docker

package
v0.4.1

Published: Mar 27, 2026 License: AGPL-3.0, AGPL-3.0-only Imports: 30 Imported by: 0

Constants

This section is empty.

Variables

This section is empty.

Functions

func CleanupCrucibleImages

func CleanupCrucibleImages(ctx context.Context, tags ...string) error

CleanupCrucibleImages removes temporary crucible images. Best-effort; errors are returned but should never downgrade a successful crucible result. Does not use --force to avoid removing images that a user may have manually tagged from the crucible output.

func CosignAttest

func CosignAttest(ctx context.Context, digestRef, predicatePath, keyPath string) error

CosignAttest attests a predicate against an image digest ref using cosign. The digestRef must be in the form repo@sha256:... — tags are never used.

func CosignAvailable

func CosignAvailable() bool

CosignAvailable returns true if cosign is on PATH.

func CosignSign

func CosignSign(ctx context.Context, digestRef, keyPath string, multiArch bool) error

CosignSign signs an image digest ref using cosign. The digestRef must be in the form repo@sha256:... — tags are never used.

func CrucibleTag

func CrucibleTag(purpose, runID string) string

CrucibleTag returns a namespaced temporary image tag for crucible. Uses stagefreight/crucible-* namespace to prevent accidental pushes.

func ImageBinaryHash

func ImageBinaryHash(ctx context.Context, image string) (string, error)

ImageBinaryHash extracts the sha256 hash of /usr/local/bin/stagefreight from a local docker image.

func ImageDigest

func ImageDigest(ctx context.Context, image string) (string, error)

ImageDigest returns the local image ID (config digest) via docker inspect.

func ImageEnvFingerprint

func ImageEnvFingerprint(ctx context.Context, image string) (string, error)

ImageEnvFingerprint returns an informational hash of the execution environment inside a docker image. Non-authoritative.

func ImageLabel

func ImageLabel(ctx context.Context, image, label string) (string, error)

ImageLabel reads a specific OCI label from a local image via docker inspect.

func ImageVersion

func ImageVersion(ctx context.Context, image string) (string, error)

ImageVersion extracts the stagefreight version string from a local docker image.

func IsMultiPlatform

func IsMultiPlatform(step build.BuildStep) bool

IsMultiPlatform returns true if the step targets more than one platform. Multi-platform builds cannot use --load (buildx limitation).

func ParseBuildxOutput

func ParseBuildxOutput(output string) []build.LayerEvent

ParseBuildxOutput parses captured buildx --progress=plain output into layer events. Only meaningful build layers are returned (FROM, COPY, RUN, etc.). Internal steps (load build definition, load .dockerignore, metadata) are filtered out.
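The filtering ParseBuildxOutput describes can be seen on a concrete transcript. The parser below is an added example, not the package's own code: its layerEvent type and field names are assumptions (the page does not show build.LayerEvent), and the sample output is constructed to look like buildx --progress=plain output for a three-instruction Dockerfile. Internal steps carry no [i/n] marker, so they never produce an event; DONE and CACHED lines attach timing and cache status to the step they reference.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// layerEvent is this example's own event type, standing in for the
// build.LayerEvent the package returns (its fields are not shown on the page).
type layerEvent struct {
	Step        string  // buildx step id, e.g. "#5"
	Stage       string  // stage name from "[builder 2/3]", empty for "[2/3]"
	Index       int     // 1-based position within the stage
	Total       int     // instruction count of the stage
	Instruction string  // "FROM", "RUN", "COPY", ...
	Text        string  // full instruction text
	Cached      bool    // set by a "#n CACHED" line
	Seconds     float64 // from "#n DONE 1.2s"; zero when cached
}

var (
	// "#5 [2/3] RUN apk add ..." or "#5 [builder 2/3] RUN apk add ..."
	stepRE = regexp.MustCompile(`^(#\d+) \[(?:(\S+) )?(\d+)/(\d+)\] (\S+) ?(.*)$`)
	// "#5 DONE 1.2s"
	doneRE = regexp.MustCompile(`^(#\d+) DONE ([0-9.]+)s$`)
	// "#6 CACHED"
	cachedRE = regexp.MustCompile(`^(#\d+) CACHED$`)
)

// parseProgressPlain turns --progress=plain output into ordered layer events.
// Lines for [internal] steps, exporting, and per-step log output do not match
// stepRE, so only real Dockerfile instructions become events.
func parseProgressPlain(output string) []layerEvent {
	var events []layerEvent
	byStep := map[string]int{} // step id -> index into events
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if m := stepRE.FindStringSubmatch(line); m != nil {
			idx, _ := strconv.Atoi(m[3])
			total, _ := strconv.Atoi(m[4])
			byStep[m[1]] = len(events)
			events = append(events, layerEvent{
				Step: m[1], Stage: m[2], Index: idx, Total: total,
				Instruction: m[5], Text: strings.TrimSpace(m[5] + " " + m[6]),
			})
			continue
		}
		if m := doneRE.FindStringSubmatch(line); m != nil {
			if i, ok := byStep[m[1]]; ok { // DONE for an internal step is ignored
				events[i].Seconds, _ = strconv.ParseFloat(m[2], 64)
			}
			continue
		}
		if m := cachedRE.FindStringSubmatch(line); m != nil {
			if i, ok := byStep[m[1]]; ok {
				events[i].Cached = true
			}
		}
	}
	return events
}

// sampleOutput is a constructed transcript in the --progress=plain format.
const sampleOutput = `#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 214B done
#1 DONE 0.0s
#2 [internal] load .dockerignore
#2 DONE 0.0s
#3 [internal] load metadata for docker.io/library/alpine:3.19
#3 DONE 0.6s
#4 [1/3] FROM docker.io/library/alpine:3.19
#4 DONE 0.1s
#5 [2/3] RUN apk add --no-cache ca-certificates
#5 0.412 fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
#5 DONE 1.2s
#6 [3/3] COPY app /usr/local/bin/app
#6 CACHED
#7 exporting to image
#7 exporting layers done
#7 DONE 0.3s
`

func main() {
	for _, ev := range parseProgressPlain(sampleOutput) {
		fmt.Printf("%s %d/%d %-5s cached=%-5v %.1fs  %s\n",
			ev.Step, ev.Index, ev.Total, ev.Instruction, ev.Cached, ev.Seconds, ev.Text)
	}
}
```

Running it yields three events (FROM, RUN, COPY); the seven internal and export lines are dropped, which is the behaviour the doc comment above describes.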

func ParseMetadataDigest

func ParseMetadataDigest(metadataFile string) (string, error)

ParseMetadataDigest parses the digest from a buildx --metadata-file JSON output.

func ResolveCosignKey

func ResolveCosignKey() string

ResolveCosignKey finds the cosign signing key path. Checks COSIGN_KEY env var first, then .stagefreight/cosign.key.

func ResolveDigest

func ResolveDigest(ctx context.Context, ref string) (string, error)

ResolveDigest queries the registry for the manifest digest of a pushed image.

func ResolveLocalDigest

func ResolveLocalDigest(ctx context.Context, ref string) (string, error)

ResolveLocalDigest extracts the pushed digest from a locally loaded image via docker inspect RepoDigests. This is a fallback for when buildx imagetools inspect can't reach the registry. Only returns a digest that matches the requested ref's registry/path to prevent cross-ref confusion.
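Three of the functions above share one discipline: CosignSign and CosignAttest accept only repo@sha256:... refs, ParseMetadataDigest reads a digest out of the buildx metadata file, and ResolveLocalDigest returns a RepoDigests entry only when its registry/path matches the requested ref. The following is an added example of those checks, not the package's own implementation; the function names are this example's, the metadata key containerimage.digest is the one buildx writes to --metadata-file, and the RepoDigests values are constructed. The ref-matching guard is what prevents the cross-ref confusion the doc comment mentions: an image loaded under two registries carries two digests, and the caller must get the one for the registry it asked about.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// digestRE is the only digest form accepted: sha256 plus 64 lowercase hex digits.
var digestRE = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

var errNoMatchingDigest = errors.New("no RepoDigest matches the requested ref")

// requireDigestRef enforces the repo@sha256:... form that the signing and
// attestation helpers demand, rejecting tag-only refs and malformed digests.
func requireDigestRef(ref string) (string, string, error) {
	repo, digest, ok := strings.Cut(ref, "@")
	if !ok || repo == "" {
		return "", "", fmt.Errorf("ref %q is not in repo@sha256:... form", ref)
	}
	if !digestRE.MatchString(digest) {
		return "", "", fmt.Errorf("ref %q has a malformed digest", ref)
	}
	return repo, digest, nil
}

// repoPath strips any tag or digest from a ref, leaving registry/path.
// A ':' counts as a tag separator only when it follows the last '/', so a
// registry port such as localhost:5000/app is left intact.
func repoPath(ref string) string {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	slash := strings.LastIndex(ref, "/")
	if colon := strings.LastIndex(ref, ":"); colon > slash {
		ref = ref[:colon]
	}
	return ref
}

// digestFromMetadata reads containerimage.digest from the JSON that buildx
// writes for --metadata-file and validates its format before trusting it.
func digestFromMetadata(metadataJSON []byte) (string, error) {
	var meta map[string]json.RawMessage
	if err := json.Unmarshal(metadataJSON, &meta); err != nil {
		return "", fmt.Errorf("parse metadata: %w", err)
	}
	raw, ok := meta["containerimage.digest"]
	if !ok {
		return "", errors.New("metadata has no containerimage.digest")
	}
	var digest string
	if err := json.Unmarshal(raw, &digest); err != nil {
		return "", fmt.Errorf("containerimage.digest: %w", err)
	}
	if !digestRE.MatchString(digest) {
		return "", fmt.Errorf("malformed digest %q", digest)
	}
	return digest, nil
}

// localDigestFor mirrors the cross-ref guard described for ResolveLocalDigest:
// among an image's RepoDigests (as reported by docker inspect) only the entry
// whose registry/path equals that of the requested ref is returned. Docker Hub
// refs are reported without a docker.io/ prefix; this example does not
// normalise that and compares the strings as given.
func localDigestFor(ref string, repoDigests []string) (string, error) {
	want := repoPath(ref)
	for _, rd := range repoDigests {
		repo, digest, err := requireDigestRef(rd)
		if err != nil {
			continue // skip anything that is not repo@digest
		}
		if repo == want {
			return digest, nil
		}
	}
	return "", fmt.Errorf("%w: %s", errNoMatchingDigest, want)
}

func main() {
	// Constructed sample: one local image loaded under two registries.
	repoDigests := []string{
		"registry.example.com/team/app@sha256:" + strings.Repeat("a", 64),
		"ghcr.io/example/app@sha256:" + strings.Repeat("b", 64),
	}
	d, err := localDigestFor("ghcr.io/example/app:v1", repoDigests)
	fmt.Println(d, err)
	_, err = localDigestFor("quay.io/example/app:v1", repoDigests)
	fmt.Println(err)
}
```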

func Run

func Run(req Request) error

Run is the entry point for docker build orchestration. It replaces the former runDockerBuild cobra handler body.

Types

type ArgDecl

type ArgDecl struct {
	Name    string
	Default string
	Line    string // original instruction text
}

ArgDecl holds a parsed Dockerfile ARG with its default value.

type Buildx

type Buildx struct {
	Verbose bool
	Stdout  io.Writer
	Stderr  io.Writer
}

Buildx wraps docker buildx commands.

func NewBuildx

func NewBuildx(verbose bool) *Buildx

NewBuildx creates a Buildx runner with default output writers.

func (*Buildx) Build

func (bx *Buildx) Build(ctx context.Context, step build.BuildStep) (*build.StepResult, error)

Build executes a single build step via docker buildx. When ParseLayers is true, buildx runs with --progress=plain and the output is parsed into layer events for structured display.

func (*Buildx) BuildWithLayers

func (bx *Buildx) BuildWithLayers(ctx context.Context, step build.BuildStep) (*build.StepResult, []build.LayerEvent, error)

BuildWithLayers executes a build step and parses the output for layer events. Uses --progress=plain to get parseable output. The original Stdout/Stderr writers receive the raw output; layer events are parsed from the stderr copy.

func (*Buildx) EnsureBuilder

func (bx *Buildx) EnsureBuilder(ctx context.Context) error

EnsureBuilder checks that a buildx builder is available and creates one if needed.

func (*Buildx) Login

func (bx *Buildx) Login(ctx context.Context, registries []build.RegistryTarget) error

Login authenticates to registries that have a credentials label configured. The Credentials field on each RegistryTarget is a user-chosen env var prefix:

credentials: DOCKERHUB_PRPLANIT  →  DOCKERHUB_PRPLANIT_USER / DOCKERHUB_PRPLANIT_PASS
credentials: GHCR_ORG            →  GHCR_ORG_USER / GHCR_ORG_PASS

No credentials field → no login attempted (public or pre-authenticated). If credentials are configured but the env vars are missing, Login returns an error.
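The env var prefix scheme above is small enough to show end to end. The code below is an added example, not the package's Login implementation: registryTarget and registryLogin are this example's own types standing in for build.RegistryTarget, and the env lookup is injected so the logic runs without touching the process environment. A target without a credentials prefix is skipped; a prefix whose _USER or _PASS variable is absent is an error, as the doc comment states. The docker login command is built with --password-stdin so the secret is never placed in argv.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// registryTarget is this example's stand-in for build.RegistryTarget.
type registryTarget struct {
	Registry    string
	Credentials string // user-chosen env var prefix; empty means no login
}

// registryLogin is a resolved credential pair for one registry.
type registryLogin struct {
	Registry string
	User     string
	Pass     string
}

var errMissingCredentials = errors.New("credentials configured but env vars missing")

// resolveLogins returns one login per target that has a credentials prefix,
// reading <PREFIX>_USER and <PREFIX>_PASS through lookup (os.LookupEnv in
// production). Targets with no prefix are public or pre-authenticated and
// are skipped.
func resolveLogins(targets []registryTarget, lookup func(string) (string, bool)) ([]registryLogin, error) {
	var logins []registryLogin
	for _, t := range targets {
		if t.Credentials == "" {
			continue
		}
		user, okU := lookup(t.Credentials + "_USER")
		pass, okP := lookup(t.Credentials + "_PASS")
		if !okU || !okP || user == "" || pass == "" {
			return nil, fmt.Errorf("%w: %s_USER / %s_PASS for %s",
				errMissingCredentials, t.Credentials, t.Credentials, t.Registry)
		}
		logins = append(logins, registryLogin{Registry: t.Registry, User: user, Pass: pass})
	}
	return logins, nil
}

// loginCommand builds `docker login -u <user> --password-stdin <registry>`.
// The password goes in on stdin, so it is absent from the process list and
// from any command logging that records argv.
func loginCommand(l registryLogin) *exec.Cmd {
	cmd := exec.Command("docker", "login", "-u", l.User, "--password-stdin", l.Registry)
	cmd.Stdin = strings.NewReader(l.Pass + "\n")
	return cmd
}

func main() {
	// Constructed targets matching the prefixes shown in the doc comment.
	targets := []registryTarget{
		{Registry: "docker.io", Credentials: "DOCKERHUB_PRPLANIT"},
		{Registry: "ghcr.io", Credentials: "GHCR_ORG"},
		{Registry: "registry.internal.example"}, // no credentials: skipped
	}
	logins, err := resolveLogins(targets, os.LookupEnv)
	if err != nil {
		fmt.Println("login:", err)
		return
	}
	for _, l := range logins {
		// Args never contain the password; only the command shape is printed.
		fmt.Println(strings.Join(loginCommand(l).Args, " "))
	}
}
```

Run as-is it reports the missing variables unless DOCKERHUB_PRPLANIT_USER/_PASS and GHCR_ORG_USER/_PASS are set; the commands are built but not executed, so nothing contacts a registry.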

func (*Buildx) PushTags

func (bx *Buildx) PushTags(ctx context.Context, tags []string) (int, error)

PushTags pushes already-loaded local images to their remote registries. It is used in the single-platform load-then-push strategy: buildx builds with --load first, then each remote tag is pushed explicitly.

Returns the count of successfully pushed tags and the first error encountered. On full success: (len(tags), nil). On failure: (N, *PushError) where tags[:N] succeeded and tags[N] failed. Callers can retry with tags[pushed:].
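The (N, *PushError) contract and the tags[pushed:] retry it enables are shown below in an added example that is not the package's PushTags; pushError mirrors the PushError fields listed further down on this page, and the single-tag push is injected as a function so the loop can run without a daemon (a real pusher would run docker push and capture its exit code and stderr). The retry helper resumes from the first unpushed tag, so a tag that already succeeded is never pushed twice.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// pushError is this example's mirror of the package's PushError.
type pushError struct {
	Tag      string // fully qualified ref that failed
	ExitCode int    // process exit code (1 if not determinable)
	Stderr   string // stderr from the failed push only
	Cause    error  // underlying exec error
}

func (e *pushError) Error() string {
	return fmt.Sprintf("push %s failed (exit %d): %s", e.Tag, e.ExitCode, strings.TrimSpace(e.Stderr))
}

func (e *pushError) Unwrap() error { return e.Cause }

// pusher pushes one tag. It is injected so the loop below can be exercised
// with a constructed failure instead of a docker daemon.
type pusher func(tag string) error

// pushTags pushes tags in order and stops at the first failure. It returns
// (len(tags), nil) on success, or (n, *pushError) where tags[:n] succeeded and
// tags[n] failed, so the caller can resume with tags[n:].
func pushTags(tags []string, push pusher) (int, error) {
	for i, tag := range tags {
		if err := push(tag); err != nil {
			var pe *pushError
			if !errors.As(err, &pe) {
				pe = &pushError{Tag: tag, ExitCode: 1, Cause: err}
			}
			return i, pe
		}
	}
	return len(tags), nil
}

// pushWithRetry drives pushTags, resuming from the first unpushed tag after
// each failure until every tag is pushed or maxAttempts is exhausted.
func pushWithRetry(tags []string, push pusher, maxAttempts int) (int, error) {
	pushed := 0
	var lastErr error
	for attempt := 0; attempt < maxAttempts && pushed < len(tags); attempt++ {
		n, err := pushTags(tags[pushed:], push)
		pushed += n
		lastErr = err
	}
	if pushed < len(tags) {
		return pushed, lastErr
	}
	return pushed, nil
}

func main() {
	tags := []string{
		"registry.example.com/team/app:v1",
		"ghcr.io/example/app:v1",
		"ghcr.io/example/app:latest",
	}
	// Constructed pusher: the second tag fails once with an auth error, then succeeds.
	failures := 0
	flaky := func(tag string) error {
		if tag == tags[1] && failures == 0 {
			failures++
			return &pushError{Tag: tag, ExitCode: 1,
				Stderr: "unauthorized: authentication required", Cause: errors.New("exit status 1")}
		}
		return nil
	}
	n, err := pushTags(tags, flaky)
	fmt.Printf("first pass: %d pushed, err=%v\n", n, err) // 1 pushed, tags[1] failed
	n, err = pushWithRetry(tags[n:], flaky, 2)
	fmt.Printf("retry: %d pushed, err=%v\n", n, err) // 2 pushed, err=<nil>
}
```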

func (*Buildx) Save

func (bx *Buildx) Save(ctx context.Context, imageRef string, outputPath string) error

Save exports a loaded image as a tarball for downstream scanning and attestation. The image must be loaded into the daemon first (--load or docker load).

type CrucibleCheck

type CrucibleCheck struct {
	Name   string // e.g. "binary hash", "version", "image digest"
	Status string // "match", "differs", "unavailable"
	Detail string // e.g. "sha256:abc123..."
}

CrucibleCheck is a single verification data point.

func (CrucibleCheck) IsHardFailure

func (c CrucibleCheck) IsHardFailure() bool

IsHardFailure returns true if this check's failure should fail the crucible.

type CrucibleOpts

type CrucibleOpts struct {
	Image      string   // pass-1 candidate image ref
	FinalTag   string   // tag for the verification artifact
	RepoDir    string   // absolute path to repo root (mounted into container)
	ExtraFlags []string // original user flags minus --build-mode
	EnvVars    []string // credential and CI env vars to forward (KEY=VALUE)
	RunID      string   // correlates passes in logs
	Verbose    bool
}

CrucibleOpts configures the pass-2 container invocation.

type CrucibleResult

type CrucibleResult struct {
	Passed        bool
	ExitCode      int
	FinalImageRef string
}

CrucibleResult captures the outcome of a pass-2 invocation.

func RunCrucible

func RunCrucible(ctx context.Context, opts CrucibleOpts) (*CrucibleResult, error)

RunCrucible executes pass 2 inside the pass-1 candidate image. It streams stdout/stderr directly — pass-2 output is the canonical build log.

type CrucibleVerification

type CrucibleVerification struct {
	ArtifactChecks  []CrucibleCheck
	ExecutionChecks []CrucibleCheck
	TrustLevel      string
}

CrucibleVerification holds the complete verification result.

func VerifyCrucible

func VerifyCrucible(ctx context.Context, pass1Image, pass2Image string) (*CrucibleVerification, error)

VerifyCrucible compares pass-1 and pass-2 images to determine trust level. Uses promoted identity helpers from image_inspect.go for all inspections.

func (*CrucibleVerification) HasHardFailure

func (cv *CrucibleVerification) HasHardFailure() bool

HasHardFailure returns true if any check is a hard failure.

type InventoryResult

type InventoryResult struct {
	BaseImages []PackageInfo // normalized primary base image versions from FROM refs
	Lineage    []PackageInfo // inferred distro lineage from tag suffixes
	Packages   []PackageInfo // all discovered packages
	Args       []ArgDecl     // ARG declarations with defaults
}

InventoryResult holds all extracted packages grouped by manager.

func ExtractInventory

func ExtractInventory(dockerfilePath string) (*InventoryResult, error)

ExtractInventory parses a Dockerfile and extracts package inventory. This is the main entry point for inventory extraction.

type PackageInfo

type PackageInfo struct {
	Name       string // package name
	Version    string // version if known, empty otherwise
	Pinned     bool   // true if version is explicitly pinned
	Source     string // broad category: "dockerfile", "dockerfile_arg", "base_image"
	SourceRef  string // narrow origin: the actual instruction or ARG declaration
	Manager    string // package manager name: "apk", "pip", "npm", "go", "galaxy", "binary", "base", "apt"
	Confidence string // "inferred" for heuristic-derived items, empty for authoritative
	URL        string // download URL for binary installs
	Stage      string // stage name from "AS <name>", empty for unnamed stages
	Final      bool   // true if this is from the last FROM stage (the shipped image)
}

PackageInfo represents a discovered package/dependency from Dockerfile analysis. This is the build package's internal model — manifest generation converts these to schema types. Keeps the build package reusable without circular coupling.

type PushError

type PushError struct {
	Tag      string // fully qualified ref that failed
	ExitCode int    // process exit code (1 if not determinable)
	Stderr   string // stderr from the failed push only
	Cause    error  // underlying exec error
}

PushError is the structured error from a failed docker push. Implements error — PushTags return type stays (int, error).

func (*PushError) Error

func (e *PushError) Error() string

func (*PushError) Unwrap

func (e *PushError) Unwrap() error

type Request

type Request struct {
	Context    context.Context
	RootDir    string
	Config     *config.Config
	Verbose    bool
	Local      bool
	Platforms  []string
	Tags       []string
	Target     string
	BuildID    string
	SkipLint   bool
	DryRun     bool
	BuildMode  string
	ConfigFile string // forwarded by crucible to inner build
	Stdout     io.Writer
	Stderr     io.Writer
}

Request holds all inputs for a docker build pipeline run. Every field that previously came from a package-global variable is explicitly passed here, eliminating hidden coupling to cobra flag state.

type VerificationArtifact

type VerificationArtifact struct {
	Tag string // e.g. "stagefreight/crucible-verify:<run-id>"
}

VerificationArtifact encapsulates the extra --tag + --local added to pass 2 for post-build verification. Centralizes the concept so it isn't ad-hoc flag munging scattered across call sites.

func (VerificationArtifact) AppendFlags

func (va VerificationArtifact) AppendFlags() []string

AppendFlags returns the flags needed to produce the verification artifact.
