oci

package
v0.10.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 25, 2026 License: Apache-2.0 Imports: 28 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// MediaTypePixiConfig is the media type for pixi config (empty JSON)
	MediaTypePixiConfig = "application/vnd.pixi.config.v1+toml"
	// MediaTypePixiToml is the media type for pixi.toml manifest
	MediaTypePixiToml = "application/vnd.pixi.toml.v1+toml"
	// MediaTypePixiLock is the media type for pixi.lock lockfile
	MediaTypePixiLock = "application/vnd.pixi.lock.v1+yaml"
	// MediaTypeNebiAsset is the media type for arbitrary bundled workspace
	// files. Path is carried in the layer's AnnotationTitle.
	MediaTypeNebiAsset = "application/vnd.nebi.asset.v1"
)

Variables

This section is empty.

Functions

func ChangeRepositoryVisibility 

func ChangeRepositoryVisibility(ctx context.Context, host, repoPath, apiToken string, isPublic bool) error

ChangeRepositoryVisibility changes the visibility of a repository on Quay.io. It calls the Quay.io API: POST /api/v1/repository/{repo}/changevisibility

func IsNebiRepository 

func IsNebiRepository(ctx context.Context, repoRef string, opts BrowseOptions) bool

IsNebiRepository checks if a repository contains a Nebi OCI image by inspecting the manifest config media type of the first available tag.

func ParseRegistryURL 

func ParseRegistryURL(rawURL string) (host, namespace string)

ParseRegistryURL splits a registry URL into its host and optional namespace. For example, "quay.io/nebari" returns host="quay.io", namespace="nebari". A plain host like "quay.io" returns namespace="".

func ParseRegistryURLFull added in v0.10.4 

func ParseRegistryURLFull(rawURL string) (host, namespace string, plainHTTP bool)

ParseRegistryURLFull is like ParseRegistryURL but also reports whether the URL explicitly used the http:// scheme. Only an explicit http:// is treated as opt-in plaintext; a scheme-less URL defaults to HTTPS. Intended so local/test registries can signal "plain HTTP" by writing their URL with http://.

func PreviewAssetRefs added in v0.10.5 

func PreviewAssetRefs(workspaceDir string) ([]contenthash.AssetRef, error)

PreviewAssetRefs walks a workspace directory with the same filters Publish applies, and returns each asset (paths relative to workspaceDir, forward-slash) paired with its SHA-256 content digest. pixi.toml and pixi.lock are stripped — callers fold those in through contenthash.HashBundle's first two arguments. The digest is the SHA-256 of the file bytes, not an OCI blob digest, but both the CLI-local publish path and the server publish-defaults derive the hash the same way from the same bytes, so the resulting tag is stable across paths.

func PublishWorkspace 

func PublishWorkspace(ctx context.Context, envPath string, opts PublishOptions) (string, error)

PublishWorkspace is a thin shim retained for the server caller. It publishes pixi.toml + pixi.lock from envPath (no walker) — equivalent to PublishPixiOnly applied to a pre-assembled repository string. Returns the manifest digest so the caller's existing signature is preserved.

func StripScheme added in v0.10.4 

func StripScheme(ref string) (stripped string, plainHTTP bool)

StripScheme removes an http:// or https:// prefix from an OCI reference and reports whether the original was plain HTTP. Scheme-less input is returned as-is with plainHTTP=false (defaults to HTTPS). Shared by the registry URL parser and the CLI import command.

Types

type Asset added in v0.10.4 

type Asset struct {
	RelPath string
	AbsPath string
	Size    int64
}

Asset is a single file bundled into a Nebi OCI artifact beyond the core pixi.toml / pixi.lock layers. RelPath is the bundle-relative path (forward slashes); AbsPath is the resolved on-disk source. Callers normally never construct this — Preview and the internal walker do.

func Preview added in v0.10.4 

func Preview(ctx context.Context, workspaceDir string) ([]Asset, error)

Preview returns the files Publish would bundle, in deterministic order, without touching the network. Useful for pre-publish confirmation UI and future "nebi bundle ls"-style commands.

type AssetBlob added in v0.10.4 

type AssetBlob struct {
	Path string
}

AssetBlob names a single asset layer in a bundle. It is a listing entry; the blob bytes are never carried in-memory — ExtractBundle streams each asset straight to disk.

type BrowseOptions 

type BrowseOptions struct {
	RegistryHost string
	Username     string
	Password     string
}

BrowseOptions contains options for browsing an OCI registry

type PublishOption added in v0.10.4 

type PublishOption func(*publishConfig)

PublishOption tunes Publish / PublishPixiOnly. Zero options = defaults.

func WithConcurrency added in v0.10.4 

func WithConcurrency(n int) PublishOption

WithConcurrency bounds parallel blob pushes. Values ≤ 0 fall back to the default (8).

func WithExtraTags added in v0.10.4 

func WithExtraTags(tags ...string) PublishOption

WithExtraTags applies additional tags to the manifest after the primary tag lands. There is no implicit "latest" — callers opt in explicitly.

func WithProgress added in v0.10.4 

func WithProgress(fn func(label string, pushed, total int)) PublishOption

WithProgress installs a per-blob progress callback. Called once per blob after it completes successfully. The callback must be safe to call concurrently.

type PublishOptions 

type PublishOptions struct {
	Repository   string
	Tag          string
	ExtraTags    []string
	Username     string
	Password     string
	RegistryHost string
}

PublishOptions is the pre-bundle publish option shape. Kept for the server-side caller (internal/service/workspace_publishing.go) which builds a concatenated repository string rather than a Registry struct. New callers should use Publish / PublishPixiOnly instead.

type PublishResult added in v0.10.4 

type PublishResult struct {
	Repository string // fully-qualified host/namespace/repo
	Tag        string
	Digest     string // sha256:... of the manifest
	AssetCount int    // files bundled beyond pixi.toml/pixi.lock
}

PublishResult summarizes a successful publish.

func Publish added in v0.10.4 

func Publish(
	ctx context.Context,
	workspaceDir string,
	reg Registry,
	repo, tag string,
	opts ...PublishOption,
) (PublishResult, error)

Publish publishes the workspace at workspaceDir to reg/repo:tag. The workspace is walked using hardcoded drops (.git/, .pixi/) → [tool.nebi.bundle].include → .gitignore → [tool.nebi.bundle].exclude → force-include of pixi.toml/pixi.lock. pixi.toml and pixi.lock always become typed layers 0 and 1; every surviving file rides as a MediaTypeNebiAsset layer. Unsafe asset paths abort before any blob leaves the process.

func PublishPixiOnly added in v0.10.4 

func PublishPixiOnly(
	ctx context.Context,
	coreDir string,
	reg Registry,
	repo, tag string,
	opts ...PublishOption,
) (PublishResult, error)

PublishPixiOnly publishes only pixi.toml and pixi.lock from coreDir, producing a legacy two-layer bundle byte-compatible with pre-bundle artifacts. The walker is never invoked; stray files in coreDir are ignored. Intended for server-side publish, where no user workspace exists on disk.

type PullOptions added in v0.10.4 

type PullOptions struct {
	Username    string
	Password    string
	Concurrency int // ≤ 0 uses default (8)
	// PlainHTTP talks to the registry over HTTP. Test/local registries
	// only.
	PlainHTTP bool
	// MaxBundleBytes caps the total size of all classified layers in the
	// manifest (sum of pixi.toml + pixi.lock + every asset). Enforced
	// before the first byte is fetched, so an attacker-controlled
	// registry cannot exhaust disk by streaming a multi-GB asset blob.
	// Zero or negative = no cap.
	MaxBundleBytes int64
}

PullOptions controls an OCI bundle pull.

type PullResult 

type PullResult struct {
	PixiToml string      `json:"pixi_toml"`
	PixiLock string      `json:"pixi_lock"`
	Assets   []AssetBlob `json:"assets,omitempty"`
	// Digest is the sha256 of the manifest this result was built from.
	// Callers that peeked via PullBundle can hand it back to a
	// digest-pinned extract so a mutable tag cannot swap content out
	// from under them between calls.
	Digest string `json:"digest,omitempty"`
}

PullResult contains the metadata pulled from a registry tag. PixiToml and PixiLock hold the core layer contents (small text files, always buffered). Assets lists every asset layer's path; the blob bytes are not populated because asset payloads can be arbitrarily large and only make sense as on-disk files (see ExtractBundle).

func ExtractBundle added in v0.10.4 

func ExtractBundle(ctx context.Context, repoRef, tag, destDir string, opts PullOptions) (*PullResult, error)

ExtractBundle pulls a bundle from the registry and writes every layer (pixi.toml, pixi.lock, each asset) to destDir, streaming each blob straight from the network to disk — no asset ever lands fully in RAM. Honors the layer's AnnotationTitle as the on-disk relative path. destDir is created if missing; caller is responsible for the "empty destination" policy (see cmd/nebi/import.go).

Implementation delegates blob transfer to oras.Copy over a file.Store rooted at destDir. That gives us streamed I/O, parallel fetches configured via opts.Concurrency, and file.Store's AllowPathTraversalOnWrite=false default as defense-in-depth over the pre-validated titles.

func PullBundle added in v0.10.4 

func PullBundle(ctx context.Context, repoRef, tag string, opts PullOptions) (*PullResult, error)

PullBundle fetches a bundle's metadata from the registry: pixi.toml and pixi.lock contents (small text files, always buffered) plus the list of asset layer paths. Asset blob bytes are NOT fetched — callers that need the bytes on disk should use ExtractBundle instead.

func PullEnvironment 

func PullEnvironment(ctx context.Context, repoRef, tag string, opts BrowseOptions) (*PullResult, error)

PullEnvironment is a backward-compatible alias that fetches only the pixi.toml + pixi.lock layers of a bundle. Asset layers (if any) are listed in the returned result's Assets slice but never fetched.

type Registry added in v0.10.4 

type Registry struct {
	Host      string
	Namespace string
	Username  string
	Password  string
	PlainHTTP bool
}

Registry identifies an OCI registry endpoint plus credentials. Host is the scheme-less hostname (e.g. "ghcr.io", "localhost:5000"). PlainHTTP forces HTTP — dev/test registries only.

type RepositoryInfo 

type RepositoryInfo struct {
	Name     string `json:"name"`
	IsPublic *bool  `json:"is_public,omitempty"`
}

RepositoryInfo contains information about a repository

func FilterNebiRepositories 

func FilterNebiRepositories(ctx context.Context, repos []RepositoryInfo, host string, opts BrowseOptions) []RepositoryInfo

FilterNebiRepositories filters a list of repositories to only include those that contain Nebi OCI images. It checks repositories concurrently with a semaphore.

func ListRepositories 

func ListRepositories(ctx context.Context, opts BrowseOptions) ([]RepositoryInfo, error)

ListRepositories queries the /v2/_catalog endpoint for a registry

func ListRepositoriesViaQuayAPI 

func ListRepositoriesViaQuayAPI(ctx context.Context, host, namespace, apiToken string) ([]RepositoryInfo, error)

ListRepositoriesViaQuayAPI lists repositories using Quay.io's REST API, following pagination via the `next_page` cursor. Used as a fallback when the standard /v2/_catalog endpoint isn't supported. If an API token is provided, it is sent as a Bearer token so private repos surface too; public=true is always set so public repos come back regardless of auth.

func ListRepositoriesViaQuayAPIWithClient added in v0.10.4 

func ListRepositoriesViaQuayAPIWithClient(ctx context.Context, host, namespace, apiToken string, client *http.Client) ([]RepositoryInfo, error)

ListRepositoriesViaQuayAPIWithClient is the injectable-client form of ListRepositoriesViaQuayAPI. The public entry point delegates here with http.DefaultClient; tests aim at an httptest server by passing a configured client.

type TagInfo 

type TagInfo struct {
	Name string `json:"name"`
}

TagInfo contains information about a tag

func ListTags 

func ListTags(ctx context.Context, repoRef string, opts BrowseOptions) ([]TagInfo, error)

ListTags lists all tags for a given repository reference

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.