Documentation
¶
Index ¶
- Constants
- Variables
- func All() []string
- func CleanupCrucibleImages(ctx context.Context, tags ...string) error
- func CosignAttest(ctx context.Context, digestRef, predicatePath, keyPath string) error
- func CosignAvailable() bool
- func CosignSign(ctx context.Context, digestRef, keyPath string, multiArch bool) error
- func CrucibleTag(purpose, runID string) string
- func DetectProvider(registryURL string) string
- func DetectVersion(rootDir string) (*gitver.VersionInfo, error)
- func EnsureCrucibleAllowed(rootDir string) error
- func EnvFingerprint() string
- func FormatLayerInstruction(e LayerEvent) string
- func FormatLayerTiming(e LayerEvent) string
- func GenerateCrucibleRunID() string
- func ImageBinaryHash(ctx context.Context, image string) (string, error)
- func ImageDigest(ctx context.Context, image string) (string, error)
- func ImageEnvFingerprint(ctx context.Context, image string) (string, error)
- func ImageLabel(ctx context.Context, image, label string) (string, error)
- func ImageVersion(ctx context.Context, image string) (string, error)
- func InjectLabels(plan *BuildPlan, labels map[string]string)
- func IsCrucibleChild() bool
- func IsMultiPlatform(step BuildStep) bool
- func NormalizeBuildPlan(plan *BuildPlan) string
- func ParseMetadataDigest(metadataFile string) (string, error)
- func Register(name string, constructor func() Engine)
- func ResolveCosignKey() string
- func ResolveDigest(ctx context.Context, ref string) (string, error)
- func ResolveLocalDigest(ctx context.Context, ref string) (string, error)
- func ResolveTags(templates []string, v *gitver.VersionInfo) []string
- func ResolveTemplate(tmpl string, v *gitver.VersionInfo) string
- func SlugifyBuildID(id string) string
- func StandardLabels(planHash, sfVersion, commit, mode, createdRFC3339 string) map[string]string
- func TruncHash(s string) string
- func TrustLevelLabel(level string) string
- func WriteDSSEProvenance(path string, stmt ProvenanceStatement) error
- func WriteProvenance(path string, stmt ProvenanceStatement) error
- func WritePublishManifest(dir string, manifest PublishManifest) error
- type ArgDecl
- type AttestationRecord
- type AttestationType
- type BuildInstance
- type BuildPlan
- type BuildResult
- type BuildStep
- type Buildx
- func (bx *Buildx) Build(ctx context.Context, step BuildStep) (*StepResult, error)
- func (bx *Buildx) BuildWithLayers(ctx context.Context, step BuildStep) (*StepResult, []LayerEvent, error)
- func (bx *Buildx) EnsureBuilder(ctx context.Context) error
- func (bx *Buildx) Login(ctx context.Context, registries []RegistryTarget) error
- func (bx *Buildx) PushTags(ctx context.Context, tags []string) error
- func (bx *Buildx) Save(ctx context.Context, imageRef string, outputPath string) error
- type CrucibleCheck
- type CrucibleOpts
- type CrucibleResult
- type CrucibleVerification
- type DSSEEnvelope
- type DSSESignature
- type Detection
- type DockerfileInfo
- type Engine
- type ExtractRule
- type GitInfo
- type InventoryResult
- type LayerEvent
- type OutputMode
- type PackageInfo
- type ProvenanceBuilder
- type ProvenanceInvocation
- type ProvenanceMaterial
- type ProvenanceMetadata
- type ProvenancePredicate
- type ProvenanceStatement
- type ProvenanceSubject
- type PublishManifest
- type PublishedImage
- type RegistryTarget
- type Stage
- type StepResult
- type VerificationArtifact
- type VersionInfo
Constants ¶
const ( // CrucibleEnvVar is set to "1" inside the pass-2 container to prevent recursion. CrucibleEnvVar = "STAGEFREIGHT_CRUCIBLE" // CrucibleRunIDEnvVar correlates pass-1 and pass-2 in logs/artifacts. CrucibleRunIDEnvVar = "STAGEFREIGHT_CRUCIBLE_RUN_ID" // CrucibleAllowEnvVar overrides the repo guard for non-StageFreight repos. CrucibleAllowEnvVar = "STAGEFREIGHT_ALLOW_CRUCIBLE" // StageFreightModule is the canonical Go module path used by the repo guard. StageFreightModule = "github.com/PrPlanIT/StageFreight" )
Crucible environment variables.
const ( TrustViable = "viable" // pass 2 succeeded TrustConsistent = "consistent" // version + build graph match TrustDeterministic = "deterministic" // binary hash identical TrustReproducible = "reproducible" // image digest identical (stretch goal) )
Trust levels, ordered from weakest to strongest.
const ( LabelCreated = "org.opencontainers.image.created" LabelRevision = "org.opencontainers.image.revision" LabelVersion = "org.opencontainers.image.version" LabelBuildMode = "org.stagefreight.build.mode" LabelPlanHash = "org.stagefreight.plan.sha256" )
Standard OCI label keys emitted by StageFreight on every build.
const PublishManifestPath = ".stagefreight/publish.json"
Variables ¶
var ErrPublishManifestInvalid = errors.New("publish manifest invalid")
var ErrPublishManifestNotFound = errors.New("publish manifest not found")
Functions ¶
func CleanupCrucibleImages ¶
CleanupCrucibleImages removes temporary crucible images. Best-effort; errors are returned but should never downgrade a successful crucible result. Does not use --force to avoid removing images that a user may have manually tagged from the crucible output.
func CosignAttest ¶
CosignAttest attests a predicate against an image digest ref using cosign. The digestRef must be in the form repo@sha256:... — tags are never used.
func CosignAvailable ¶
func CosignAvailable() bool
CosignAvailable returns true if cosign is on PATH.
func CosignSign ¶
CosignSign signs an image digest ref using cosign. The digestRef must be in the form repo@sha256:... — tags are never used.
func CrucibleTag ¶
CrucibleTag returns a namespaced temporary image tag for crucible. Uses stagefreight/crucible-* namespace to prevent accidental pushes.
func DetectProvider ¶
DetectProvider determines the registry vendor from the URL. Well-known domains are matched directly. For unknown domains, returns "generic" (future: probe the registry API to identify the vendor).
func DetectVersion ¶
func DetectVersion(rootDir string) (*gitver.VersionInfo, error)
DetectVersion delegates to the gitver package.
func EnsureCrucibleAllowed ¶
EnsureCrucibleAllowed checks that the repo is the StageFreight repo itself, or that STAGEFREIGHT_ALLOW_CRUCIBLE=1 is set.
func EnvFingerprint ¶
func EnvFingerprint() string
EnvFingerprint returns an informational hash of the build environment. Non-authoritative — useful for debugging but never a primary signal.
func FormatLayerInstruction ¶
func FormatLayerInstruction(e LayerEvent) string
FormatLayerInstruction formats a layer event into a display string. For FROM instructions, shows the base image name. For other instructions, shows the instruction and truncated detail.
func FormatLayerTiming ¶
func FormatLayerTiming(e LayerEvent) string
FormatLayerTiming formats a layer's timing for display. Returns "cached" for cache hits, or the duration string for completed layers.
func GenerateCrucibleRunID ¶
func GenerateCrucibleRunID() string
GenerateCrucibleRunID returns a cryptographically random hex string for correlating crucible passes. Uses crypto/rand to avoid collisions in CI where multiple pipelines may start at the same nanosecond.
func ImageBinaryHash ¶
ImageBinaryHash extracts the sha256 hash of /usr/local/bin/stagefreight from a local docker image.
func ImageDigest ¶
ImageDigest returns the local image ID (config digest) via docker inspect.
func ImageEnvFingerprint ¶
ImageEnvFingerprint returns an informational hash of the execution environment inside a docker image. Non-authoritative.
func ImageLabel ¶
ImageLabel reads a specific OCI label from a local image via docker inspect.
func ImageVersion ¶
ImageVersion extracts the stagefreight version string from a local docker image.
func InjectLabels ¶
InjectLabels merges labels into every step of a plan. Existing labels on a step are preserved; new labels do not overwrite.
func IsCrucibleChild ¶
func IsCrucibleChild() bool
IsCrucibleChild returns true when running inside a crucible pass-2 container.
func IsMultiPlatform ¶
IsMultiPlatform returns true if the step targets more than one platform. Multi-platform builds cannot use --load (buildx limitation).
func NormalizeBuildPlan ¶
NormalizeBuildPlan produces a deterministic fingerprint of a BuildPlan, excluding ephemeral/runtime-derived fields. Used globally for provenance, and by crucible for build graph verification between passes.
Included fields (build-affecting):
- BuildStep.Name, Dockerfile, Context, Target (build identity)
- BuildStep.Platforms (affects output binary)
- BuildStep.BuildArgs (minus BUILD_DATE — ephemeral timestamp)
Excluded fields (ephemeral or derived at runtime):
- BuildStep.Tags (output naming, not build-affecting)
- BuildStep.Registries (output destinations, not build-affecting)
- BuildStep.Output (always "image" for docker)
- BuildStep.Load, Push, SavePath (runtime strategy decisions)
- BuildStep.Labels (metadata, not build-affecting)
- BuildStep.Extract (artifact mode only)
- RegistryTarget.Credentials (auth, not build-affecting)
- RegistryTarget.Provider (inferred, not build-affecting)
- RegistryTarget.Retention, TagPatterns (post-build operations)
- BuildArgs["BUILD_DATE"] (timestamp, always differs between runs)
- Map iteration order (all maps sorted by key)
- Empty/zero-value fields (omitted, not hashed)
- Builder-generated metadata (layer IDs, cache keys, etc.)
func ParseMetadataDigest ¶
ParseMetadataDigest parses the digest from a buildx --metadata-file JSON output.
func Register ¶
Register adds an engine constructor to the global registry. Called from init() in each engine package.
func ResolveCosignKey ¶
func ResolveCosignKey() string
ResolveCosignKey finds the cosign signing key path. Checks COSIGN_KEY env var first, then .stagefreight/cosign.key.
func ResolveDigest ¶
ResolveDigest queries the registry for the manifest digest of a pushed image.
func ResolveLocalDigest ¶
ResolveLocalDigest extracts the pushed digest from a locally loaded image via docker inspect RepoDigests. This is a fallback for when buildx imagetools inspect can't reach the registry. Only returns a digest that matches the requested ref's registry/path to prevent cross-ref confusion.
func ResolveTags ¶
func ResolveTags(templates []string, v *gitver.VersionInfo) []string
ResolveTags delegates to the gitver package.
func ResolveTemplate ¶
func ResolveTemplate(tmpl string, v *gitver.VersionInfo) string
ResolveTemplate delegates to the gitver package.
func SlugifyBuildID ¶ added in v0.3.2
SlugifyBuildID sanitizes a build ID for use as a filename. Lowercase, [a-z0-9-] only, spaces/underscores → hyphens, slashes forbidden.
func StandardLabels ¶
StandardLabels returns the set of OCI labels that should be applied to every image built by StageFreight, regardless of build mode.
func TrustLevelLabel ¶
TrustLevelLabel returns human text for the trust level with context when the level is below deterministic.
func WriteDSSEProvenance ¶
func WriteDSSEProvenance(path string, stmt ProvenanceStatement) error
WriteDSSEProvenance writes a DSSE-wrapped provenance statement as indented JSON.
func WriteProvenance ¶
func WriteProvenance(path string, stmt ProvenanceStatement) error
WriteProvenance writes a provenance statement as indented JSON.
func WritePublishManifest ¶
func WritePublishManifest(dir string, manifest PublishManifest) error
WritePublishManifest writes the publish manifest and its SHA-256 checksum sidecar. Canonicalizes Ref, deduplicates by host/path:tag, sorts deterministically, and sets timestamp if empty.
Types ¶
type AttestationRecord ¶
type AttestationRecord struct {
Type AttestationType `json:"type,omitempty"`
SignatureRef string `json:"signature_ref,omitempty"` // cosign signature digest ref
AttestationRef string `json:"attestation_ref,omitempty"` // DSSE provenance digest ref
SignerIdentity string `json:"signer_identity,omitempty"` // workload identity / key fingerprint
VerifiedDigest string `json:"verified_digest,omitempty"` // digest the signature covers
}
AttestationRecord captures signing and attestation metadata for a published image.
type AttestationType ¶
type AttestationType string
AttestationType identifies the signing/attestation mechanism.
const ( AttestationCosign AttestationType = "cosign" AttestationInToto AttestationType = "in-toto" AttestationSLSA AttestationType = "slsa" )
type BuildInstance ¶
type BuildInstance struct {
Commit string `json:"commit,omitempty"`
PipelineID string `json:"pipeline_id,omitempty"`
JobID string `json:"job_id,omitempty"`
CreatedAt string `json:"created_at,omitempty"`
}
BuildInstance captures CI/build environment metadata for provenance.
type BuildPlan ¶
type BuildPlan struct {
Steps []BuildStep
}
BuildPlan is the resolved execution plan for a build.
type BuildResult ¶
type BuildResult struct {
Steps []StepResult
Duration time.Duration
}
BuildResult captures the outcome of a full build plan execution.
type BuildStep ¶
type BuildStep struct {
Name string
Dockerfile string
Context string
Target string
Platforms []string
BuildArgs map[string]string
Labels map[string]string // OCI labels injected via --label
Tags []string
Output OutputMode
Extract []ExtractRule // artifact mode only
Registries []RegistryTarget // image mode only
Load bool // --load into daemon
Push bool // --push to registries
SavePath string // save image tarball here after build (for security scanning)
MetadataFile string // temp file for buildx --metadata-file (digest capture)
}
BuildStep is a single build invocation.
type Buildx ¶
Buildx wraps docker buildx commands.
func (*Buildx) Build ¶
Build executes a single build step via docker buildx. When ParseLayers is true, buildx runs with --progress=plain and the output is parsed into layer events for structured display.
func (*Buildx) BuildWithLayers ¶
func (bx *Buildx) BuildWithLayers(ctx context.Context, step BuildStep) (*StepResult, []LayerEvent, error)
BuildWithLayers executes a build step and parses the output for layer events. Uses --progress=plain to get parseable output. The original Stdout/Stderr writers receive the raw output; layer events are parsed from the stderr copy.
func (*Buildx) EnsureBuilder ¶
EnsureBuilder checks that a buildx builder is available and creates one if needed.
func (*Buildx) Login ¶
func (bx *Buildx) Login(ctx context.Context, registries []RegistryTarget) error
Login authenticates to registries that have a credentials label configured. The Credentials field on each RegistryTarget is a user-chosen env var prefix:
credentials: DOCKERHUB_PRPLANIT → DOCKERHUB_PRPLANIT_USER / DOCKERHUB_PRPLANIT_PASS credentials: GHCR_ORG → GHCR_ORG_USER / GHCR_ORG_PASS
No credentials field → no login attempted (public or pre-authenticated). If credentials are configured but the env vars are missing, Login returns an error.
type CrucibleCheck ¶
type CrucibleCheck struct {
Name string // e.g. "binary hash", "version", "image digest"
Status string // "match", "differs", "unavailable"
Detail string // e.g. "sha256:abc123..."
}
CrucibleCheck is a single verification data point.
func (CrucibleCheck) IsHardFailure ¶
func (c CrucibleCheck) IsHardFailure() bool
IsHardFailure returns true if this check's failure should fail the crucible.
type CrucibleOpts ¶
type CrucibleOpts struct {
Image string // pass-1 candidate image ref
FinalTag string // tag for the verification artifact
RepoDir string // absolute path to repo root (mounted into container)
ExtraFlags []string // original user flags minus --build-mode
EnvVars []string // credential and CI env vars to forward (KEY=VALUE)
RunID string // correlates passes in logs
Verbose bool
}
CrucibleOpts configures the pass-2 container invocation.
type CrucibleResult ¶
CrucibleResult captures the outcome of a pass-2 invocation.
func RunCrucible ¶
func RunCrucible(ctx context.Context, opts CrucibleOpts) (*CrucibleResult, error)
RunCrucible executes pass 2 inside the pass-1 candidate image. It streams stdout/stderr directly — pass-2 output is the canonical build log.
type CrucibleVerification ¶
type CrucibleVerification struct {
ArtifactChecks []CrucibleCheck
ExecutionChecks []CrucibleCheck
TrustLevel string
}
CrucibleVerification holds the complete verification result.
func VerifyCrucible ¶
func VerifyCrucible(ctx context.Context, pass1Image, pass2Image string) (*CrucibleVerification, error)
VerifyCrucible compares pass-1 and pass-2 images to determine trust level. Uses promoted identity helpers from identity.go for all inspections.
func (*CrucibleVerification) HasHardFailure ¶
func (cv *CrucibleVerification) HasHardFailure() bool
HasHardFailure returns true if any check is a hard failure.
type DSSEEnvelope ¶
type DSSEEnvelope struct {
PayloadType string `json:"payloadType"`
Payload string `json:"payload"` // base64-encoded ProvenanceStatement
Signatures []DSSESignature `json:"signatures"`
}
DSSEEnvelope is a Dead Simple Signing Envelope for wrapping provenance statements.
func WrapDSSE ¶
func WrapDSSE(stmt ProvenanceStatement) (DSSEEnvelope, error)
WrapDSSE wraps a ProvenanceStatement in a DSSE envelope (unsigned). The caller can sign the payload externally (cosign) and attach the signature.
type DSSESignature ¶
DSSESignature is a single signature within a DSSE envelope.
type Detection ¶
type Detection struct {
RootDir string // absolute path to repo root
Dockerfiles []DockerfileInfo
Language string // "go", "rust", "node", "python", ""
Lockfiles []string // relative paths: go.mod, Cargo.toml, etc.
GitInfo *GitInfo
}
Detection holds everything discovered about a repo's build capabilities.
func DetectRepo ¶
DetectRepo inspects a directory and returns build-relevant information.
type DockerfileInfo ¶
type DockerfileInfo struct {
Path string // relative path from repo root
Stages []Stage // parsed multistage stages
Args []string
Expose []string
Healthcheck *string
}
DockerfileInfo describes a discovered Dockerfile.
func ParseDockerfile ¶
func ParseDockerfile(path string) (*DockerfileInfo, error)
ParseDockerfile extracts stage, arg, expose, and healthcheck info from a Dockerfile. This is a regex-based parser — not a full AST. Sufficient for detection and planning.
type Engine ¶
type Engine interface {
Name() string
Detect(ctx context.Context, rootDir string) (*Detection, error)
Plan(ctx context.Context, cfg interface{}, det *Detection) (*BuildPlan, error)
Execute(ctx context.Context, plan *BuildPlan) (*BuildResult, error)
}
Engine is the interface every build engine implements.
type ExtractRule ¶
type ExtractRule struct {
From string // path inside the container
To string // local destination path
}
ExtractRule defines a file to extract from a build container.
type GitInfo ¶
type GitInfo struct {
Remote string // origin URL
Branch string // current branch
LatestTag string
SHA string
}
GitInfo holds git repository metadata.
type InventoryResult ¶ added in v0.3.2
type InventoryResult struct {
BaseImages []PackageInfo // normalized primary base image versions from FROM refs
Lineage []PackageInfo // inferred distro lineage from tag suffixes
Packages []PackageInfo // all discovered packages
Args []ArgDecl // ARG declarations with defaults
}
InventoryResult holds all extracted packages grouped by manager.
func ExtractInventory ¶ added in v0.3.2
func ExtractInventory(dockerfilePath string) (*InventoryResult, error)
ExtractInventory parses a Dockerfile and extracts package inventory. This is the main entry point for inventory extraction.
type LayerEvent ¶
type LayerEvent struct {
Stage string // "builder", "stage-1", "" (for internal steps)
StageStep string // "1/7", "2/7", etc.
Instruction string // "FROM", "COPY", "RUN", "WORKDIR", "ENV", "ARG", "EXPOSE", "ADD"
Detail string // instruction arguments (truncated)
Cached bool // true if layer was a cache hit
Duration time.Duration // layer execution time (0 for cached layers)
Image string // for FROM: the base image name (without digest)
}
LayerEvent represents a completed build layer parsed from buildx output.
func ParseBuildxOutput ¶
func ParseBuildxOutput(output string) []LayerEvent
ParseBuildxOutput parses captured buildx --progress=plain output into layer events. Only meaningful build layers are returned (FROM, COPY, RUN, etc.). Internal steps (load build definition, load .dockerignore, metadata) are filtered out.
type OutputMode ¶
type OutputMode string
OutputMode describes what the build produces.
const ( OutputImage OutputMode = "image" // container image (push to registry or load to daemon) OutputLocal OutputMode = "local" // extract files to local filesystem OutputTar OutputMode = "tar" // export as tarball )
type PackageInfo ¶ added in v0.3.2
type PackageInfo struct {
Name string // package name
Version string // version if known, empty otherwise
Pinned bool // true if version is explicitly pinned
Source string // broad category: "dockerfile", "dockerfile_arg", "base_image"
SourceRef string // narrow origin: the actual instruction or ARG declaration
Manager string // package manager name: "apk", "pip", "npm", "go", "galaxy", "binary", "base", "apt"
Confidence string // "inferred" for heuristic-derived items, empty for authoritative
URL string // download URL for binary installs
Stage string // stage name from "AS <name>", empty for unnamed stages
Final bool // true if this is from the last FROM stage (the shipped image)
}
PackageInfo represents a discovered package/dependency from Dockerfile analysis. This is the build package's internal model — manifest generation converts these to schema types. Keeps the build package reusable without circular coupling.
type ProvenanceBuilder ¶
type ProvenanceBuilder struct {
ID string `json:"id"`
}
ProvenanceBuilder identifies the build system.
type ProvenanceInvocation ¶
type ProvenanceInvocation struct {
ConfigSource map[string]any `json:"configSource,omitempty"`
Parameters map[string]any `json:"parameters,omitempty"`
Environment map[string]any `json:"environment,omitempty"`
}
ProvenanceInvocation captures the build parameters and environment.
type ProvenanceMaterial ¶
type ProvenanceMaterial struct {
URI string `json:"uri"`
Digest map[string]string `json:"digest,omitempty"`
}
ProvenanceMaterial represents an input to the build.
type ProvenanceMetadata ¶
type ProvenanceMetadata struct {
BuildStartedOn string `json:"buildStartedOn,omitempty"`
BuildFinishedOn string `json:"buildFinishedOn,omitempty"`
Completeness map[string]bool `json:"completeness,omitempty"`
Reproducible bool `json:"reproducible"`
}
ProvenanceMetadata captures timing and completeness.
type ProvenancePredicate ¶
type ProvenancePredicate struct {
BuildType string `json:"buildType"`
Builder ProvenanceBuilder `json:"builder"`
Invocation ProvenanceInvocation `json:"invocation"`
Metadata ProvenanceMetadata `json:"metadata"`
Materials []ProvenanceMaterial `json:"materials,omitempty"`
StageFreight map[string]any `json:"stagefreight,omitempty"`
}
ProvenancePredicate describes how it was built.
type ProvenanceStatement ¶
type ProvenanceStatement struct {
Type string `json:"_type"`
PredicateType string `json:"predicateType"`
Subject []ProvenanceSubject `json:"subject"`
Predicate ProvenancePredicate `json:"predicate"`
}
ProvenanceStatement follows the in-toto Statement v1 / SLSA Provenance v1 structure. Not full SLSA compliance, but a useful provenance document that can evolve into DSSE envelopes, cosign attestations, or OCI referrer artifacts.
type ProvenanceSubject ¶
type ProvenanceSubject struct {
Name string `json:"name"`
Digest map[string]string `json:"digest,omitempty"`
}
ProvenanceSubject identifies what was built.
type PublishManifest ¶
type PublishManifest struct {
Published []PublishedImage `json:"published"`
Timestamp string `json:"timestamp"` // RFC3339
}
PublishManifest records all images successfully pushed during a build.
func ReadPublishManifest ¶
func ReadPublishManifest(dir string) (*PublishManifest, error)
ReadPublishManifest reads and validates the publish manifest and its checksum.
type PublishedImage ¶
type PublishedImage struct {
Host string `json:"host"` // normalized registry host
Path string `json:"path"` // image path
Tag string `json:"tag"` // resolved tag
Provider string `json:"provider"` // canonical provider name
Ref string `json:"ref"` // full image ref (host/path:tag)
Digest string `json:"digest,omitempty"` // image digest (immutable truth)
CredentialRef string `json:"credential_ref,omitempty"` // non-secret env var prefix for OCI auth resolution
BuildInstance BuildInstance `json:"build_instance,omitempty"` // CI/build metadata
Registry string `json:"registry,omitempty"` // registry hostname
ObservedDigest string `json:"observed_digest,omitempty"` // what the registry returned post-push
ObservedDigestAlt string `json:"observed_digest_alt,omitempty"` // second observation via registry API
ObservedBy string `json:"observed_by,omitempty"` // primary observation method (e.g., "buildx")
ObservedByAlt string `json:"observed_by_alt,omitempty"` // alternate observation method (e.g., "registry_api")
ExpectedTags []string `json:"expected_tags,omitempty"` // all tags this digest was published under
ExpectedCommit string `json:"expected_commit,omitempty"` // commit this digest was built from
Attestation *AttestationRecord `json:"attestation,omitempty"` // signing/attestation record (nil = absent)
SigningAttempted bool `json:"signing_attempted,omitempty"` // true if signing was attempted but failed
}
PublishedImage records a single image that was successfully pushed.
type RegistryTarget ¶
type RegistryTarget struct {
URL string
Path string
Tags []string
Credentials string // env var prefix for auth (e.g., "DOCKERHUB" → DOCKERHUB_USER/DOCKERHUB_PASS)
Provider string // registry vendor: dockerhub, ghcr, gitlab, jfrog, harbor, quay, gitea, generic
Retention config.RetentionPolicy // restic-style retention policy
TagPatterns []string // original unresolved tag templates for pattern matching during retention
}
RegistryTarget is a resolved registry push destination.
type Stage ¶
type Stage struct {
Name string // alias from "AS name", empty if unnamed
BaseImage string // the FROM image reference
Line int // line number of the FROM instruction
}
Stage describes a single FROM stage in a Dockerfile.
type StepResult ¶
type StepResult struct {
Name string
Status string // "success", "failed", "cached"
Images []string // pushed image references
Artifacts []string // extracted file paths
Layers []LayerEvent // parsed build layer events (from --progress=plain)
Duration time.Duration
Error error
}
StepResult captures the outcome of a single build step.
type VerificationArtifact ¶
type VerificationArtifact struct {
Tag string // e.g. "stagefreight/crucible-verify:<run-id>"
}
VerificationArtifact encapsulates the extra --tag + --local added to pass 2 for post-build verification. Centralizes the concept so it isn't ad-hoc flag munging scattered across call sites.
func (VerificationArtifact) AppendFlags ¶
func (va VerificationArtifact) AppendFlags() []string
AppendFlags returns the flags needed to produce the verification artifact.
type VersionInfo ¶
type VersionInfo = gitver.VersionInfo
VersionInfo is an alias for backward compatibility.
Source Files
Directories