252392

Docker images

The ones we usually release


Wolfi docker images


docker pull docker.elastic.co/observability/apm-agent-python:test-latest-wolfi

@v1v v1v self-assigned this May 9, 2024
@v1v v1v marked this pull request as ready for review May 9, 2024 13:51
@v1v v1v requested review from a team May 9, 2024 13:51
mgreau commented May 9, 2024

```
grype docker.elastic.co/observability/apm-agent-python:test-latest-wolfi
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    docker.elastic.co/observability/apm-agent-python:test-latest-wolfi
 ✔ Parsed image                    sha256:32f3de3da9caef11d011ceb668429b03af0b767e3c6c081a00046d7b32b55a20
 ✔ Cataloged contents              d58b897cdb7d844a5bf2c2808b255c11b10fe5967a9b9ebed103ef13e7281b33
   ├── ✔ Packages                        [20 packages]
   ├── ✔ File digests                    [103 files]
   ├── ✔ File metadata                   [103 locations]
   └── ✔ Executables                     [28 executables]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found
```

```
grype docker.elastic.co/observability/apm-agent-python:test-latest
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    docker.elastic.co/observability/apm-agent-python:test-latest
 ✔ Parsed image                    sha256:7e6bf7ba25ba3896785e414cfd2a7d6ee31205b69aaeae312e27ca784be10737
 ✔ Cataloged contents              fed1b99e03e2726b53308feb43584a4fd1e16627fb0bc5a2299e0dfb63850eaf
   ├── ✔ Packages                        [20 packages]
   ├── ✔ File digests                    [78 files]
   ├── ✔ File metadata                   [78 locations]
   └── ✔ Executables                     [18 executables]
 ✔ Scanned for vulnerabilities     [22 vulnerability matches]
   ├── by severity: 0 critical, 2 high, 16 medium, 0 low, 0 negligible (4 unknown)
   └── by status:   22 fixed, 0 not-fixed, 0 ignored
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libcrypto3  3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libcrypto3  3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libcrypto3  3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libcrypto3  3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libcrypto3  3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libcrypto3  3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libcrypto3  3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libcrypto3  3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium
libcrypto3  3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libcrypto3  3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown
libssl3     3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libssl3     3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libssl3     3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libssl3     3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libssl3     3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libssl3     3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libssl3     3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libssl3     3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libssl3     3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium
libssl3     3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libssl3     3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown
```
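The `test-latest` scan above, condensed into a per-package upgrade target; this is an added example, not part of the original thread or the project's code. `apk_key` and `upgrade_plan` are hypothetical helper names, and the version comparison assumes plain numeric apk versions with an `-rN` revision, compared numerically because a string comparison would rank `3.0.9-r3` above `3.0.12-r0`.

```python
import re
from collections import defaultdict

# libcrypto3 rows copied from the test-latest grype table in the comment above.
GRYPE_ROWS = """\
libcrypto3  3.0.8-r3  3.0.12-r0  apk  CVE-2023-5363  High
libcrypto3  3.0.8-r3  3.0.12-r4  apk  CVE-2024-0727  Medium
libcrypto3  3.0.8-r3  3.0.12-r2  apk  CVE-2023-6129  Medium
libcrypto3  3.0.8-r3  3.0.12-r1  apk  CVE-2023-5678  Medium
libcrypto3  3.0.8-r3  3.0.10-r0  apk  CVE-2023-3817  Medium
libcrypto3  3.0.8-r3  3.0.9-r3   apk  CVE-2023-3446  Medium
libcrypto3  3.0.8-r3  3.0.9-r2   apk  CVE-2023-2975  Medium
libcrypto3  3.0.8-r3  3.0.9-r0   apk  CVE-2023-2650  Medium
libcrypto3  3.0.8-r3  3.0.8-r4   apk  CVE-2023-1255  Medium
libcrypto3  3.0.8-r3  3.0.12-r5  apk  CVE-2024-2511  Unknown
libcrypto3  3.0.8-r3  3.0.12-r3  apk  CVE-2023-6237  Unknown
"""

def apk_key(version):
    """Sort key for versions like 3.0.12-r5 (assumption: digits only, no _rc/_p suffixes)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-r(\d+)", version)
    if not m:
        raise ValueError(f"unsupported apk version: {version}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))

def upgrade_plan(table):
    """Per package: installed version, lowest version clearing every match, severity counts."""
    plan = {}
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[4].startswith("CVE-"):
            continue  # skip the header, blank lines and rows without a FIXED-IN value
        name, installed, fixed_in, _type, cve, severity = fields
        entry = plan.setdefault(name, {"installed": installed, "target": fixed_in,
                                       "cves": set(), "severity": defaultdict(int)})
        if cve not in entry["cves"]:
            entry["cves"].add(cve)
            entry["severity"][severity] += 1
        # The package has to reach the highest FIXED-IN to clear all of its matches.
        entry["target"] = max(entry["target"], fixed_in, key=apk_key)
    return plan

if __name__ == "__main__":
    for pkg, e in upgrade_plan(GRYPE_ROWS).items():
        print(pkg, e["installed"], "->", e["target"], dict(e["severity"]))
```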
@v1v v1v merged commit ecac142 into elastic:main May 14, 2024
@v1v v1v deleted the feature/support-chainguard-wolfi branch May 14, 2024 19:32
xrmx pushed a commit to xrmx/apm-agent-python that referenced this pull request May 17, 2024
xrmx pushed a commit to xrmx/apm-agent-python that referenced this pull request May 20, 2024
xrmx pushed a commit to xrmx/apm-agent-python that referenced this pull request Jun 10, 2024