Build Wolfi images #47182

Merged
merged 58 commits into from
Apr 24, 2023

Contributor

@willdollman willdollman commented Jan 31, 2023

We have packages, we have base images, so let's build some actual runnable images!

This PR is my main branch for building Wolfi-based versions of our first-party docker images.

Progress tracked in https://github.com/sourcegraph/security/issues/447

Notes for reviewers

Reviewing does not need to be comprehensive (so don't worry about inspecting every single build script or dockerfile!), as I'll be doing a full verification of each image prior to merging. Helpful feedback would be on any patterns you think could be improved.

One area that could use improvement is duplication in the wolfi-images/ directory - we could use some YAML templating here.

For each image there's a:

  • build-wolfi.sh alongside the standard build.sh script. Changes are minimal, and in most cases just change docker build -f Dockerfile [...] to Dockerfile.wolfi. In a few cases they remove unneeded build scripts, such as install-ctags.sh
  • Dockerfile.wolfi which contains the bulk of the changes

The apko build definitions are in the wolfi-images/ directory. Simple images without additional package requirements rely on wolfi-images/sourcegraph.yaml. Images that require packaged deps have their own .yaml file.

Test plan

  • Green CI
  • These changes will not be made live until each image undergoes full validation

@willdollman willdollman marked this pull request as ready for review April 20, 2023 13:01
Contributor

sourcegraph-bot commented Apr 20, 2023

Codenotify: Notifying subscribers in CODENOTIFY files for diff 2228b36...b4e44bb.

Notify / File(s)

@bobheadxi
  • docker-images/cadvisor/Dockerfile.wolfi
  • docker-images/cadvisor/build-wolfi.sh
  • docker-images/prometheus/Dockerfile.wolfi
  • docker-images/prometheus/build-wolfi.sh
  • enterprise/dev/ci/internal/ci/pipeline.go
  • enterprise/dev/ci/internal/ci/wolfi_operations.go
  • enterprise/dev/ci/scripts/wolfi/build-base-image.sh

@efritz
  • cmd/worker/Dockerfile.wolfi
  • cmd/worker/build-wolfi.sh
  • cmd/worker/build.sh
  • enterprise/cmd/migrator/build-wolfi.sh
  • enterprise/cmd/precise-code-intel-worker/Dockerfile.wolfi
  • enterprise/cmd/precise-code-intel-worker/build-wolfi.sh
  • enterprise/cmd/worker/Dockerfile.wolfi
  • enterprise/cmd/worker/build-wolfi.sh

@indradhanush
  • cmd/repo-updater/Dockerfile.wolfi
  • cmd/repo-updater/build-wolfi.sh
  • cmd/repo-updater/build.sh
  • enterprise/cmd/repo-updater/build-wolfi.sh

@keegancsmith
  • cmd/searcher/Dockerfile.wolfi
  • cmd/searcher/build-wolfi.sh
  • cmd/searcher/build.sh
  • cmd/symbols/Dockerfile.wolfi
  • cmd/symbols/build-wolfi.sh
  • cmd/symbols/go-build-wolfi.sh

@sashaostrikov
  • cmd/repo-updater/Dockerfile.wolfi
  • cmd/repo-updater/build-wolfi.sh
  • cmd/repo-updater/build.sh

@sourcegraph/delivery
  • docker-images/postgres-12-alpine/Dockerfile.wolfi
  • docker-images/postgres-12-alpine/build-wolfi.sh
  • docker-images/postgres-12-alpine/rootfs/postgres-wolfi.sh

Contributor

sourcegraph-bot commented Apr 20, 2023

Codenotify: Notifying subscribers in OWNERS files for diff 2228b36...b4e44bb.

Notify / File(s)

@sourcegraph/dev-experience
  • enterprise/dev/ci/internal/ci/pipeline.go
  • enterprise/dev/ci/internal/ci/wolfi_operations.go
  • enterprise/dev/ci/scripts/wolfi/build-base-image.sh

@jhchabran jhchabran requested a review from davejrt April 20, 2023 13:24
Member

@jhchabran jhchabran left a comment

It's great to finally see this land 😊

I've noticed that in some cases, the bazel building process is not ported. I think that's fine, because we'll need to update those things anyway because wolfi isn't running musl, so we've got to tweak a few of them anyway.

And we haven't fully landed those either, so we can update them afterward. I don't think it would be wise to delay landing and testing this because of it.

export CGO_ENABLED=0

echo "--- go build"
pkg="github.com/sourcegraph/sourcegraph/cmd/frontend"
Member

You didn't port the bazel build in that one?

Contributor Author

I've just been tracking what the build.sh script on main does, and for this image it doesn't use bazel - https://github.com/sourcegraph/sourcegraph/blob/main/cmd/frontend/build.sh

Member

Yeah, that's because in our branch, it's done in a build-bazel.sh

@willdollman willdollman enabled auto-merge (squash) April 24, 2023 12:35
@willdollman willdollman merged commit 3db318d into main Apr 24, 2023
@willdollman willdollman deleted the wolfi/build-wolfi branch April 24, 2023 17:32