Documentation
Overview
Package promote distributes a content-store OCI layout to a registry WITHOUT rebuilding and WITHOUT a daemon round-trip, preserving the exact index digest that perform recorded and review verified.
This is the trust-chain's final link: publish must distribute the same bytes (digest D) that review approved. The daemon path (docker load → push) is disqualified because the daemon collapses the OCI index and re-addresses it, producing a DIFFERENT digest D′ — silently breaking "review approves X, publish distributes X". go-containerregistry writes the layout's manifests and blobs straight to the registry over the OCI distribution protocol, so the index digest is preserved (verified empirically: layout digest == registry digest).
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Result
type Result struct {
	Ref    string // fully-qualified pushed reference (registry/path:tag)
	Digest string // the index digest served by the registry after push
}
Result reports what a promotion published.
func LayoutToRegistry
func LayoutToRegistry(ctx context.Context, layoutDir, ref, wantDigest string, auth authn.Authenticator) (Result, error)
LayoutToRegistry pushes the OCI layout at layoutDir to ref (e.g. "docker.io/org/app:v1"), preserving wantDigest. It returns an error if the layout's index digest does not equal wantDigest before push (refusing to distribute bytes whose identity does not match what was recorded/reviewed) or if the registry serves a different digest after push (catching any transport transformation). Auth comes from the ambient keychain (docker config), with an optional explicit override.
wantDigest is the artifact.Digest recorded in outputs.json — the identity review approved. This function is the point where "publish distributes exactly digest D" is enforced, not assumed.
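The pre-push half of that check, as an added standard-library sketch (not this package's code, which uses go-containerregistry): refuse a layout unless it resolves to the reviewed digest and the stored bytes actually hash to it. Assumptions: digest D is the digest of the single descriptor in the layout's index.json; `checkLayoutDigest` and `constructedLayout` are hypothetical names; the layout is passed as an `fs.FS` (use `os.DirFS(layoutDir)` for a real directory), and the sample layout is constructed in memory.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// checkLayoutDigest fails closed unless index.json's single descriptor equals
// wantDigest and the blob it names hashes to it (assumed meaning of digest D).
func checkLayoutDigest(layout fs.FS, wantDigest string) error {
	hexPart := strings.TrimPrefix(wantDigest, "sha256:")
	if _, err := hex.DecodeString(hexPart); err != nil || len(hexPart) != 64 || hexPart == wantDigest {
		return fmt.Errorf("unsupported digest %q", wantDigest)
	}
	raw, err := fs.ReadFile(layout, "index.json")
	if err != nil {
		return err
	}
	var idx struct {
		Manifests []struct{ Digest string `json:"digest"` } `json:"manifests"`
	}
	if err := json.Unmarshal(raw, &idx); err != nil || len(idx.Manifests) != 1 || idx.Manifests[0].Digest != wantDigest {
		return fmt.Errorf("layout does not resolve to reviewed digest %s (parse error: %v)", wantDigest, err)
	}
	blob, err := fs.ReadFile(layout, "blobs/sha256/"+hexPart)
	if sum := sha256.Sum256(blob); err != nil || hex.EncodeToString(sum[:]) != hexPart {
		return fmt.Errorf("blob for %s missing or altered (read error: %v)", wantDigest, err)
	}
	return nil
}

// constructedLayout builds an in-memory sample layout and returns it with its digest.
func constructedLayout(blob []byte) (fstest.MapFS, string) {
	sum := sha256.Sum256(blob)
	d := "sha256:" + hex.EncodeToString(sum[:])
	idx := `{"manifests":[{"digest":"` + d + `"}]}`
	return fstest.MapFS{"index.json": {Data: []byte(idx)}, "blobs/sha256/" + d[7:]: {Data: blob}}, d
}

func main() {
	layout, d := constructedLayout([]byte(`{"schemaVersion":2}`))
	fmt.Println("intact layout:", checkLayoutDigest(layout, d))
	layout["blobs/sha256/"+d[7:]].Data = []byte("tampered")
	fmt.Println("tampered blob:", checkLayoutDigest(layout, d))
}
```

The post-push comparison against the digest the registry serves is a separate step and is not covered by this sketch.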