README
¶
StageFreight
The world's a stage, give it a pipeline.
A declarative lifecycle runtime that governs Git as the source of truth, enforcing operator-defined intent across GitOps workflows, Kubernetes, Docker, and CI ecosystems. StageFreight is open-source, self-building, and replaces fragile shell-script CI pipelines with a single Go binary driven by one .stagefreight.yml file. There's a setting for every stage — this is theatre.
Features:
| Detect → Plan → Build | Finds Dockerfiles, resolves tags from git, builds multi-platform images via docker buildx |
| Multi-Registry Push | Docker Hub, GHCR, GitLab, Quay, Harbor, JFrog, Gitea — with branch/tag filtering via regex (! negation) |
| Security Scanning | Trivy + Grype vulnerability scan, Syft SBOM generation, configurable detail levels per branch or tag |
| Cross-Forge Releases | Create releases on GitLab, GitHub, or Gitea with auto-generated notes, badges, and cross-platform sync |
| Cache-Aware Linting | 9 lint modules run in parallel, delta-only on changed files, with JUnit reporting for CI |
| Retention Policies | Restic-style tag retention (keep_last, daily, weekly, monthly, yearly) across all registry providers |
| Self-Building | StageFreight builds itself — this image is produced by stagefreight docker build |
Documentation:
| CLI Reference | Full Command Reference |
| Config Reference | Full Config Schema |
| Manifest Examples | 24 Example Configs · Quick Examples |
| Roadmap | Full Vision |
| GitLab CI Component | Component Reference · Template |
Quick Start
# .stagefreight.yml
version: 1
builds:
- id: myapp
kind: docker
platforms: [linux/amd64]
targets:
- id: dockerhub
kind: registry
build: myapp
url: docker.io
path: yourorg/yourapp
tags: ["{version}", "latest"]
when: { events: [tag] }
credentials: DOCKER
# .gitlab-ci.yml
build-image:
image: docker.io/prplanit/stagefreight:latest-dev
services:
- docker.io/library/docker:27-dind
script:
- stagefreight docker build
rules:
- if: '$CI_COMMIT_TAG'
# or run locally
docker run --rm -v "$(pwd)":/src -w /src \
-v /var/run/docker.sock:/var/run/docker.sock \
docker.io/prplanit/stagefreight:latest-dev \
sh -c 'git config --global --add safe.directory /src && stagefreight docker build --local'
CLI Commands
stagefreight docker build # detect → plan → lint → build → push → retention
stagefreight docker readme # sync README to container registries
stagefreight lint # run lint modules on the working tree
stagefreight security scan # trivy + grype scan + SBOM generation
stagefreight release create # create forge release with notes + sync
stagefreight release notes # generate release notes from git log
stagefreight release badge # generate/commit release status badge SVG
stagefreight release prune # prune old releases via retention policy
stagefreight badge generate # generate SVG badges from config
stagefreight narrator run # compose narrator items into target files
stagefreight narrator compose # ad-hoc CLI-driven composition
stagefreight docs generate # generate CLI + config reference docs
stagefreight component docs # generate component input documentation
stagefreight dependency update # update dependencies with freshness analysis
stagefreight migrate # migrate config to latest schema version
stagefreight version # print version info
See CLI Reference for full flag documentation.
Image Contents
Base Images
Runtime Packages
Looking for a minimal image?
| Image | Purpose |
|---|---|
prplanit/stagefreight:0.1.1 |
Last pre-CLI release — vanilla DevOps toolchain (bash, docker-cli, buildx, python3, yq, jq, etc.) |
prplanit/ansible-oci |
Ansible-native image — Python 3.13 + Alpine 3.22, ansible-core, ansible-lint, sops, rage, pywinrm, kubernetes.core, community.docker, community.sops |
Starting from 0.2.0, prplanit/stagefreight includes the Go CLI binary and is purpose-built for stagefreight docker build workflows.
Contributing
- Fork the repository
- Submit Pull Requests / Merge Requests
- Open issues with ideas, bugs, or feature requests
Disclaimer
The Software provided hereunder is licensed "as-is," without warranties of any kind. The developer makes no promises about functionality, performance, or availability. Not responsible if StageFreight replaces your entire CI pipeline and you find yourself with free time you didn't expect, your retention policies work so well your registry bill drops and finance gets confused, or your release notes become more detailed than the actual features they describe.
Any resemblance to working software is entirely intentional but not guaranteed. The developer claims no credit for anything that actually goes right — that's all you and the unstoppable force of the Open Source community.
License
Distributed under the AGPL-3.0-only License. See LICENSING.md for commercial licensing.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
stagefreight-gen-banner
command
Command stagefreight-gen-banner generates a Go source file containing the StageFreight logo as an ANSI-escaped string constant.
|
Command stagefreight-gen-banner generates a Go source file containing the StageFreight logo as an ANSI-escaped string constant. |
|
internal
|
|
|
src
|
|
|
atomicfile
Package atomicfile provides atomic file write operations.
|
Package atomicfile provides atomic file write operations. |
|
badge
Package badge provides a configurable SVG badge engine with dynamic font measurement.
|
Package badge provides a configurable SVG badge engine with dynamic font measurement. |
|
build/contributors
Package contributors holds the build-strategy contributors that supply rows into a perform run's domains.
|
Package contributors holds the build-strategy contributors that supply rows into a perform run's domains. |
|
build/domains
Package domains makes a perform run a single domain-ordered narrative.
|
Package domains makes a perform run a single domain-ordered narrative. |
|
build/engines
Package engines contains all built-in build engines.
|
Package engines contains all built-in build engines. |
|
cas
Package cas is StageFreight's content-addressed artifact store: it retains the exact OCI layout bytes produced by a single perform-stage build so that review and publish operate on those bytes rather than re-deriving the image.
|
Package cas is StageFreight's content-addressed artifact store: it retains the exact OCI layout bytes produced by a single perform-stage build so that review and publish operate on those bytes rather than re-deriving the image. |
|
ci/render/azuredevops
Package azuredevops renders a StageFreight pipeline to an Azure DevOps pipeline.
|
Package azuredevops renders a StageFreight pipeline to an Azure DevOps pipeline. |
|
ci/render/forgejo
Package forgejo renders a StageFreight pipeline to a Forgejo Actions workflow.
|
Package forgejo renders a StageFreight pipeline to a Forgejo Actions workflow. |
|
ci/render/gitea
Package gitea renders a StageFreight pipeline to a Gitea Actions workflow.
|
Package gitea renders a StageFreight pipeline to a Gitea Actions workflow. |
|
ci/render/github
Package github renders a StageFreight pipeline to a GitHub Actions workflow.
|
Package github renders a StageFreight pipeline to a GitHub Actions workflow. |
|
ci/render/gitlab
Package gitlab lowers a forge-neutral model.Pipeline to GitLab CI YAML.
|
Package gitlab lowers a forge-neutral model.Pipeline to GitLab CI YAML. |
|
ci/render/internal/actions
Package actions is a private serialization backend: it writes a forge-neutral model.Pipeline out in the GitHub Actions workflow wire format.
|
Package actions is a private serialization backend: it writes a forge-neutral model.Pipeline out in the GitHub Actions workflow wire format. |
|
ci/render/internal/azurepipelines
Package azurepipelines is a private serialization backend: it writes a forge-neutral model.Pipeline out as an Azure DevOps pipeline (azure-pipelines.yml).
|
Package azurepipelines is a private serialization backend: it writes a forge-neutral model.Pipeline out as an Azure DevOps pipeline (azure-pipelines.yml). |
|
ci/render/model
Package model defines the forge-neutral CI pipeline types.
|
Package model defines the forge-neutral CI pipeline types. |
|
cli
command
|
|
|
component
Package component provides GitLab CI component spec parsing and documentation generation for the `stagefreight component` command family.
|
Package component provides GitLab CI component spec parsing and documentation generation for the `stagefreight component` command family. |
|
credentials
Package credentials provides centralized registry credential resolution.
|
Package credentials provides centralized registry credential resolution. |
|
docker
Package docker provides Docker lifecycle orchestration for StageFreight.
|
Package docker provides Docker lifecycle orchestration for StageFreight. |
|
fonts
Package fonts provides embedded TTF fonts shared across StageFreight packages.
|
Package fonts provides embedded TTF fonts shared across StageFreight packages. |
|
forge
Package forge provides a platform-agnostic abstraction over git forges (GitLab, GitHub, Gitea/Forgejo).
|
Package forge provides a platform-agnostic abstraction over git forges (GitLab, GitHub, Gitea/Forgejo). |
|
gitops
Package gitops provides Flux CD graph discovery, change impact analysis, and reconciliation coordination.
|
Package gitops provides Flux CD graph discovery, change impact analysis, and reconciliation coordination. |
|
gitver
Package gitver provides git-based version detection and tag template resolution.
|
Package gitver provides git-based version detection and tag template resolution. |
|
governance
Package governance re-exports preset resolution from src/config.
|
Package governance re-exports preset resolution from src/config. |
|
k8s
Package k8s provides Kubernetes cluster discovery for the k8s-inventory narrator module.
|
Package k8s provides Kubernetes cluster discovery for the k8s-inventory narrator module. |
|
lint/modules
Package modules contains all built-in lint modules.
|
Package modules contains all built-in lint modules. |
|
lint/modules/freshness
Package freshness checks for outdated dependencies across ecosystems: Dockerfile base images, pinned tool versions, Go modules, Rust crates, npm packages, Alpine APK, Debian/Ubuntu APT, and pip packages.
|
Package freshness checks for outdated dependencies across ecosystems: Dockerfile base images, pinned tool versions, Go modules, Rust crates, npm packages, Alpine APK, Debian/Ubuntu APT, and pip packages. |
|
lint/modules/osv
Package osv runs osv-scanner against lockfiles to detect known vulnerabilities from the OSV database.
|
Package osv runs osv-scanner against lockfiles to detect known vulnerabilities from the OSV database. |
|
manifest
Package manifest defines the StageFreight manifest schema and deterministic JSON serialization.
|
Package manifest defines the StageFreight manifest schema and deterministic JSON serialization. |
|
narrator
Package narrator composes modules into managed README sections.
|
Package narrator composes modules into managed README sections. |
|
output/layout
Package layout provides terminal-aware text layout primitives.
|
Package layout provides terminal-aware text layout primitives. |
|
output/termutil
Package termutil detects terminal constraints for output layout.
|
Package termutil detects terminal constraints for output layout. |
|
postbuild
Package postbuild contains post-build hook adapters that coordinate between the pipeline framework and external system packages (registry, badge, etc.).
|
Package postbuild contains post-build hook adapters that coordinate between the pipeline framework and external system packages (registry, badge, etc.). |
|
promote
Package promote distributes a content-store OCI layout to a registry WITHOUT rebuilding and WITHOUT a daemon round-trip, preserving the exact index digest that perform recorded and review verified.
|
Package promote distributes a content-store OCI layout to a registry WITHOUT rebuilding and WITHOUT a daemon round-trip, preserving the exact index digest that perform recorded and review verified. |
|
props
Package props implements the composable presentation subsystem.
|
Package props implements the composable presentation subsystem. |
|
registry
Package registry provides a platform-agnostic abstraction over container registries (Docker Hub, GitLab, GHCR, Quay, JFrog, Harbor, Gitea).
|
Package registry provides a platform-agnostic abstraction over container registries (Docker Hub, GitLab, GHCR, Quay, JFrog, Harbor, Gitea). |
|
release
Package release handles release notes generation, release creation, and cross-platform sync.
|
Package release handles release notes generation, release creation, and cross-platform sync. |
|
retention
Package retention implements a restic-style retention engine that works with any named+timestamped items (registry tags, forge releases, etc).
|
Package retention implements a restic-style retention engine that works with any named+timestamped items (registry tags, forge releases, etc). |
|
runner
Package runner implements execution substrate introspection.
|
Package runner implements execution substrate introspection. |
|
security
Package security provides vulnerability scanning and SBOM generation.
|
Package security provides vulnerability scanning and SBOM generation. |
|
ssh
Package ssh provides SSH authentication and host key resolution for all SSH transports in StageFreight.
|
Package ssh provides SSH authentication and host key resolution for all SSH transports in StageFreight. |
|
sync
Package sync implements forge accessory synchronization.
|
Package sync implements forge accessory synchronization. |
|
toolchain
Package toolchain provides a governed execution substrate for external tools.
|
Package toolchain provides a governed execution substrate for external tools. |
|
trace
Package trace implements the truth emission model for StageFreight.
|
Package trace implements the truth emission model for StageFreight. |
Click to show internal directories.
Click to hide internal directories.