puzzle · SylivanKenobi · Sep 22, 2025 · Sep 22, 2025 · Sep 22, 2025 · Sep 23, 2025
diff --git a/ci/Containerfile.helm b/ci/Containerfile.helm
@@ -1,21 +1,15 @@
-FROM registry.access.redhat.com/ubi9:9.5-1745854298
+FROM cgr.dev/chainguard/bash:latest AS base
 
-ARG HELM_PACKAGE=https://get.helm.sh/helm-v3.18.4-linux-amd64.tar.gz
-ARG HELM_UNITTEST_PACKAGE=https://github.com/helm-unittest/helm-unittest/releases/download/v0.7.0/helm-unittest-linux-amd64-0.7.0.tgz
-ARG YQ_PACKAGE=https://github.com/mikefarah/yq/releases/download/v4.44.6/yq_linux_amd64.tar.gz
+ARG HELM_UNITTEST_PACKAGE=https://github.com/helm-unittest/helm-unittest/releases/download/v1.0.1/helm-unittest-linux-amd64-1.0.1.tgz
+ARG YQ_PACKAGE=https://github.com/mikefarah/yq/releases/download/v4.47.2/yq_linux_amd64.tar.gz
 
 # Environment variables
 ENV \
     HOME="/helm" 
 
 RUN  \
-    # install Helm
-    curl ${HELM_PACKAGE} -L -o /tmp/helm.tar.gz && \
-    tar xvfz /tmp/helm.tar.gz -C /tmp && \
-    cp -a /tmp/linux-amd64/helm  /usr/local/bin/helm && \
-    rm -rf /tmp/helm.tar.gz /tmp/linux-amd64 && \
     # Install Helm unittest plugin
-    mkdir -p /tmp/hut && \
+    mkdir -p /tmp/hut /usr/local/bin && \
     curl ${HELM_UNITTEST_PACKAGE} -L -o /tmp/helm-unittest.tgz && \
     tar xvfz /tmp/helm-unittest.tgz -C /tmp/hut && \
     cp /tmp/hut/untt /usr/local/bin/helm-unittest && \
@@ -29,12 +23,17 @@ RUN  \
     # make all binaries executable
     chmod +x /usr/local/bin/*
 
+RUN ls -al /usr/local/bin
+
+FROM cgr.dev/chainguard/helm:latest-dev AS prod
+
+USER root
+
+COPY --from=base /usr/local/bin/ /usr/local/bin/
+
 WORKDIR /helm
 
-RUN chown -R 1001:0 /helm && \
+RUN chown -R 65532:0 /helm && \
     chmod -R g=u /helm
 
-USER 1001
-
-ENTRYPOINT ["/usr/local/bin/helm"]
-CMD ["--help"]
+USER 65532
diff --git a/helm/main.go b/helm/main.go
@@ -14,7 +14,8 @@ import (
 	"strings"
 )
 
-const HELM_IMAGE string = "quay.io/puzzle/dagger-module-helm:latest"
+const HELM_IMAGE string = "harbor.puzzle.ch/pitc-cicd-public/helm-chainguard:latest"
+const BASH_IMAGE string = "cgr.dev/chainguard/bash:latest"
 
 type Helm struct{}
 
@@ -112,26 +113,26 @@ func (h *Helm) PackagePush(
 	}
 
 	fmt.Fprintf(os.Stdout, "☸️ Helm package and Push")
-	c := dag.Container().
-		From("harbor.puzzle.ch/pitc-cicd-public/alpine-base:latest").
-		WithDirectory("/helm", directory).
+	cHelm := dag.Container().
+		From(HELM_IMAGE).
+		WithDirectory("/helm", directory, dagger.ContainerWithDirectoryOpts{Owner: "65532"}).
 		WithWorkdir("/helm")
-	version, err := c.WithExec([]string{"sh", "-c", "helm show chart . | yq eval '.version' -"}).Stdout(ctx)
+	version, err := cHelm.WithExec([]string{"sh", "-c", "helm show chart . | yq eval '.version' -"}).Stdout(ctx)
 	if err != nil {
 		return false, err
 	}
 
 	version = strings.TrimSpace(version)
 
-	name, err := c.WithExec([]string{"sh", "-c", "helm show chart . | yq eval '.name' -"}).Stdout(ctx)
+	name, err := cHelm.WithExec([]string{"sh", "-c", "helm show chart . | yq eval '.name' -"}).Stdout(ctx)
 	if err != nil {
 		return false, err
 	}
 
 	name = strings.TrimSpace(name)
 	pkgFile := fmt.Sprintf("%s-%s.tgz", name, version)
 
-	chartExists, err := h.doesChartExistOnRepo(ctx, c, &opts, name, version)
+	chartExists, err := h.doesChartExistOnRepo(ctx, cHelm, &opts, name, version)
 	if err != nil {
 		return false, err
 	}
@@ -140,7 +141,7 @@ func (h *Helm) PackagePush(
 		return false, nil
 	}
 
-	c, err = c.WithExec([]string{"helm", "dependency", "update", "."}).
+	cHelm, err = cHelm.WithExec([]string{"helm", "dependency", "update", "."}).
 		WithExec([]string{"helm", "package", "."}).
 		WithExec([]string{"sh", "-c", "ls"}).
 		Sync(ctx)
@@ -149,9 +150,7 @@ func (h *Helm) PackagePush(
 		return false, err
 	}
 
-	c = c.
-		WithEnvVariable("REGISTRY_USERNAME", opts.Username).
-		WithSecretVariable("REGISTRY_PASSWORD", opts.Password)
+	helmDir := cHelm.Directory("/helm")
 
 	if useNonOciHelmRepo {
 		curlCmd := []string{
@@ -163,12 +162,20 @@ func (h *Helm) PackagePush(
 			opts.getRepoFqdn() + "/",
 		}
 
-		c, err = c.
+		_, err = dag.Container().
+			From(BASH_IMAGE).
+			WithUser("65532").
+			WithEnvVariable("REGISTRY_USERNAME", opts.Username).
+			WithSecretVariable("REGISTRY_PASSWORD", opts.Password).
+			WithDirectory("/helm", helmDir, dagger.ContainerWithDirectoryOpts{Owner: "65532"}).
+			WithWorkdir("/helm").
 			WithExec([]string{"sh", "-c", strings.Join(curlCmd, " ")}).
 			Sync(ctx)
 	} else {
-		c, err = c.
+		cHelm, err = cHelm.
 			WithEnvVariable("REGISTRY_URL", opts.Registry).
+			WithEnvVariable("REGISTRY_USERNAME", opts.Username).
+			WithSecretVariable("REGISTRY_PASSWORD", opts.Password).
 			WithExec([]string{"sh", "-c", `echo ${REGISTRY_PASSWORD} | helm registry login ${REGISTRY_URL} --username ${REGISTRY_USERNAME} --password-stdin`}).
 			WithExec([]string{"helm", "push", pkgFile, opts.getRepoFqdn()}).
 			WithoutSecretVariable("REGISTRY_PASSWORD").
@@ -256,12 +263,12 @@ func (h *Helm) doesChartExistOnRepo(
 		}
 
 		//TODO: Refactor with return
-		c, err = c.WithExec([]string{"sh", "-c", fmt.Sprintf("helm show chart %s --version %s; echo -n $? > /ec", opts.getChartFqdn(name), version)}).Sync(ctx)
+		c, err = c.WithExec([]string{"sh", "-c", fmt.Sprintf("helm show chart %s --version %s; echo -n $? > /tmp/ec", opts.getChartFqdn(name), version)}).Sync(ctx)
 		if err != nil {
 			return false, err
 		}
 
-		exc, err := c.File("/ec").Contents(ctx)
+		exc, err := c.File("/tmp/ec").Contents(ctx)
 		if err != nil {
 			return false, err
 		}
@@ -285,7 +292,8 @@ func (h *Helm) doesChartExistOnRepo(
 		`--silent -Iw '%{http_code}'`,
 	}
 
-	httpCode, err := c.
+	httpCode, err := dag.Container().
+		From(BASH_IMAGE).
 		WithEnvVariable("REGISTRY_USERNAME", opts.Username).
 		WithSecretVariable("REGISTRY_PASSWORD", opts.Password).
 		WithExec([]string{"sh", "-c", strings.Join(curlCmd, " ")}).
@@ -334,7 +342,7 @@ func (h *Helm) createContainer(
 ) *dagger.Container {
 	return dag.Container().
 		From(HELM_IMAGE).
-		WithDirectory("/helm", directory, dagger.ContainerWithDirectoryOpts{Owner: "1001"}).
+		WithDirectory("/helm", directory, dagger.ContainerWithDirectoryOpts{Owner: "65532"}).
 		WithWorkdir("/helm").
 		WithoutEntrypoint()
 }
diff --git a/scan-chainguard b/scan-chainguard
@@ -0,0 +1,16 @@
+
+Report Summary
+
+┌───────────────────────────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
+│                                  Target                                   │   Type   │ Vulnerabilities │ Secrets │
+├───────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ harbor.puzzle.ch/pitc-cicd-public/helm-chainguard:latest (wolfi 20230201) │  wolfi   │        0        │    -    │
+├───────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ usr/local/bin/helm-unittest                                               │ gobinary │        0        │    -    │
+├───────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
+│ usr/local/bin/yq                                                          │ gobinary │        0        │    -    │
+└───────────────────────────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
+Legend:
+- '-': Not scanned
+- '0': Clean (no security findings detected)
+