Documentation
¶
Index ¶
- func AssertNormalized(cfg *Config) error
- func DeepMerge(base, override map[string]any) map[string]any
- func ForgeLinkBase(provider, baseURL, projectID, branch string) (string, error)
- func ForgeRawBase(provider, baseURL, projectID, branch string) (string, error)
- func LoadWithReport(path string) (*Config, ConfigReport, error)
- func MatchCondition(c Condition) bool
- func MatchConditionWith(c Condition, tag, branch string) bool
- func MatchPatterns(patterns []string, value string) bool
- func MatchPatternsWithPolicy(patterns []string, value string, policyMap map[string]string) bool
- func MigrateToLatest(data []byte) ([]byte, error)
- func Normalize(cfg *Config) error
- func ParseDuration(s string) (time.Duration, error)
- func ParseForgeURL(rawURL string) (provider, baseURL, projectID string, err error)
- func ParseSize(s string) (int64, error)
- func PrimaryDefaultBranch(cfg *Config) string
- func PrimaryURL(cfg *Config) string
- func PrimaryWorktree(cfg *Config) string
- func ResolveLinkBase(cfg *Config) (string, error)
- func ResolvePatterns(patterns []string, patternMap map[string]string) []string
- func ResolvePublishOrigin(cfg *Config) (string, error)
- func Validate(cfg *Config) (warnings []string, err error)
- func ValidateIdentityGraph(forges []ForgeConfig, repos []RepoConfig, registries []RegistryConfig) []string
- func ValidatePreset(content []byte) (string, map[string]any, error)
- func ValidateTargetRegistryRefs(targets []TargetConfig, registries []RegistryConfig) []string
- type AgePruneRule
- type BadgeConfig
- type BadgeSpec
- type BadgesConfig
- type BranchBuildConfig
- type BranchesConfig
- type BreakingConfig
- type BuildCacheConfig
- type BuildCachePrunePolicy
- type BuildConfig
- type BuilderConfig
- type CIConfig
- type CacheConfig
- type ClusterConfig
- type CommitConfig
- type CommitPresentation
- type CommitType
- type CompiledPatterns
- type Condition
- type Config
- type ConfigReport
- type ContainerPrunePolicy
- type CrucibleConfig
- type DependencyCIConfig
- type DependencyCommitConfig
- type DependencyCommitPromotion
- type DependencyConfig
- type DependencyHandoff
- type DependencyMRConfig
- type DependencyScopeConfig
- type DetailRule
- type DockerDriftPolicy
- type DockerIaCConfig
- type DockerLifecycleConfig
- type DockerSecretsConfig
- type DockerTargetSelector
- type DockerTargetsConfig
- type DocsCommitConfig
- type DocsConfig
- type DocsGeneratorsConfig
- type ExposureRule
- type ExposureRules
- type ExternalCacheConfig
- type ExternalRetention
- type FilterConfig
- type ForgeConfig
- type GitOpsConfig
- type GlossaryConfig
- type GlossaryType
- type GovernanceCluster
- type GovernanceClusterGroup
- type GovernanceClusterTargets
- type GovernanceConfig
- type HostCleanupConfig
- type ImageProtection
- type ImagePrunePolicy
- type Level
- type LifecycleConfig
- type LintCacheConfig
- type LintConfig
- type LocalCacheConfig
- type LocalRetention
- type ManifestConfig
- type MatchersConfig
- type MergeEntry
- type MergeTrace
- type ModuleConfig
- type NarratorFile
- type NarratorItem
- type NarratorPlacement
- type NetworkPrunePolicy
- type NoLineageConfig
- type OIDCConfig
- type PhraseRewrite
- type PresentationConfig
- type PresetLoader
- type ProtectionPolicy
- type PrunePolicy
- type RegexRewrite
- type RegistryConfig
- type ReleaseConfig
- type ReleasePresentation
- type RenderConfig
- type RepoConfig
- type ResolvedRegistry
- type ResolvedRepo
- func ResolveAllMirrors(repos []RepoConfig, forges []ForgeConfig, vars map[string]string) ([]*ResolvedRepo, error)
- func ResolvePrimary(repos []RepoConfig, forges []ForgeConfig, vars map[string]string) (*ResolvedRepo, error)
- func ResolveRepo(repo RepoConfig, forges []ForgeConfig, vars map[string]string) (*ResolvedRepo, error)
- type RetentionPolicy
- type RewriteConfig
- type RoutingConfig
- type RoutingSpec
- type RunFromConfig
- type RunFromResult
- type ScannerCacheConfig
- type ScannersConfig
- type SectionState
- type SecurityCacheConfig
- type SecurityConfig
- type SummaryFilter
- type SyncConfig
- type TagConfig
- type TagDefaults
- type TagMessage
- type TagPresentation
- type TagSourceConfig
- type TargetCondition
- type TargetConfig
- type ToolPinConfig
- type ToolchainConfig
- type TrailerFilter
- type VersioningConfig
- type VolumeProtection
- type WatchRule
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AssertNormalized ¶ added in v0.5.0
AssertNormalized verifies no unresolved {var:} templates remain in the config. Hard failure — not a warning. If this fires, normalization has a bug.
func DeepMerge ¶ added in v0.6.0
DeepMerge merges two maps. Override (second arg) wins on conflict. Objects: deep merge. Scalars: override replaces. Lists: override replaces.
func ForgeLinkBase ¶ added in v0.5.0
ForgeLinkBase constructs a page-link (blob) base URL from forge fields. Used for resolving relative links (e.g., LICENSE → blob URL).
func ForgeRawBase ¶ added in v0.5.0
ForgeRawBase constructs a raw content base URL from forge mirror fields. Handles GitLab subgroup paths (group/subgroup/project) correctly. All inputs are normalized to prevent double-slash artifacts.
func LoadWithReport ¶ added in v0.6.0
func LoadWithReport(path string) (*Config, ConfigReport, error)
LoadWithReport loads config and returns a ConfigReport with real provenance. Calls LoadWithWarnings for config resolution, then ResolvePresets for section provenance.
func MatchCondition ¶
MatchCondition evaluates a Condition against the current CI environment. Returns true if all present fields match (AND logic). Empty condition = catch-all (always true).
func MatchConditionWith ¶
MatchConditionWith evaluates a Condition against explicit tag/branch values. Use this when you already have the values resolved (e.g., from git detection).
func MatchPatterns ¶
MatchPatterns evaluates a list of patterns against a value (OR logic). Any pattern matching means the value is allowed. Empty list = always allowed (no filter). Supports ! negation — a negated pattern excludes even if others include.
Evaluation: exclude patterns (!) are checked first. If any exclude matches, the value is rejected. Then include patterns are checked — if any matches, the value is allowed. If only exclude patterns exist and none matched, the value is allowed (exclude-only = allowlist by negation).
func MatchPatternsWithPolicy ¶
MatchPatternsWithPolicy resolves named patterns and evaluates them against a value. Convenience wrapper combining ResolvePatterns + MatchPatterns. (Name retained for backward compat with existing call sites.)
func MigrateToLatest ¶
MigrateToLatest takes raw YAML data and migrates it to the current schema version. Returns the migrated YAML bytes ready for writing.
Migration chain:
version 1 → current (no-op, already latest)
Future schema changes should add migration steps here (e.g., v1→v2). The old pre-version config was an unversioned alpha that never earned a schema number — it is not convertible and is not supported by this migration path.
func Normalize ¶ added in v0.5.0
Normalize resolves all {var:...} templates throughout the entire config. Walks every string in the config graph recursively — structs, maps, slices, interfaces. No field enumeration. No partial coverage.
Called once after load+validate, before any consumer reads the config.
func ParseDuration ¶ added in v0.5.0
ParseDuration parses a human duration like "7d", "72h", "30m". Extends time.ParseDuration with "d" (days) support.
func ParseForgeURL ¶ added in v0.5.0
ParseForgeURL detects forge provider from a full repository URL, extracts base URL and project ID. Examples:
"https://github.com/PrPlanIT/StageFreight" → github, "https://github.com", "PrPlanIT/StageFreight" "https://gitlab.prplanit.com/SoFMeRight/dungeon" → gitlab, "https://gitlab.prplanit.com", "SoFMeRight/dungeon"
func ParseSize ¶ added in v0.5.0
ParseSize parses a human size like "15GB", "500MB", "100KB". Uses binary units (1 GB = 1024³ bytes).
func PrimaryDefaultBranch ¶ added in v0.6.0
PrimaryDefaultBranch returns the default branch of the primary repo.
func PrimaryURL ¶ added in v0.6.0
PrimaryURL returns the full URL of the primary repo, or empty string. Thin wrapper over ResolvePrimary for call sites that only need the URL.
func PrimaryWorktree ¶ added in v0.6.0
PrimaryWorktree returns the worktree path of the primary repo, or ".".
func ResolveLinkBase ¶ added in v0.5.0
ResolveLinkBase resolves the page-link (blob) base URL for relative links. Uses the repo with publish-origin role, falling back to primary.
func ResolvePatterns ¶
ResolvePatterns resolves named tokens in a pattern list to their regex values from the provided name→regex map (e.g. matchers.branches or a flattened tag_sources map). Direct regex patterns pass through unchanged. Negation prefix (!) is preserved.
func ResolvePublishOrigin ¶ added in v0.5.0
ResolvePublishOrigin resolves the serving base URL for rendered artifacts. Uses the repo with publish-origin role, falling back to primary.
func Validate ¶
Validate checks structural invariants of a loaded v2 Config. Returns warnings (soft issues) and a hard error if the config is invalid.
func ValidateIdentityGraph ¶ added in v0.6.0
func ValidateIdentityGraph(forges []ForgeConfig, repos []RepoConfig, registries []RegistryConfig) []string
ValidateIdentityGraph checks structural invariants of forges, repos, and registries. Returns all errors found (not just the first).
func ValidatePreset ¶ added in v0.6.0
ValidatePreset checks that a preset file declares exactly one top-level key.
func ValidateTargetRegistryRefs ¶ added in v0.6.0
func ValidateTargetRegistryRefs(targets []TargetConfig, registries []RegistryConfig) []string
ValidateTargetRegistryRefs checks that targets with registry: reference existing registries, and that registry + inline fields don't conflict.
Types ¶
type AgePruneRule ¶ added in v0.5.0
type AgePruneRule struct {
OlderThan string `yaml:"older_than,omitempty"` // e.g. "72h"
}
AgePruneRule is a simple age-based prune rule.
type BadgeConfig ¶ added in v0.5.0
type BadgeConfig struct {
ID string `yaml:"id"` // stable user-defined ID for narrator reference
Text string `yaml:"text"` // left side label
Value string `yaml:"value"` // right side value (templates: {env:*}, {sha}, {base}, etc.)
Color string `yaml:"color"` // hex color or "auto"
Output string `yaml:"output"` // SVG output path (required)
Link string `yaml:"link,omitempty"` // clickable URL
Font string `yaml:"font,omitempty"` // font name override
FontSize int `yaml:"font_size,omitempty"` // font size override
}
BadgeConfig is the user-facing badge definition in .stagefreight.yml. Badge system owns this — narrator references badges by ID via badge_ref.
func (BadgeConfig) ToBadgeSpec ¶ added in v0.5.0
func (b BadgeConfig) ToBadgeSpec() BadgeSpec
ToBadgeSpec converts config to the internal badge engine model.
type BadgeSpec ¶
type BadgeSpec struct {
Label string // left side text (badge name / alt text)
Value string // right side text (supports templates)
Color string // hex color or "auto"
Output string // SVG file output path
Font string // built-in font name override
FontSize float64 // font size override
FontFile string // custom font file override
}
BadgeSpec is the reusable internal badge specification. Consumed by badge engine, CLI ad-hoc mode, release badge, and docker build badge. No YAML tags — this is an internal model, not a config surface.
type BadgesConfig ¶ added in v0.5.0
type BadgesConfig struct {
Preset string `yaml:"preset,omitempty"`
Items []BadgeConfig `yaml:"items"`
}
BadgesConfig is the top-level badges configuration. Badge system owns definitions; narrator references them via badge_ref. Artifact serving URL derived from publish-origin repo role.
type BranchBuildConfig ¶ added in v0.6.0
type BranchBuildConfig struct {
// ID is the unique identifier. "default" is the catch-all entry and must
// appear last in the BranchBuilds slice.
ID string `yaml:"id"`
// Match references a declared branch matcher name. Required for named
// branch_builds entries. The "default" entry rejects Match — it catches
// any branch that did not match a named entry.
Match string `yaml:"match,omitempty"`
// BaseFrom is the ordered fallback chain of tag_sources ids. The runtime
// walks this list in order; for each source id, it scans tags for a match
// and returns the first hit. Fallback advances only when a source yields
// zero matches.
//
// Reads as "look in prerelease first; if nothing, look in stable":
// base_from: [prerelease, stable]
//
// It does NOT mean "prerelease beats stable by priority" — ordering is a
// declared search path, not a ranking.
BaseFrom []string `yaml:"base_from"`
// Format is the version template for non-release commits.
// Supported placeholders: {base}, {sha}, {branch}
// e.g., "{base}-dev+{sha}"
Format string `yaml:"format"`
}
BranchBuildConfig defines how dev versions are formatted for a branch.
type BranchesConfig ¶ added in v0.6.0
type BranchesConfig struct {
// Default is the default branch name (e.g., "main"). Required for primary.
Default string `yaml:"default,omitempty"`
}
BranchesConfig declares branch identity for a repo. Currently carries only Default; reserved for future additions like protected branches, release branches, etc. — those stay on the repo because they're topology, not versioning or promotion.
type BreakingConfig ¶ added in v0.5.0
type BreakingConfig struct {
Aliases []string `yaml:"aliases,omitempty"` // e.g., [b, break, bc]
BangSuffix bool `yaml:"bang_suffix"` // feat! syntax
ForceHighlight bool `yaml:"force_highlight"`
PriorityBoost int `yaml:"priority_boost"`
}
BreakingConfig defines how breaking changes are detected and presented.
type BuildCacheConfig ¶ added in v0.5.0
type BuildCacheConfig struct {
Preset string `yaml:"preset,omitempty"`
// Mode selects which cache planes are active.
// "": inactive — no cache flags emitted, no cleanup runs.
// off: explicitly disabled.
// local: bounded local buildkit cache only.
// shared: registry-backed external cache only.
// hybrid: both local and external.
Mode string `yaml:"mode,omitempty"`
// Builder configures the buildx builder lifecycle.
// The engine owns creation, bootstrap, and narration — skeleton is transport only.
Builder BuilderConfig `yaml:"builder,omitempty"`
// Local configures the bounded local buildkit cache.
Local LocalCacheConfig `yaml:"local,omitempty"`
// External configures registry-backed shared cache.
External ExternalCacheConfig `yaml:"external,omitempty"`
// Cleanup configures host hygiene — residue pruning, not cache.
// Only executes when Mode is active (not empty, not off).
Cleanup HostCleanupConfig `yaml:"cleanup,omitempty"`
}
BuildCacheConfig defines the three-layer build cache subsystem. Mode selects the active planes. Advanced config underneath only when needed.
func DefaultBuildCacheConfig ¶ added in v0.5.0
func DefaultBuildCacheConfig() BuildCacheConfig
DefaultBuildCacheConfig returns baseline defaults. Mode is empty (inactive) — cleanup and cache only execute when mode is explicitly set. Governance presets should override enforcement and thresholds per runner class.
func (BuildCacheConfig) IsActive ¶ added in v0.5.0
func (c BuildCacheConfig) IsActive() bool
IsActive returns true if any cache mode is enabled.
type BuildCachePrunePolicy ¶ added in v0.5.0
type BuildCachePrunePolicy struct {
OlderThan string `yaml:"older_than,omitempty"` // e.g. "72h"
KeepStorage string `yaml:"keep_storage,omitempty"` // e.g. "20GB"
}
BuildCachePrunePolicy defines build cache pruning rules.
type BuildConfig ¶
type BuildConfig struct {
// ID is the unique identifier for this build, referenced by targets.
ID string `yaml:"id"`
// Kind is the build type. Determines which fields are valid.
// Supported: "docker", "binary".
Kind string `yaml:"kind"`
// SelectTags enables CLI filtering via --select.
SelectTags []string `yaml:"select_tags,omitempty"`
// Required means build failure is a hard pipeline fail. Default: true.
Required *bool `yaml:"required,omitempty"`
// BuildMode controls the build execution strategy.
// Supported: "" (standard), "crucible" (self-proving rebuild).
BuildMode string `yaml:"build_mode,omitempty"`
// DependsOn references another build ID that must complete before this one.
// Enables build ordering: binary builds before docker builds that consume them.
DependsOn string `yaml:"depends_on,omitempty"`
// Dockerfile is the path to the Dockerfile. Default: auto-detect.
Dockerfile string `yaml:"dockerfile,omitempty"`
// Context is the Docker build context path. Default: "." (repo root).
Context string `yaml:"context,omitempty"`
// Target is the --target stage name for multi-stage builds.
Target string `yaml:"target,omitempty"`
// Platforms lists the target platforms. Default: [linux/{current_arch}].
Platforms []string `yaml:"platforms,omitempty"`
// BuildArgs are key-value pairs passed as --build-arg. Supports templates.
BuildArgs map[string]string `yaml:"build_args,omitempty"`
// Cache holds build cache settings.
Cache CacheConfig `yaml:"cache,omitempty"`
// Builder is the toolchain that interprets the build.
// Supported: "go". Future: "rust", "zig", "cargo".
Builder string `yaml:"builder,omitempty"`
// Command is the builder subcommand. e.g., "build" for "go build".
// Default: "build".
Command string `yaml:"command,omitempty"`
// From is the source/input root or entry point.
// e.g., "./src/cli" (Go package), "./src/main.rs" (Rust).
From string `yaml:"from,omitempty"`
// Output is the artifact name. Windows platforms auto-append ".exe".
// Default: basename of From.
Output string `yaml:"output,omitempty"`
// Args are ordered raw arguments passed directly to the selected builder.
// For Go: raw args to "go build". For Rust: raw args to "cargo build".
// Supports template variables: {version}, {sha}, {sha:N}, {date}.
Args []string `yaml:"args,omitempty"`
// Env are build environment variables. e.g., {"CGO_ENABLED": "0"}
Env map[string]string `yaml:"env,omitempty"`
// Compress enables UPX compression on the output binary. Default: false.
Compress bool `yaml:"compress,omitempty"`
// Crucible holds crucible-specific configuration for binary builds.
Crucible *CrucibleConfig `yaml:"crucible,omitempty"`
}
BuildConfig defines a named build artifact. Each build has a unique ID (referenced by targets) and a kind that determines which fields are valid.
This is a discriminated union keyed by Kind — only fields relevant to the kind should be set. Validated at load time by v2 validation.
func (BuildConfig) BuilderCommand ¶ added in v0.4.0
func (b BuildConfig) BuilderCommand() string
BuilderCommand returns the builder command, defaulting to "build".
func (BuildConfig) IsRequired ¶ added in v0.5.0
func (b BuildConfig) IsRequired() bool
IsRequired returns whether build failure is a hard pipeline fail. Default: true.
func (BuildConfig) OutputName ¶ added in v0.4.0
func (b BuildConfig) OutputName() string
OutputName returns the output artifact name, defaulting to basename of From.
type BuilderConfig ¶ added in v0.5.0
type BuilderConfig struct {
// Backend pins the build backend. Default: "" (auto-detect).
// "buildkitd" → prefer persistent buildkitd, fail if unavailable.
// "dind" → use DinD only, ignore buildkitd even if available.
// "" → auto-detect: prefer buildkitd if available, fall back to DinD.
Backend string `yaml:"backend,omitempty"`
// Name is the buildx builder name. Default: "sf-builder".
Name string `yaml:"name,omitempty"`
// Driver is the buildx driver. Default: "docker-container".
Driver string `yaml:"driver,omitempty"`
// Context is the Docker context name for the builder endpoint. Default: "sf-context".
Context string `yaml:"context,omitempty"`
}
BuilderConfig declares the buildx builder identity. The engine creates/bootstraps/narrates — this is just the declaration.
func (BuilderConfig) BuilderDriver ¶ added in v0.5.0
func (b BuilderConfig) BuilderDriver() string
BuilderDriver returns the driver, defaulting to "docker-container".
func (BuilderConfig) BuilderName ¶ added in v0.5.0
func (b BuilderConfig) BuilderName() string
BuilderName returns the builder name, defaulting to "sf-builder".
func (BuilderConfig) ContextName ¶ added in v0.5.0
func (b BuilderConfig) ContextName() string
ContextName returns the Docker context name, defaulting to "sf-context".
type CIConfig ¶ added in v0.6.0
type CIConfig struct {
// Image is the container image for all pipeline jobs.
// Required — render refuses to emit without it.
Image string `yaml:"image"`
// Routing declares per-phase runner placement requirements.
// The renderer lowers labels to forge-native primitives
// (GitLab: tags, GitHub/Gitea/Forgejo: runs-on).
Routing RoutingConfig `yaml:"routing,omitempty"`
}
CIConfig holds all pipeline-related configuration consumed by stagefreight ci render. One block, one concern.
type CacheConfig ¶
CacheConfig holds build cache settings.
type ClusterConfig ¶ added in v0.5.0
type ClusterConfig struct {
Name string `yaml:"name"`
Server string `yaml:"server"`
Exposure ExposureRules `yaml:"exposure"`
}
ClusterConfig identifies a Kubernetes cluster and how to connect to it. CA trust is resolved from environment variables at runtime:
- <NAME>_CA_FILE: path to CA certificate file
- <NAME>_CA_B64: base64-encoded CA certificate PEM
Name is uppercased with hyphens replaced by underscores for the env prefix.
type CommitConfig ¶
type CommitConfig struct {
Preset string `yaml:"preset,omitempty"`
DefaultType string `yaml:"default_type,omitempty"`
DefaultScope string `yaml:"default_scope,omitempty"`
SkipCI bool `yaml:"skip_ci,omitempty"`
Push bool `yaml:"push,omitempty"`
Conventional bool `yaml:"conventional"`
Backend string `yaml:"backend,omitempty"`
Types []CommitType `yaml:"types,omitempty"`
}
CommitConfig holds configuration for the commit subsystem.
func DefaultCommitConfig ¶
func DefaultCommitConfig() CommitConfig
DefaultCommitConfig returns sensible defaults for commit configuration.
type CommitPresentation ¶ added in v0.5.0
type CommitPresentation struct {
PreserveRawSubject bool `yaml:"preserve_raw_subject"`
EnforceConventional bool `yaml:"enforce_conventional"`
}
CommitPresentation controls commit authoring behavior. Authoring-oriented: alias expansion and validation, NOT release-style uplift.
type CommitType ¶
type CommitType struct {
Key string `yaml:"key"`
Label string `yaml:"label"`
AliasFor string `yaml:"alias_for,omitempty"`
ForceBang bool `yaml:"force_bang,omitempty"`
}
CommitType defines a recognized commit type for conventional commits.
type CompiledPatterns ¶
CompiledPatterns holds pre-compiled include and exclude regex patterns. Avoids repeated regex compilation during planning and matching.
func CompilePatterns ¶
func CompilePatterns(patterns []string, policyMap map[string]string) (*CompiledPatterns, error)
CompilePatterns resolves pattern tokens against a policy map and compiles them into include/exclude regex groups. Discards warnings.
func CompilePatternsWithWarnings ¶
func CompilePatternsWithWarnings(patterns []string, policyMap map[string]string) (*CompiledPatterns, []string, error)
CompilePatternsWithWarnings resolves pattern tokens against a policy map, compiles them into include/exclude regex groups, and returns any warnings (e.g., typo detection for unknown policy names).
func (*CompiledPatterns) Match ¶
func (cp *CompiledPatterns) Match(value string) bool
Match evaluates the compiled patterns against a value. Exclude-first semantics: if any exclude matches, rejected. Empty include list with no excludes = pass (no constraints). Empty include list with only excludes = everything not excluded passes.
type Condition ¶
type Condition struct {
// Tag is a pattern matched against the git tag (CI_COMMIT_TAG).
// Only evaluated when a tag is present. Prefix with ! to negate.
Tag string `yaml:"tag,omitempty"`
// Branch is a pattern matched against the git branch (CI_COMMIT_BRANCH).
// Prefix with ! to negate.
Branch string `yaml:"branch,omitempty"`
}
Condition is the universal conditional rule primitive used across StageFreight. Every feature that has tag/branch-sensitive behavior uses this same structure.
Pattern syntax (applies to Tag, Branch, and any future filter fields):
"^main$" — regex match (default) "!^feature/.*" — negated regex (! prefix) "main" — literal match (no regex metacharacters) "!develop" — negated literal
Matching logic:
- Tag: tested against CI_COMMIT_TAG / git tag. Only evaluated when a tag is present.
- Branch: tested against CI_COMMIT_BRANCH / git branch.
- Multiple fields set: AND — all present fields must match.
- No fields set: catch-all (always matches).
Rules are always evaluated top-down, first match wins. CLI overrides take precedence.
type Config ¶
type Config struct {
// Version must be 1. The pre-version config was an unversioned alpha
// that never earned a schema number — this is the first stable schema.
Version int `yaml:"version"`
// Vars is a user-defined template variable dictionary.
// Referenced as {var:name} anywhere templates are resolved.
Vars map[string]string `yaml:"vars,omitempty"`
// Defaults is inert YAML anchor storage. StageFreight ignores this
// section entirely — it exists for users to define &anchors.
Defaults yaml.Node `yaml:"defaults,omitempty"`
// Forges declares git hosts. Each entry is a host identity (provider, URL, credentials).
Forges []ForgeConfig `yaml:"forges,omitempty"`
// Repos declares projects on forges. References forges by id. Has role (primary/mirror).
Repos []RepoConfig `yaml:"repos,omitempty"`
// Registries declares OCI registry hosts. Referenced by targets.
Registries []RegistryConfig `yaml:"registries,omitempty"`
// Versioning controls how version identity is derived from git state.
Versioning VersioningConfig `yaml:"versioning"`
// Matchers defines reusable named patterns for branches (and future
// dimensions). Pattern definitions only — no behavior. Referenced by
// branch_builds[].match and target.when.branches.
Matchers MatchersConfig `yaml:"matchers"`
// Builds defines named build artifacts.
Builds []BuildConfig `yaml:"builds"`
// Targets defines distribution targets and side-effects.
Targets []TargetConfig `yaml:"targets"`
// Badges defines badge artifact generation (SVGs).
// Badge system owns definitions; narrator references them via badge_ref.
// Artifact serving URL derived from publish-origin repo role.
Badges BadgesConfig `yaml:"badges"`
// Narrator defines content composition for file targets.
Narrator []NarratorFile `yaml:"narrator"`
// Lint holds lint-specific configuration (unchanged from v1).
Lint LintConfig `yaml:"lint"`
// Security holds security scanning configuration (unchanged from v1).
Security SecurityConfig `yaml:"security"`
// Commit holds configuration for the commit subsystem.
Commit CommitConfig `yaml:"commit"`
// Dependency holds configuration for the dependency update subsystem.
Dependency DependencyConfig `yaml:"dependency"`
// Docs holds configuration for the docs generation subsystem.
Docs DocsConfig `yaml:"docs"`
// Manifest holds configuration for the manifest subsystem.
Manifest ManifestConfig `yaml:"manifest"`
// Release holds configuration for the release subsystem.
Release ReleaseConfig `yaml:"release"`
// CI holds all pipeline-related configuration consumed by ci render.
CI CIConfig `yaml:"ci"`
// Lifecycle defines the repository lifecycle mode (image, gitops, governance).
Lifecycle LifecycleConfig `yaml:"lifecycle"`
// Governance defines configuration for the governance lifecycle mode.
// Only valid in the control repo (lifecycle.mode: governance).
Governance GovernanceConfig `yaml:"governance"`
// GitOps defines configuration for the gitops lifecycle mode.
GitOps GitOpsConfig `yaml:"gitops"`
// Docker defines configuration for the docker lifecycle mode.
Docker DockerLifecycleConfig `yaml:"docker"`
// BuildCache defines the build cache subsystem (local, shared, hybrid).
BuildCache BuildCacheConfig `yaml:"build_cache"`
// Glossary defines the repo's shared change-language model.
// Consumed by commit authoring, tag planning, and release rendering.
Glossary GlossaryConfig `yaml:"glossary"`
// Presentation defines surface-specific rendering policies.
Presentation PresentationConfig `yaml:"presentation"`
// Tag holds workflow defaults for the tag planner.
Tag TagConfig `yaml:"tag"`
// Toolchains defines operator control over external tool resolution.
// Version pins, future retention policy, future trust settings.
Toolchains ToolchainConfig `yaml:"toolchains,omitempty"`
}
Config is the top-level StageFreight v2 configuration.
type ConfigReport ¶ added in v0.6.0
type ConfigReport struct {
SourceFile string `json:"source_file"`
Presets []string `json:"presets,omitempty"`
Overrides int `json:"overrides,omitempty"`
Sections []SectionState `json:"sections,omitempty"`
VarsApplied int `json:"vars_applied,omitempty"`
Warnings []string `json:"warnings,omitempty"`
Status string `json:"status"` // "ok" | "partial" | "error"
Completeness string `json:"completeness"` // "complete" | "partial"
Error string `json:"error,omitempty"`
}
ConfigReport is the result of loading and resolving configuration. Surfaces the "Explain" layer of the resolution pipeline.
type ContainerPrunePolicy ¶ added in v0.5.0
type ContainerPrunePolicy struct {
Exited AgePruneRule `yaml:"exited,omitempty"`
}
ContainerPrunePolicy defines container pruning rules.
type CrucibleConfig ¶ added in v0.4.0
type CrucibleConfig struct {
// ToolchainImage is the pinned container image for pass-2 verification.
// e.g., "docker.io/library/golang:1.24-alpine"
ToolchainImage string `yaml:"toolchain_image,omitempty"`
}
CrucibleConfig holds crucible-specific build configuration.
type DependencyCIConfig ¶
type DependencyCIConfig struct {
Handoff DependencyHandoff `yaml:"handoff"` // default: continue
}
DependencyCIConfig controls CI-level behavior when deps creates a commit.
type DependencyCommitConfig ¶
type DependencyCommitConfig struct {
Enabled bool `yaml:"enabled"`
Type string `yaml:"type"`
Message string `yaml:"message"`
Push bool `yaml:"push"`
SkipCI bool `yaml:"skip_ci"`
Promotion DependencyCommitPromotion `yaml:"promotion"` // "direct" or "mr"
MR DependencyMRConfig `yaml:"mr"`
RunFrom RunFromConfig `yaml:"run_from,omitempty"` // gate mutation to declared origin
}
DependencyCommitConfig controls auto-commit behavior for dependency updates.
type DependencyCommitPromotion ¶ added in v0.4.0
type DependencyCommitPromotion string
DependencyCommitPromotion controls how dependency commits reach the target branch.
const ( PromotionDirect DependencyCommitPromotion = "direct" // push to current branch (existing behavior) PromotionMR DependencyCommitPromotion = "mr" // push to unique bot branch, open merge request )
type DependencyConfig ¶
type DependencyConfig struct {
Preset string `yaml:"preset,omitempty"`
Enabled bool `yaml:"enabled"`
Output string `yaml:"output"`
Scope DependencyScopeConfig `yaml:"scope"`
Commit DependencyCommitConfig `yaml:"commit"`
CI DependencyCIConfig `yaml:"ci"`
}
DependencyConfig holds configuration for the dependency update subsystem.
func DefaultDependencyConfig ¶
func DefaultDependencyConfig() DependencyConfig
DefaultDependencyConfig returns sensible defaults for dependency management.
type DependencyHandoff ¶
type DependencyHandoff string
DependencyHandoff controls what happens when dependency repair creates a new commit.
- "continue" — advisory only, current pipeline continues regardless
- "restart_pipeline" — request pipeline rerun on repaired revision; downstream shipping stops
- "fail" — fail hard if repair was needed but couldn't be handed off
const ( HandoffContinue DependencyHandoff = "continue" HandoffRestartPipeline DependencyHandoff = "restart_pipeline" HandoffFail DependencyHandoff = "fail" )
type DependencyMRConfig ¶ added in v0.4.0
type DependencyMRConfig struct {
BranchPrefix string `yaml:"branch_prefix"` // default: "stagefreight/deps"
TargetBranch string `yaml:"target_branch"` // default: "" (CI default branch)
}
DependencyMRConfig controls merge request creation for promotion: mr.
type DependencyScopeConfig ¶
type DependencyScopeConfig struct {
GoModules bool `yaml:"go_modules"`
DockerfileEnv bool `yaml:"dockerfile_env"` // umbrella for docker-image + github-release
}
DependencyScopeConfig controls which dependency ecosystems are managed.
func (DependencyScopeConfig) ScopeToEcosystems ¶
func (s DependencyScopeConfig) ScopeToEcosystems() []string
ScopeToEcosystems converts scope booleans to ecosystem filter strings compatible with dependency.UpdateConfig.Ecosystems. Returns nil (all ecosystems) if all scopes are enabled.
type DetailRule ¶
type DetailRule struct {
Condition `yaml:",inline"`
// Detail is the detail level to use when this rule matches.
// Values: "none", "counts", "detailed", "full".
Detail string `yaml:"detail"`
}
DetailRule is a conditional override for security detail level in release notes. Embeds Condition for standard tag/branch pattern matching.
type DockerDriftPolicy ¶ added in v0.5.0
type DockerDriftPolicy struct {
Tier2Action string `yaml:"tier2_action"` // report | reconcile (default: report)
OrphanAction string `yaml:"orphan_action"` // report | down | prune (default: report)
OrphanThreshold int `yaml:"orphan_threshold"` // block if more than N orphans (default: 5)
PruneRequiresConfirmation bool `yaml:"prune_requires_confirmation"` // require --force for prune (default: true)
}
DockerDriftPolicy configures drift detection behavior.
type DockerIaCConfig ¶ added in v0.5.0
type DockerIaCConfig struct {
// Path is the IaC directory relative to repo root (default: "docker-compose").
Path string `yaml:"path"`
}
DockerIaCConfig defines the IaC directory layout.
type DockerLifecycleConfig ¶ added in v0.5.0
type DockerLifecycleConfig struct {
Preset string `yaml:"preset,omitempty"`
// Backend selects the Docker execution engine (e.g. "compose").
Backend string `yaml:"backend"`
// Targets defines how reconciliation targets are resolved.
Targets DockerTargetsConfig `yaml:"targets"`
// IaC defines the Infrastructure as Code directory layout.
IaC DockerIaCConfig `yaml:"iac"`
// Secrets defines the secrets decryption provider.
Secrets DockerSecretsConfig `yaml:"secrets"`
// Drift defines drift detection and reconciliation policy.
Drift DockerDriftPolicy `yaml:"drift"`
}
DockerLifecycleConfig defines configuration for the docker lifecycle mode. This is Docker lifecycle orchestration, not docker-compose wrapping.
func DefaultDockerLifecycleConfig ¶ added in v0.5.0
func DefaultDockerLifecycleConfig() DockerLifecycleConfig
DefaultDockerLifecycleConfig returns sensible defaults.
type DockerSecretsConfig ¶ added in v0.5.0
type DockerSecretsConfig struct {
// Provider selects the secrets backend (e.g. "sops", "vault", "infisical").
Provider string `yaml:"provider"`
}
DockerSecretsConfig defines the secrets provider.
type DockerTargetSelector ¶ added in v0.5.0
type DockerTargetSelector struct {
Groups []string `yaml:"groups"`
}
DockerTargetSelector declares eligibility via existing inventory groups. Group-based initially. Richer selectors deferred until groups become insufficient.
type DockerTargetsConfig ¶ added in v0.5.0
type DockerTargetsConfig struct {
// Source is the inventory adapter (e.g. "ansible").
Source string `yaml:"source"`
// Inventory is the path to the inventory file (relative to repo root).
Inventory string `yaml:"inventory"`
// Selector declares which hosts from inventory are eligible.
Selector DockerTargetSelector `yaml:"selector"`
}
DockerTargetsConfig defines target resolution for Docker reconciliation.
type DocsCommitConfig ¶
type DocsCommitConfig struct {
Enabled bool `yaml:"enabled"`
Type string `yaml:"type"`
Message string `yaml:"message"`
Add []string `yaml:"add"`
Push bool `yaml:"push"`
SkipCI bool `yaml:"skip_ci"`
RunFrom RunFromConfig `yaml:"run_from,omitempty"` // gate mutation to declared origin
}
DocsCommitConfig controls auto-commit behavior for generated docs.
type DocsConfig ¶
type DocsConfig struct {
Preset string `yaml:"preset,omitempty"`
Enabled bool `yaml:"enabled"`
Generators DocsGeneratorsConfig `yaml:"generators"`
Commit DocsCommitConfig `yaml:"commit"`
}
DocsConfig holds configuration for the docs generation subsystem.
func DefaultDocsConfig ¶
func DefaultDocsConfig() DocsConfig
DefaultDocsConfig returns sensible defaults for docs generation.
type DocsGeneratorsConfig ¶
type DocsGeneratorsConfig struct {
Badges bool `yaml:"badges"`
ReferenceDocs bool `yaml:"reference_docs"`
Narrator bool `yaml:"narrator"`
DockerReadme bool `yaml:"docker_readme"`
}
DocsGeneratorsConfig controls which documentation generators are enabled.
type ExposureRule ¶ added in v0.5.0
type ExposureRule struct {
Level string `yaml:"level"` // internet | intranet | cluster
Endpoints []string `yaml:"endpoints"` // ip:port (highest precedence)
Gateways []string `yaml:"gateways"`
CIDRs []string `yaml:"cidrs"`
Ports []int `yaml:"ports"` // AND with CIDRs (empty = any port)
ServiceTypes []string `yaml:"service_types"` // ClusterIP | NodePort | LoadBalancer
}
ExposureRule classifies endpoints into exposure levels. Match fields are AND within a rule (CIDR AND port if both specified).
type ExposureRules ¶ added in v0.5.0
type ExposureRules struct {
Rules []ExposureRule `yaml:"rules"`
}
ExposureRules defines rule-based endpoint exposure classification. Rules are evaluated by precedence: endpoint > gateway > CIDR > service type. Conflicting equal-precedence rules → unknown. Never first-match-wins.
type ExternalCacheConfig ¶ added in v0.5.0
type ExternalCacheConfig struct {
// Target references a targets[].id with kind: registry.
Target string `yaml:"target,omitempty"`
// Path is appended to the target URL: <target-url>/<path>/<repo>/<branch>.
Path string `yaml:"path,omitempty"`
// Fallback is the read-only fallback branch ref (e.g. "default", "main").
// Never written to unless current ref equals fallback.
Fallback string `yaml:"fallback,omitempty"`
// Mode is the BuildKit cache mode (e.g. "max", "min"). Default: "max".
Mode string `yaml:"mode,omitempty"`
// Retention defines when stale external cache refs are pruned.
Retention ExternalRetention `yaml:"retention,omitempty"`
}
ExternalCacheConfig defines registry-backed shared cache. References an existing target (kind: registry) by ID — no redeclaring registries.
type ExternalRetention ¶ added in v0.5.0
type ExternalRetention struct {
MaxRefs int `yaml:"max_refs,omitempty"` // max branch cache refs per repo
StaleAge string `yaml:"stale_age,omitempty"` // prune refs for dead/merged branches
}
ExternalRetention defines external cache ref lifecycle.
type FilterConfig ¶ added in v0.5.0
type FilterConfig struct {
Summary SummaryFilter `yaml:"summary"`
Trailers TrailerFilter `yaml:"trailers"`
NormalizeWhitespace bool `yaml:"normalize_whitespace"`
}
FilterConfig defines sanitization rules for change summaries.
type ForgeConfig ¶ added in v0.6.0
type ForgeConfig struct {
ID string `yaml:"id"` // unique identifier (e.g., "prplanit-gitlab")
Provider string `yaml:"provider"` // gitlab, github, gitea
URL string `yaml:"url"` // base URL (e.g., "https://gitlab.prplanit.com")
Credentials string `yaml:"credentials,omitempty"` // env var prefix for token resolution
}
ForgeConfig declares a git host. Declared once, referenced by repos. A forge is an identity — provider type, base URL, credentials.
func FindForgeByID ¶ added in v0.6.0
func FindForgeByID(forges []ForgeConfig, id string) *ForgeConfig
FindForgeByID returns the forge with the given id, or nil.
type GitOpsConfig ¶ added in v0.5.0
type GitOpsConfig struct {
Preset string `yaml:"preset,omitempty"`
// Backend selects the GitOps reconciliation backend (e.g. "flux", "argo").
Backend string `yaml:"backend"`
// Cluster defines the target Kubernetes cluster.
Cluster ClusterConfig `yaml:"cluster"`
// OIDC defines authentication configuration for the cluster.
OIDC OIDCConfig `yaml:"oidc"`
}
GitOpsConfig defines configuration for the gitops lifecycle mode.
func DefaultGitOpsConfig ¶ added in v0.5.0
func DefaultGitOpsConfig() GitOpsConfig
DefaultGitOpsConfig returns sensible defaults for gitops configuration.
type GlossaryConfig ¶ added in v0.5.0
type GlossaryConfig struct {
Preset string `yaml:"preset,omitempty"`
Types map[string]GlossaryType `yaml:"types"`
Breaking BreakingConfig `yaml:"breaking"`
Filters FilterConfig `yaml:"filters"`
Rewrites RewriteConfig `yaml:"rewrites"`
Render RenderConfig `yaml:"render"`
}
GlossaryConfig defines the repo's shared change-language model. Consumed by commit authoring, tag planning, and release rendering.
func DefaultGlossaryConfig ¶ added in v0.5.0
func DefaultGlossaryConfig() GlossaryConfig
DefaultGlossaryConfig returns sensible defaults for the glossary.
type GlossaryType ¶ added in v0.5.0
type GlossaryType struct {
Aliases []string `yaml:"aliases,omitempty"`
CanonicalAs string `yaml:"canonical_as,omitempty"` // normalize to this type (e.g., deps → chore)
Priority int `yaml:"priority"`
ReleaseVisible bool `yaml:"release_visible"`
}
GlossaryType defines a single change type's semantics.
type GovernanceCluster ¶ added in v0.5.0
type GovernanceCluster struct {
ID string `yaml:"id"`
Targets GovernanceClusterTargets `yaml:"targets"`
StageFreight map[string]any `yaml:"stagefreight"`
}
GovernanceCluster assigns lifecycle doctrine to a group of repos.
type GovernanceClusterGroup ¶ added in v0.5.0
type GovernanceClusterGroup struct {
ID string `yaml:"id,omitempty"`
Repos []string `yaml:"repos"`
}
GovernanceClusterGroup is a cohort of repos on the same forge.
type GovernanceClusterTargets ¶ added in v0.5.0
type GovernanceClusterTargets struct {
Repos []string `yaml:"repos,omitempty"`
Groups []GovernanceClusterGroup `yaml:"groups,omitempty"`
Credentials string `yaml:"credentials,omitempty"` // env var prefix for forge auth
}
GovernanceClusterTargets identifies which repos belong to this cluster. Supports flat repos list and/or grouped targets with per-group forge identity.
type GovernanceConfig ¶ added in v0.5.0
type GovernanceConfig struct {
Clusters []GovernanceCluster `yaml:"clusters"`
}
GovernanceConfig declares governance clusters for the control repo. Only valid when lifecycle.mode is "governance". Assets (CI skeletons, settings files, etc.) are declared inside each cluster's stagefreight config as assets: entries — no separate skeleton construct.
type HostCleanupConfig ¶ added in v0.5.0
type HostCleanupConfig struct {
// Enabled controls whether cleanup runs. Independent of cache mode.
Enabled bool `yaml:"enabled,omitempty"`
// Enforcement controls what happens when cleanup cannot execute.
// best_effort: continue + structured warning.
// required: fail build immediately.
Enforcement string `yaml:"enforcement,omitempty"`
// Protect defines what is never pruned.
Protect ProtectionPolicy `yaml:"protect,omitempty"`
// Prune defines what is eligible for removal.
Prune PrunePolicy `yaml:"prune,omitempty"`
}
HostCleanupConfig defines host hygiene — classification-first pruning. Not cache — residue cleanup. Object classes match DD-UI's operation types.
type ImageProtection ¶ added in v0.5.0
type ImageProtection struct {
Refs []string `yaml:"refs,omitempty"` // glob patterns
}
ImageProtection defines which images are protected from pruning.
type ImagePrunePolicy ¶ added in v0.5.0
type ImagePrunePolicy struct {
Dangling AgePruneRule `yaml:"dangling,omitempty"`
Unreferenced AgePruneRule `yaml:"unreferenced,omitempty"`
}
ImagePrunePolicy defines image pruning rules by class.
type LifecycleConfig ¶ added in v0.5.0
type LifecycleConfig struct {
Preset string `yaml:"preset,omitempty"`
Mode string `yaml:"mode"` // image | gitops | governance
}
LifecycleConfig defines the repository lifecycle mode.
type LintCacheConfig ¶ added in v0.5.0
type LintCacheConfig struct {
MaxAge string `yaml:"max_age,omitempty"` // evict entries not hit in this duration (e.g. "7d")
MaxSize string `yaml:"max_size,omitempty"` // evict oldest entries when cache exceeds this (e.g. "100MB")
}
LintCacheConfig controls lint result cache lifecycle. Content-addressed caches grow monotonically — every file edit creates a new entry. Without eviction, cache grows unbounded.
type LintConfig ¶
type LintConfig struct {
Preset string `yaml:"preset,omitempty"`
Level Level `yaml:"level"`
CacheDir string `yaml:"cache_dir"`
TargetBranch string `yaml:"target_branch"`
Exclude []string `yaml:"exclude"`
Modules map[string]ModuleConfig `yaml:"modules"`
Cache LintCacheConfig `yaml:"cache,omitempty"`
}
LintConfig holds lint-specific configuration.
func DefaultLintConfig ¶
func DefaultLintConfig() LintConfig
DefaultLintConfig returns production defaults.
type LocalCacheConfig ¶ added in v0.5.0
type LocalCacheConfig struct {
Path string `yaml:"path,omitempty"` // override local cache root (default: /stagefreight/cache/buildkit)
Retention LocalRetention `yaml:"retention,omitempty"`
}
LocalCacheConfig defines bounded local BuildKit cache. Default path: /stagefreight/cache/buildkit (persistent runtime root). Override via Path field for non-standard mounts.
type LocalRetention ¶ added in v0.5.0
type LocalRetention struct {
MaxAge string `yaml:"max_age,omitempty"` // e.g. "7d"
MaxSize string `yaml:"max_size,omitempty"` // e.g. "15GB"
}
LocalRetention defines what local cache is allowed to exist.
type ManifestConfig ¶ added in v0.3.2
type ManifestConfig struct {
Preset string `yaml:"preset,omitempty"`
// Enabled controls whether manifest generation is active (default: false).
Enabled bool `yaml:"enabled"`
// Mode controls where the manifest is stored.
// ephemeral: temp location, use during run, discard after.
// workspace: generate to .stagefreight/manifests/, don't auto-commit.
// commit: generate and include in docs commit.
// publish: generate and export as release asset / CI artifact.
Mode string `yaml:"mode,omitempty"`
// OutputDir is the output directory for manifest files.
// Default: .stagefreight/manifests
OutputDir string `yaml:"output_dir,omitempty"`
}
ManifestConfig holds configuration for the manifest subsystem.
func DefaultManifestConfig ¶ added in v0.3.2
func DefaultManifestConfig() ManifestConfig
DefaultManifestConfig returns sensible defaults for manifest generation.
type MatchersConfig ¶ added in v0.6.0
type MatchersConfig struct {
Preset string `yaml:"preset,omitempty"`
// Branches maps matcher names to regex patterns for branch matching.
// e.g., "main": "^main$"
Branches map[string]string `yaml:"branches"`
}
MatchersConfig defines reusable named patterns for matching branches (and, in the future, other dimensions like events or refs). Matchers are declarative pattern definitions ONLY — they do not carry behavior. They participate in versioning's execution graph via reference (branch_builds look up matchers by name) and in target condition resolution (when.branches look up matchers by name).
Matchers are keyed lookups, not ordered lists — no entry implies priority over another. They are purely id → pattern associations, so a map is the right shape.
func DefaultMatchersConfig ¶ added in v0.6.0
func DefaultMatchersConfig() MatchersConfig
DefaultMatchersConfig returns an empty matchers config.
type MergeEntry ¶ added in v0.6.0
type MergeEntry struct {
Path string // dot-path (e.g., "security.sbom")
Source string // "managed", "local", "preset:preset/security.yml"
SourceRef string // "PrPlanIT/MaintenancePolicy@v1.0.0" for presets
Layer int // resolution depth (0=innermost preset, N=outermost, N+1=managed, N+2=local)
Operation string // "set", "override", "merge", "replace"
Value any
Overridden bool
OverriddenBy string
}
MergeEntry records the provenance of a single config value.
func ResolvePresets ¶ added in v0.6.0
func ResolvePresets(raw map[string]any, loader PresetLoader, sourceRef, sourcePath string, depth int, seen map[string]bool) (map[string]any, []MergeEntry, error)
ResolvePresets walks a config map, finds all preset: references, loads the preset files, validates the single-key invariant, and merges. Recursive: presets may reference other presets (depth-first resolution). sourceRef is the repo identity (e.g., "PrPlanIT/MaintenancePolicy@v1.0.0"). sourcePath is the current file being processed (e.g., "preset/docker-targets.yml"). Returns the resolved config + provenance entries.
type MergeTrace ¶ added in v0.6.0
type MergeTrace struct {
Entries []MergeEntry
}
MergeTrace records how each config value was resolved.
type ModuleConfig ¶
type ModuleConfig struct {
Enabled *bool `yaml:"enabled,omitempty"`
Exclude []string `yaml:"exclude,omitempty"`
Options map[string]any `yaml:"options,omitempty"`
}
ModuleConfig holds per-module overrides.
type NarratorFile ¶
type NarratorFile struct {
// File is the path to the target file (required).
File string `yaml:"file"`
// LinkBase is the base URL for relative link rewriting.
LinkBase string `yaml:"link_base,omitempty"`
// Items are the composable content items for this file.
Items []NarratorItem `yaml:"items"`
}
NarratorFile defines narrator composition for a single file target. v2 flattens the old files[] > sections[] > items[] hierarchy into a 2-level structure: file targets with self-describing items.
type NarratorItem ¶
type NarratorItem struct {
// ID is the item identifier (unique within file).
ID string `yaml:"id"`
// Kind is the item type: badge, shield, text, component, break, include.
Kind string `yaml:"kind"`
// Placement declares where this item goes in the target file.
Placement NarratorPlacement `yaml:"placement"`
// Text is the badge label (left side text).
Text string `yaml:"text,omitempty"`
// Value is the badge value (right side text, supports templates).
Value string `yaml:"value,omitempty"`
// Color is the badge color (hex or "auto").
Color string `yaml:"color,omitempty"`
// Font is the badge font name override.
Font string `yaml:"font,omitempty"`
// FontSize is the badge font size override.
FontSize int `yaml:"font_size,omitempty"`
// Output is the SVG output path for badge generation.
Output string `yaml:"output,omitempty"`
// Link is the clickable URL (kind: badge, shield).
Link string `yaml:"link,omitempty"`
// Shield is the shields.io path (kind: shield).
Shield string `yaml:"shield,omitempty"`
// Content is raw text/markdown content (kind: text).
Content string `yaml:"content,omitempty"`
// Spec is the component spec file path (kind: component).
Spec string `yaml:"spec,omitempty"`
// Path is the file path to include verbatim (kind: include).
Path string `yaml:"path,omitempty"`
// Build is the id of the build whose manifest this item renders
// (kind: build-contents). Ownership is declared, never inferred from build
// list position: when more than one build is configured this is required, so
// reordering or adding builds can never silently change which build's
// inventory a doc section renders. Optional only for single-build configs
// (backward compatibility), where the sole build is unambiguous. Ignored when
// Source is set (an explicit manifest path is even more specific).
Build string `yaml:"build,omitempty"`
// Source is an optional path to a manifest JSON file (kind: build-contents).
// If omitted, uses the current scope manifest.
Source string `yaml:"source,omitempty"`
// Section is the dot-path into the manifest (kind: build-contents).
// e.g., "inventories.pip", "build.args", "security.sbom"
Section string `yaml:"section,omitempty"`
// Renderer is the rendering format (kind: build-contents).
// Supported: "table", "list", "kv".
Renderer string `yaml:"renderer,omitempty"`
// Columns selects which columns to render (kind: build-contents, renderer: table).
Columns []string `yaml:"columns,omitempty"`
// OutputFile is an optional standalone file output path (kind: build-contents).
// When set, the rendered content is written as a standalone file.
// Can be used alongside placement (section embedding) or alone.
OutputFile string `yaml:"output_file,omitempty"`
// Wrap wraps the rendered output in a container element (kind: build-contents).
// Supported: "details" (wraps in <details>/<summary>).
Wrap string `yaml:"wrap,omitempty"`
// Summary is the summary text when wrap=details (required when wrap is set).
Summary string `yaml:"summary,omitempty"`
// Type is the props resolver type ID (kind: props).
Type string `yaml:"type,omitempty"`
// Params are provider-semantic inputs for the props resolver.
Params map[string]string `yaml:"params,omitempty"`
// Label overrides the auto-derived alt text for props.
Label string `yaml:"label,omitempty"`
// Style is a presentation override for shields.io badge style.
Style string `yaml:"style,omitempty"`
// Logo is a presentation override for shields.io logo name.
Logo string `yaml:"logo,omitempty"`
// CatalogPath is the path to a catalog metadata file (kind: k8s-inventory).
// Optional — provides descriptions, friendly names, graveyard, tier overrides.
CatalogPath string `yaml:"catalog,omitempty"`
// Ref is the badge ID to reference (kind: badge_ref).
// Must match an ID defined in the top-level badges: config.
// Narrator does NOT own badge generation — only composition.
Ref string `yaml:"ref,omitempty"`
}
NarratorItem defines a single composable content item. Each item self-describes its kind and placement.
func (NarratorItem) HasGeneration ¶
func (n NarratorItem) HasGeneration() bool
HasGeneration returns true if this badge item should trigger SVG generation. Requires kind: badge + output set.
func (NarratorItem) ToBadgeSpec ¶
func (n NarratorItem) ToBadgeSpec() BadgeSpec
ToBadgeSpec extracts badge generation fields into a reusable BadgeSpec.
type NarratorPlacement ¶
type NarratorPlacement struct {
// Between is a two-element array: [start_marker, end_marker].
// Content is placed relative to these markers.
Between [2]string `yaml:"between,omitempty"`
// After is a regex/literal line match (reserved for future use).
After string `yaml:"after,omitempty"`
// Before is a regex/literal line match (reserved for future use).
Before string `yaml:"before,omitempty"`
// Heading is a markdown heading match (reserved for future use).
Heading string `yaml:"heading,omitempty"`
// Mode controls how content is placed:
// replace (default), append, prepend, above, below.
Mode string `yaml:"mode,omitempty"`
// Inline renders items side-by-side when true (default: false).
Inline bool `yaml:"inline,omitempty"`
}
NarratorPlacement declares where an item goes in its target file. Exactly one selector must be set (Between is the v2 primary selector).
type NetworkPrunePolicy ¶ added in v0.5.0
type NetworkPrunePolicy struct {
Unused bool `yaml:"unused,omitempty"`
}
NetworkPrunePolicy defines network pruning rules.
type NoLineageConfig ¶ added in v0.6.0
type NoLineageConfig struct {
// Mode controls the response to missing lineage.
// "error" (default): fail fast with explanation and suggested fix
// "explicit": use the provided version template
Mode string `yaml:"mode,omitempty"`
// Version is the template used when mode is "explicit".
// Must contain {sha} or {time} — hardcoded versions are rejected.
// e.g., "0.1.0-bootstrap+{sha}"
Version string `yaml:"version,omitempty"`
}
NoLineageConfig defines behavior when no tag source yields a match along the branch rule's base_from search path.
type OIDCConfig ¶ added in v0.5.0
type OIDCConfig struct {
Audience string `yaml:"audience"`
}
OIDCConfig defines OIDC authentication for cluster access. Token is resolved from environment variable STAGEFREIGHT_OIDC at runtime.
type PhraseRewrite ¶ added in v0.5.0
PhraseRewrite replaces exact substrings.
type PresentationConfig ¶ added in v0.5.0
type PresentationConfig struct {
Preset string `yaml:"preset,omitempty"`
Commit CommitPresentation `yaml:"commit"`
Tag TagPresentation `yaml:"tag"`
Release ReleasePresentation `yaml:"release"`
}
PresentationConfig defines surface-specific rendering policies. Same semantic meaning, different editorial treatment per output.
func DefaultPresentationConfig ¶ added in v0.5.0
func DefaultPresentationConfig() PresentationConfig
DefaultPresentationConfig returns sensible defaults.
type PresetLoader ¶ added in v0.6.0
PresetLoader fetches preset content by path. Implementations: local filesystem, git repo checkout.
type ProtectionPolicy ¶ added in v0.5.0
type ProtectionPolicy struct {
Images ImageProtection `yaml:"images,omitempty"`
Volumes VolumeProtection `yaml:"volumes,omitempty"`
}
ProtectionPolicy defines what host objects are never pruned.
type PrunePolicy ¶ added in v0.5.0
type PrunePolicy struct {
Images ImagePrunePolicy `yaml:"images,omitempty"`
BuildCache BuildCachePrunePolicy `yaml:"build_cache,omitempty"`
Containers ContainerPrunePolicy `yaml:"containers,omitempty"`
Networks NetworkPrunePolicy `yaml:"networks,omitempty"`
}
PrunePolicy defines which host objects are eligible for removal.
type RegexRewrite ¶ added in v0.5.0
RegexRewrite replaces regex matches.
type RegistryConfig ¶ added in v0.6.0
type RegistryConfig struct {
ID string `yaml:"id"` // unique identifier (e.g., "dockerhub")
Provider string `yaml:"provider"` // docker, harbor, ghcr, quay, gitea, generic
URL string `yaml:"url"` // registry URL (e.g., "docker.io")
Credentials string `yaml:"credentials,omitempty"` // env var prefix for token resolution
DefaultPath string `yaml:"default_path,omitempty"` // default image path (e.g., "{var:org}/{var:repo}")
}
RegistryConfig declares an OCI registry host. Declared once, referenced by targets.
func FindRegistryByID ¶ added in v0.6.0
func FindRegistryByID(registries []RegistryConfig, id string) *RegistryConfig
FindRegistryByID returns the registry with the given id, or nil.
type ReleaseConfig ¶
type ReleaseConfig struct {
Preset string `yaml:"preset,omitempty"`
Enabled bool `yaml:"enabled"`
Required *bool `yaml:"required,omitempty"` // failure is hard pipeline fail (default: false)
SecuritySummary string `yaml:"security_summary"`
RegistryLinks bool `yaml:"registry_links"`
CatalogLinks bool `yaml:"catalog_links"`
RunFrom RunFromConfig `yaml:"run_from,omitempty"` // gate mutation to declared origin
}
ReleaseConfig holds configuration for the release subsystem.
func DefaultReleaseConfig ¶
func DefaultReleaseConfig() ReleaseConfig
DefaultReleaseConfig returns sensible defaults for release management.
func (ReleaseConfig) IsRequired ¶ added in v0.5.0
func (r ReleaseConfig) IsRequired() bool
IsRequired returns whether release failure is a hard pipeline fail. Default: false.
type ReleasePresentation ¶ added in v0.5.0
type ReleasePresentation struct {
MaxEntries int `yaml:"max_entries"`
GroupByType bool `yaml:"group_by_type"`
Style string `yaml:"style"` // concise | explanatory | technical
IncludeReleaseVisibleOnly bool `yaml:"include_release_visible_only"`
}
ReleasePresentation controls release notes rendering.
type RenderConfig ¶ added in v0.5.0
type RenderConfig struct {
EmptyStrategy string `yaml:"empty_strategy"` // prompt | fail | allow_empty
}
RenderConfig controls glossary-level output defaults. Surface-specific max entries live in presentation config.
type RepoConfig ¶ added in v0.6.0
type RepoConfig struct {
ID string `yaml:"id"` // unique identifier
Forge string `yaml:"forge"` // references forges[].id
Project string `yaml:"project"` // project path on the forge (e.g., "{var:gitlab_group}/{var:repo}")
Roles []string `yaml:"roles,omitempty"` // ["primary"] | ["mirror"] | ["mirror", "publish-origin"] | []
Branches BranchesConfig `yaml:"branches,omitempty"` // branch identity (default, protected, etc.)
Worktree string `yaml:"worktree,omitempty"` // local working tree path (primary only)
Ref string `yaml:"ref,omitempty"` // pinned ref for non-primary repos (governance, presets)
Sync SyncConfig `yaml:"sync,omitempty"` // mirror sync domains
}
RepoConfig declares a project on a forge. References forge by id. Roles are explicit and composable:
- "primary": exactly 1 required — authoritative source
- "mirror": 0 to many — derivative copies
- "publish-origin": 0 or 1 — where rendered artifacts are served from
- empty: addressable, no special behavior
Forbidden combinations: primary + mirror (authoritative ≠ derivative). Allowed combinations: publish-origin + primary, publish-origin + mirror.
func FindRepoByID ¶ added in v0.6.0
func FindRepoByID(repos []RepoConfig, id string) *RepoConfig
FindRepoByID returns the repo with the given id, or nil.
func FindRepoWithRole ¶ added in v0.6.0
func FindRepoWithRole(repos []RepoConfig, role string) *RepoConfig
FindRepoWithRole returns the first repo that has the given role, or nil.
func MirrorRepos ¶ added in v0.6.0
func MirrorRepos(repos []RepoConfig) []RepoConfig
MirrorRepos returns all repos with the mirror role.
func (RepoConfig) HasRole ¶ added in v0.6.0
func (r RepoConfig) HasRole(role string) bool
HasRole returns true if the repo has the given role.
type ResolvedRegistry ¶ added in v0.6.0
type ResolvedRegistry struct {
ID string
Provider string // from registry
URL string // from registry
Path string // from registry default_path or target override
Credentials string // from registry
}
ResolvedRegistry is a fully resolved registry target with all identity fields populated from the registry graph. Ready for buildx/push.
func ResolveRegistryForTarget ¶ added in v0.6.0
func ResolveRegistryForTarget(target TargetConfig, registries []RegistryConfig, vars map[string]string) (*ResolvedRegistry, error)
ResolveRegistryForTarget resolves a target's registry identity from the registry graph. Path comes from target override or registry default_path.
type ResolvedRepo ¶ added in v0.6.0
type ResolvedRepo struct {
ID string
Provider string // from forge
BaseURL string // from forge
Project string // from repo
Credentials string // from forge
Roles []string // from repo (primary, mirror, publish-origin)
DefaultBranch string // flattened from repo.Branches.Default
Worktree string
Ref string
Sync SyncConfig
}
ResolvedRepo is a fully resolved repo with all identity fields populated from the forge + repo graph. Ready for forge client creation.
DefaultBranch is the flattened view of repo.Branches.Default — resolved once at load time so consumers don't need to know the nested shape.
func ResolveAllMirrors ¶ added in v0.6.0
func ResolveAllMirrors(repos []RepoConfig, forges []ForgeConfig, vars map[string]string) ([]*ResolvedRepo, error)
ResolveAllMirrors resolves all mirror repos against the forge graph.
func ResolvePrimary ¶ added in v0.6.0
func ResolvePrimary(repos []RepoConfig, forges []ForgeConfig, vars map[string]string) (*ResolvedRepo, error)
ResolvePrimary resolves the primary repo against the forge graph.
func ResolveRepo ¶ added in v0.6.0
func ResolveRepo(repo RepoConfig, forges []ForgeConfig, vars map[string]string) (*ResolvedRepo, error)
ResolveRepo resolves a repo entry against the forge graph. Returns error if the referenced forge doesn't exist.
func (ResolvedRepo) HasRole ¶ added in v0.6.0
func (r ResolvedRepo) HasRole(role string) bool
HasRole returns true if the resolved repo has the given role.
type RetentionPolicy ¶
type RetentionPolicy struct {
KeepLast int `yaml:"keep_last"` // keep the N most recent tags
KeepDaily int `yaml:"keep_daily"` // keep one per day for the last N days
KeepWeekly int `yaml:"keep_weekly"` // keep one per week for the last N weeks
KeepMonthly int `yaml:"keep_monthly"` // keep one per month for the last N months
KeepYearly int `yaml:"keep_yearly"` // keep one per year for the last N years
Protect []string `yaml:"protect"` // tag patterns that are never deleted (v2)
}
RetentionPolicy defines how many tags/releases to keep using time-bucketed rules. Policies are additive — a tag survives if ANY rule wants to keep it. This mirrors restic's forget policy.
func (RetentionPolicy) Active ¶
func (r RetentionPolicy) Active() bool
Active returns true if any retention rule is configured.
func (*RetentionPolicy) UnmarshalYAML ¶
func (r *RetentionPolicy) UnmarshalYAML(value *yaml.Node) error
UnmarshalYAML implements custom unmarshaling so retention accepts both:
retention: 10 → RetentionPolicy{KeepLast: 10}
retention:
keep_last: 3
keep_daily: 7 → RetentionPolicy{KeepLast: 3, KeepDaily: 7}
type RewriteConfig ¶ added in v0.5.0
type RewriteConfig struct {
Phrases []PhraseRewrite `yaml:"phrases,omitempty"`
Regex []RegexRewrite `yaml:"regex,omitempty"`
}
RewriteConfig defines deterministic text transformations.
type RoutingConfig ¶ added in v0.6.0
type RoutingConfig struct {
Perform RoutingSpec `yaml:"perform,omitempty"`
}
RoutingConfig declares per-phase routing requirements.
type RoutingSpec ¶ added in v0.6.0
type RoutingSpec struct {
Labels []string `yaml:"labels,omitempty"`
}
RoutingSpec declares runner placement labels for a single phase.
type RunFromConfig ¶ added in v0.6.0
type RunFromConfig struct {
Allow []string `yaml:"allow,omitempty"` // permitted origins: "primary"
Mismatch string `yaml:"mismatch,omitempty"` // "read-only" (default), "exit", "ignore"
}
RunFromConfig gates mutation to declared execution origins. Attached to mutating surfaces (release, docs.commit, dependency.commit, targets).
func (RunFromConfig) IsActive ¶ added in v0.6.0
func (rf RunFromConfig) IsActive() bool
IsActive returns true if run_from has any allow rules configured.
type RunFromResult ¶ added in v0.6.0
type RunFromResult struct {
Matched bool // true if current context matches an allowed origin
Mode string // "read-only", "exit", "ignore", or "" (no restriction)
Reason string // human-readable explanation (empty when matched or unconfigured)
}
RunFromResult is the evaluated outcome of a run_from guard.
func EvaluateRunFrom ¶ added in v0.6.0
func EvaluateRunFrom(rf RunFromConfig, ciRepoURL, primaryURL string) RunFromResult
EvaluateRunFrom checks whether the current execution context is authorized to perform a mutation guarded by a run_from config.
ciRepoURL is the CI execution context (SF_CI_REPO_URL). primaryURL is sources.primary.url from config.
type ScannerCacheConfig ¶ added in v0.5.0
type ScannerCacheConfig struct {
MaxSize string `yaml:"max_size,omitempty"` // e.g. "500MB" — full-clear when exceeded
MaxAge string `yaml:"max_age,omitempty"` // e.g. "7d" — full-clear when oldest file exceeds age
}
ScannerCacheConfig is the cache policy for a single scanner. Any field set = persistent cache enabled for this tool. All fields empty = no StageFreight-managed persistence (tool defaults). Eviction is full-clear (opaque DBs, no granular eviction).
type ScannersConfig ¶
type ScannersConfig struct {
Trivy *bool `yaml:"trivy,omitempty"` // run Trivy image scan (default: true)
Grype *bool `yaml:"grype,omitempty"` // run Grype image scan (default: true)
}
ScannersConfig controls which vulnerability scanners are enabled. Both default to true — scanners still require their binary in PATH. Uses *bool so omitting a key preserves the default instead of zeroing it.
func (ScannersConfig) GrypeEnabled ¶
func (s ScannersConfig) GrypeEnabled() bool
GrypeEnabled returns whether Grype scanning is enabled (default: true).
func (ScannersConfig) TrivyEnabled ¶
func (s ScannersConfig) TrivyEnabled() bool
TrivyEnabled returns whether Trivy scanning is enabled (default: true).
type SectionState ¶ added in v0.6.0
type SectionState struct {
Name string `json:"name"`
Kind string `json:"kind"` // "execution" | "capability" | "structural"
Active bool `json:"active"`
SourcePresent bool `json:"source_present"`
Provenance string `json:"provenance"` // "manifest" | "preset" | "none"
ResolutionStatus string `json:"resolution_status"` // "resolved" | "partial" | "none"
}
SectionState is the resolved state of one config domain section.
Provenance only applies when Active == true. When Active == false, Provenance MUST be "none" — inactive sections have no provenance because they do not exist in the runtime model.
type SecurityCacheConfig ¶ added in v0.5.0
type SecurityCacheConfig struct {
Trivy ScannerCacheConfig `yaml:"trivy,omitempty"`
Grype ScannerCacheConfig `yaml:"grype,omitempty"`
}
SecurityCacheConfig controls persistent vuln DB caching per scanner tool. These are opaque tool-managed directories — StageFreight hosts and bounds them, but does not manage their internal structure.
type SecurityConfig ¶
type SecurityConfig struct {
Preset string `yaml:"preset,omitempty"`
Enabled bool `yaml:"enabled"` // run vulnerability scanning (default: true)
Required *bool `yaml:"required,omitempty"` // failure is hard pipeline fail (default: false)
Scanners ScannersConfig `yaml:"scanners"` // per-scanner toggles
SBOMEnabled bool `yaml:"sbom"` // generate SBOM artifacts (default: true)
FailOnCritical bool `yaml:"fail_on_critical"` // fail the pipeline if critical vulns found
OutputDir string `yaml:"output"` // directory for scan artifacts (default: .stagefreight/security)
// ReleaseDetail is the default detail level for security info in release notes.
// Values: "none", "counts", "detailed", "full" (default: "counts").
ReleaseDetail string `yaml:"release_detail"`
// ReleaseDetailRules are conditional overrides evaluated top-down (first match wins).
// Uses the standard Condition primitive for tag/branch matching with ! negation.
ReleaseDetailRules []DetailRule `yaml:"release_detail_rules"`
// Cache controls persistent vulnerability DB caching per scanner.
// Each tool's max_size triggers full-clear when exceeded (opaque DBs, no granular eviction).
// Empty/omitted per tool = no StageFreight-managed persistence for that tool.
Cache SecurityCacheConfig `yaml:"cache,omitempty"`
// OverwhelmMessage is the message lines shown when >1000 vulns are found.
// Defaults to ["…maybe start here:"] with the OverwhelmLink below.
OverwhelmMessage []string `yaml:"overwhelm_message"`
// OverwhelmLink is an optional URL appended after OverwhelmMessage.
// Defaults to a Psychology Today anxiety page. Empty string disables.
OverwhelmLink string `yaml:"overwhelm_link"`
}
SecurityConfig holds security scanning configuration.
func DefaultSecurityConfig ¶
func DefaultSecurityConfig() SecurityConfig
DefaultSecurityConfig returns sensible defaults for security scanning.
func (SecurityConfig) IsRequired ¶ added in v0.5.0
func (s SecurityConfig) IsRequired() bool
IsRequired returns whether security failure is a hard pipeline fail. Default: false.
type SummaryFilter ¶ added in v0.5.0
type SummaryFilter struct {
StripPhrases []string `yaml:"strip_phrases,omitempty"`
StripRegex []string `yaml:"strip_regex,omitempty"`
}
SummaryFilter strips content from commit subjects.
type SyncConfig ¶ added in v0.4.1
type SyncConfig struct {
// Git enables authoritative mirror replication via git push --mirror.
// All refs, branches, tags, deletions, force updates. This is the
// foundation — artifact sync runs only after mirror succeeds.
Git bool `yaml:"git,omitempty"`
// Releases enables forge-native release projection (notes, assets, links).
// Runs after git mirror succeeds. Tag is the identity key.
Releases bool `yaml:"releases,omitempty"`
// Docs enables README/doc file projection via forge commit API.
// Mutually exclusive with Git (docs arrive through git mirror).
// Only valid when Git is false.
Docs bool `yaml:"docs,omitempty"`
}
SyncConfig declares which sync domains a mirror repo receives. Git mirror is the foundation; artifact projection is subordinate and gated on mirror success for the same accessory.
type TagConfig ¶ added in v0.5.0
type TagConfig struct {
Preset string `yaml:"preset,omitempty"`
Defaults TagDefaults `yaml:"defaults"`
Message TagMessage `yaml:"message"`
}
TagConfig holds workflow defaults for the tag planner.
func DefaultTagConfig ¶ added in v0.5.0
func DefaultTagConfig() TagConfig
DefaultTagConfig returns sensible defaults.
type TagDefaults ¶ added in v0.5.0
type TagDefaults struct {
Target string `yaml:"target"` // default ref to tag (default: HEAD)
Preview bool `yaml:"preview"` // show preview before creating
RequireApproval bool `yaml:"require_approval"` // require interactive approval
Push bool `yaml:"push"` // push after creation
}
TagDefaults controls default tag planning behavior.
type TagMessage ¶ added in v0.5.0
type TagMessage struct {
Mode string `yaml:"mode"` // auto | prompt_if_missing | require_manual
EmptyStrategy string `yaml:"empty_strategy"` // prompt | fail | allow_empty
}
TagMessage controls tag annotation message behavior.
type TagPresentation ¶ added in v0.5.0
type TagPresentation struct {
MaxEntries int `yaml:"max_entries"`
GroupByType bool `yaml:"group_by_type"`
Style string `yaml:"style"` // concise | explanatory | technical
IncludeReleaseVisibleOnly bool `yaml:"include_release_visible_only"`
CollapseSimilar bool `yaml:"collapse_similar"`
}
TagPresentation controls tag annotation rendering.
type TagSourceConfig ¶ added in v0.6.0
type TagSourceConfig struct {
// ID is the unique identifier (e.g. "stable", "prerelease").
// Referenced by branch_builds[].base_from and target.when.git_tags.
ID string `yaml:"id"`
// Pattern is the regex that identifies tags belonging to this source.
// e.g., "^v?\\d+\\.\\d+\\.\\d+$"
Pattern string `yaml:"pattern"`
}
TagSourceConfig is a named tag pattern used for version lineage candidates.
type TargetCondition ¶
type TargetCondition struct {
// Branches lists branch filters. Each entry is a policy name or "re:<regex>".
// Empty = no branch filtering.
Branches []string `yaml:"branches,omitempty"`
// GitTags lists git tag filters. Each entry is a policy name or "re:<regex>".
// Empty = no tag filtering.
GitTags []string `yaml:"git_tags,omitempty"`
// Events lists CI event type filters.
// Supported: push, tag, release, schedule, manual, pull_request, merge_request.
// Empty = no event filtering.
Events []string `yaml:"events,omitempty"`
}
TargetCondition defines routing conditions for a target. All non-empty fields must match (AND logic).
type TargetConfig ¶
type TargetConfig struct {
// ID is the unique identifier for this target (logging, status, enable/disable).
ID string `yaml:"id"`
// Kind is the target type. Determines which fields are valid.
Kind string `yaml:"kind"`
// Build references a BuildConfig.ID. Required for kind: registry.
Build string `yaml:"build,omitempty"`
// When specifies routing conditions for this target.
When TargetCondition `yaml:"when,omitempty"`
// RunFrom gates mutation to declared execution origins.
// e.g. ["primary"] — only mutate when running from sources.primary.
// Empty = no restriction (backward compat).
RunFrom RunFromConfig `yaml:"run_from,omitempty"`
// SelectTags enables CLI filtering via --select.
SelectTags []string `yaml:"select_tags,omitempty"`
// Registry references a registries[].id for registry/docker-readme targets.
// When set, URL/Provider/Path/Credentials are resolved from the registry entry.
// Path can still be overridden on the target (overrides registry default_path).
Registry string `yaml:"registry,omitempty"`
// URL is the registry/forge hostname (kind: registry, docker-readme, release).
URL string `yaml:"url,omitempty"`
// Provider is the vendor type for auth and API behavior.
// Registry: docker, ghcr, gitlab, jfrog, harbor, quay, gitea, generic.
// Release: github, gitlab, gitea.
// If omitted on registry/docker-readme, inferred from URL.
Provider string `yaml:"provider,omitempty"`
// Path is the image path within the registry (kind: registry, docker-readme).
Path string `yaml:"path,omitempty"`
// Credentials is the env var prefix for authentication.
// Resolution: try {PREFIX}_TOKEN first, else {PREFIX}_USER + {PREFIX}_PASS.
Credentials string `yaml:"credentials,omitempty"`
// Description is a short description override (kind: registry, docker-readme).
Description string `yaml:"description,omitempty"`
// Retention controls cleanup of old tags/releases.
// Structured only in v2 (no scalar shorthand).
Retention *RetentionPolicy `yaml:"retention,omitempty"`
// Tags are tag templates resolved against version info (kind: registry).
// e.g., ["{version}", "{major}.{minor}", "latest"]
Tags []string `yaml:"tags,omitempty"`
// NativeScan enables post-push vulnerability scanning via the registry's own built-in scanner.
// Distinct from StageFreight's own scan pipeline (Trivy/Grype run by StageFreight itself).
// Currently supported: Harbor (triggers Harbor's built-in Trivy after each push).
// No-op for Docker Hub, GHCR, Quay, JFrog, and other providers.
// Best-effort — scan failures warn but do not fail the build.
// Push success does not imply scan success; results appear in the registry UI only.
NativeScan bool `yaml:"native_scan,omitempty"`
// File is the path to the README file (kind: docker-readme).
File string `yaml:"file,omitempty"`
// LinkBase is the base URL for relative link rewriting (kind: docker-readme).
LinkBase string `yaml:"link_base,omitempty"`
// SpecFiles lists component spec file paths (kind: gitlab-component).
SpecFiles []string `yaml:"spec_files,omitempty"`
// Catalog enables GitLab Catalog registration (kind: gitlab-component).
Catalog bool `yaml:"catalog,omitempty"`
// Aliases are rolling git tag aliases (kind: release).
// e.g., ["{version}", "{major}.{minor}", "latest"]
// Named "aliases" to avoid collision with Tags (image tags) and git_tags (policy filters).
Aliases []string `yaml:"aliases,omitempty"`
// ProjectID is the "owner/repo" or numeric ID for remote forge targets (kind: release).
ProjectID string `yaml:"project_id,omitempty"`
// Mirror references a sources.mirrors[].id for release sync.
// Forge identity (provider, url, project_id, credentials) is resolved from the mirror.
// Avoids restating forge connection details in the target.
Mirror string `yaml:"mirror,omitempty"`
// SyncRelease syncs release notes + tags to a remote forge (kind: release, remote only).
SyncRelease bool `yaml:"sync_release,omitempty"`
// SyncAssets syncs scan artifacts to a remote forge (kind: release, remote only).
SyncAssets bool `yaml:"sync_assets,omitempty"`
// Archives references a binary-archive target ID (kind: release only).
Archives string `yaml:"archives,omitempty"`
// BinaryName overrides the binary name inside the archive (kind: binary-archive).
// Auto-detected from referenced build if omitted.
BinaryName string `yaml:"binary_name,omitempty"`
// Format is the archive format: "tar.gz", "zip", or "auto" (kind: binary-archive).
// "auto" picks zip for windows, tar.gz for everything else. Default: "auto".
Format string `yaml:"format,omitempty"`
// Name is the archive filename template (kind: binary-archive).
// Supports: {id}, {version}, {os}, {arch}. e.g., "{id}-{version}-{os}-{arch}".
Name string `yaml:"name,omitempty"`
// Include lists extra files to bundle into the archive (kind: binary-archive).
// e.g., ["README.md", "LICENSE"]
Include []string `yaml:"include,omitempty"`
// Checksums generates a SHA256SUMS file alongside archives (kind: binary-archive).
Checksums bool `yaml:"checksums,omitempty"`
}
TargetConfig defines a distribution target or side-effect. Each target has a unique ID and a kind that determines which fields are valid.
This is a discriminated union keyed by Kind. Only fields relevant to the kind should be set — validated at load time.
Target kinds:
- registry: Push image tags to a container registry (requires build reference)
- docker-readme: Sync README to a container registry (standalone)
- gitlab-component: Publish to GitLab CI component catalog (standalone)
- release: Create forge release + rolling git tags (standalone)
func (TargetConfig) IsRemoteRelease ¶
func (t TargetConfig) IsRemoteRelease() bool
IsRemoteRelease returns true if this release target references a remote forge, either via explicit forge fields or via a mirror reference.
type ToolPinConfig ¶ added in v0.6.0
type ToolPinConfig struct {
Version string `yaml:"version,omitempty"`
}
ToolPinConfig declares the desired version for a single tool.
type ToolchainConfig ¶ added in v0.6.0
type ToolchainConfig struct {
// Desired declares intended tool versions. Authoritative — not a hint.
// If a desired version fails to resolve, the system fails. No fallback.
Desired map[string]ToolPinConfig `yaml:"desired,omitempty"`
}
ToolchainConfig defines operator control over external tool resolution. Top-level in .stagefreight.yml because toolchains are execution substrate, not CI-specific — they run in security scanning, signing, linting, gitops.
type TrailerFilter ¶ added in v0.5.0
type TrailerFilter struct {
StripKeys []string `yaml:"strip_keys,omitempty"`
}
TrailerFilter strips commit trailers/footers.
type VersioningConfig ¶ added in v0.6.0
type VersioningConfig struct {
Preset string `yaml:"preset,omitempty"`
// TagSources defines named places where version bases can come from.
// e.g., {id: "stable", pattern: "^v?\\d+\\.\\d+\\.\\d+$"}
// Globally eligible, no inherent priority. Order is declaration-preserving
// but semantically flat — priority lives on branch rules, not here.
TagSources []TagSourceConfig `yaml:"tag_sources"`
// BranchBuilds defines version format for non-tag commits per branch.
// Evaluated in declaration order; first matching rule wins. An entry with
// id: "default" is required and must be the last entry — it catches any
// branch that did not match a named rule.
BranchBuilds []BranchBuildConfig `yaml:"branch_builds,omitempty"`
// NoLineage defines behavior when no tag lineage exists (no matching tags).
NoLineage NoLineageConfig `yaml:"no_lineage,omitempty"`
}
VersioningConfig controls how version identity is derived from git state. This is the single source of truth for version meaning — git provides raw facts (tags, commits, branches), versioning rules decide what they mean.
Precedence: tag match > branch_builds > no_lineage
A branch defines a path through tag sources; the first reachable match defines the version. That is the entire versioning contract.
func DefaultVersioningConfig ¶ added in v0.6.0
func DefaultVersioningConfig() VersioningConfig
DefaultVersioningConfig returns a versioning config with sensible defaults.
type VolumeProtection ¶ added in v0.5.0
type VolumeProtection struct {
Named *bool `yaml:"named,omitempty"` // protect all named volumes
}
VolumeProtection defines which volumes are protected from pruning.
Source Files
¶
- authority.go
- badge.go
- build.go
- buildcache.go
- ci.go
- commit.go
- conditions.go
- config.go
- dependency.go
- docker.go
- docker_lifecycle.go
- docs.go
- forges.go
- gitops.go
- glossary.go
- lifecycle.go
- lint.go
- manifest.go
- match.go
- matchers.go
- migrate.go
- narrator.go
- normalize.go
- presentation.go
- preset.go
- release.go
- report.go
- resolve.go
- retention.go
- security.go
- sources.go
- tag.go
- target.go
- toolchain.go
- units.go
- validate.go
- versioning.go