feat: enhance containerfile / adding minimal image (#499)

Signed-off-by: SequeI <[email protected]>

Author: SequeI

.github/workflows/release.yml

@@ -75,44 +75,80 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Build Image
-        id: build_image
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        id: registry_login
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build minimal image
+        id: build_minimal_image
         uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
         with:
           containerfiles: |
             ./Containerfile
-          image: ghcr.io/sigstore/model-transparency-cli
-          tags: "latest ${{ github.event.release.tag_name }}"
+          image: sigstore/model-transparency-cli
+          tags: "${{ github.event.release.tag_name }}-minimal"
           archs: amd64
           oci: false
+          build-args: |
+            BUILD_TYPE=minimal
 
-      - id: docker_meta
+      - id: docker_meta_minimal
         uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
-          images: ${{ steps.build_image.outputs.image }}
+          images: ${{ steps.build_minimal_image.outputs.image }}
           tags: type=sha,format=long,type=ref,event=branch
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        id: registry_login
+      - name: Push minimal image to GHCR
+        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
+        id: push_minimal
         with:
+          image: ${{ steps.build_minimal_image.outputs.image }}
+          tags: ${{ steps.build_minimal_image.outputs.tags }}
           registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Push To GHCR
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
+        with:
+          subject-name: ghcr.io/sigstore/model-transparency-cli
+          subject-digest: ${{ steps.push_minimal.outputs.digest }}
+          push-to-registry: true
+
+      - name: Build full image
+        id: build_full_image
+        uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
+        with:
+          containerfiles: |
+            ./Containerfile
+          image: sigstore/model-transparency-cli
+          tags: "latest ${{ github.event.release.tag_name }}"
+          archs: amd64
+          oci: false
+          build-args: |
+            BUILD_TYPE=full
+
+      - id: docker_meta_full
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        with:
+          images: ${{ steps.build_full_image.outputs.image }}
+          tags: type=sha,format=long,type=ref,event=branch
+
+      - name: Push full image to GHCR
         uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
-        id: push
+        id: push_full
         with:
-          image: ${{ steps.build_image.outputs.image }}
-          tags: ${{ steps.build_image.outputs.tags }}
+          image: ${{ steps.build_full_image.outputs.image }}
+          tags: ${{ steps.build_full_image.outputs.tags }}
           registry: ghcr.io
 
       - name: Generate artifact attestation
         uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
         with:
           subject-name: ghcr.io/sigstore/model-transparency-cli
-          subject-digest: ${{ steps.push.outputs.digest }}
+          subject-digest: ${{ steps.push_full.outputs.digest }}
           push-to-registry: true
 
   # TODO: Create and publish release notes

CHANGELOG.md

@@ -26,6 +26,7 @@ All versions prior to 1.0.0 are untracked.
 - Added guidance to `README.md` on how to install `model-signing` with PKCS#11 support.
 - Added support trace sigstore sign and verify operations using OpenTelemetry.
 - cli: Added support for `--ignore_unsigned_files` option
+- Implemented a new, minimal container image. This variant excludes optional dependencies (like OTel and PKCS#11) to reduce footprint, focusing solely on core signing and verification mechanisms.
 
 ## [1.0.1] - 2024-04-18
 

Containerfile

@@ -1,4 +1,4 @@
-# Copyright 2024 The Sigstore Authors
+# Copyright 2025 The Sigstore Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,17 +12,43 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-"""For the stable high-level API, see model_signing.api."""
+# Default
+ARG BUILD_TYPE=minimal
 
-__version__ = "0.1.1"
+FROM python:3.13-slim AS base_builder
 
-FROM python:3.13-slim
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    g++ \
+    swig
 
-COPY pyproject.toml ./
-COPY src ./src
+FROM base_builder AS minimal_install
+WORKDIR /app
+COPY . /app
+RUN pip install .
 
-RUN python -m pip install model_signing
+FROM base_builder AS full_install
+WORKDIR /app
+COPY . /app
+RUN pip install .[pkcs11,otel]
 
-ENTRYPOINT ["/usr/local/bin/model_signing"]
+FROM python:3.13-slim AS minimal_image
+COPY --from=minimal_install /usr/local/bin /usr/local/bin
+COPY --from=minimal_install /usr/local/lib/python3.13/site-packages /usr/local/lib/python3.13/site-packages
 
+FROM python:3.13-slim AS full_image
+COPY --from=full_install /usr/local/bin /usr/local/bin
+COPY --from=full_install /usr/local/lib/python3.13/site-packages /usr/local/lib/python3.13/site-packages
+
+FROM ${BUILD_TYPE}_image AS final_image
+
+ENTRYPOINT ["model_signing"]
 CMD ["--help"]
+
+ARG APP_VERSION="1.0.1"
+
+LABEL org.opencontainers.image.title="Model Transparency Library" \
+      org.opencontainers.image.description="Supply chain security for ML" \
+      org.opencontainers.image.version="$APP_VERSION" \
+      org.opencontainers.image.authors="The Sigstore Authors <[email protected]>" \
+      org.opencontainers.image.licenses="Apache-2.0" \