container-source-policy-windows-arm64 0.1.3 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +73 -24
- package/bin/container-source-policy.exe +0 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -1,43 +1,50 @@
|
|
|
1
1
|
# container-source-policy
|
|
2
2
|
|
|
3
|
-
Generate a Docker BuildKit **source policy** file
|
|
3
|
+
Generate a Docker BuildKit **source policy** file by parsing Dockerfiles and pinning `FROM` images to immutable digests.
|
|
4
4
|
|
|
5
5
|
This helps make `docker buildx build` inputs reproducible without rewriting your Dockerfile.
|
|
6
6
|
|
|
7
|
+
See the [BuildKit documentation on build reproducibility](https://github.com/moby/buildkit/blob/master/docs/build-repro.md) for more details on source policies.
|
|
8
|
+
|
|
7
9
|
## Quick start
|
|
8
10
|
|
|
9
11
|
```bash
|
|
10
12
|
container-source-policy pin --stdout Dockerfile > source-policy.json
|
|
11
|
-
docker buildx build
|
|
13
|
+
EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=source-policy.json docker buildx build -t my-image:dev .
|
|
12
14
|
```
|
|
13
15
|
|
|
16
|
+
> **Note:** [`EXPERIMENTAL_BUILDKIT_SOURCE_POLICY`](https://docs.docker.com/build/building/variables/#experimental_buildkit_source_policy) is the environment variable used by Docker Buildx to specify a source policy file.
|
|
17
|
+
|
|
14
18
|
## Install
|
|
15
19
|
|
|
16
|
-
|
|
20
|
+
Run directly without installing (recommended):
|
|
17
21
|
|
|
18
22
|
```bash
|
|
19
|
-
|
|
20
|
-
|
|
23
|
+
# npm/bun
|
|
24
|
+
npx container-source-policy --help
|
|
25
|
+
bunx container-source-policy --help
|
|
21
26
|
|
|
22
|
-
|
|
27
|
+
# Python
|
|
28
|
+
uvx container-source-policy --help
|
|
23
29
|
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
container-source-policy --help
|
|
30
|
+
# Ruby (requires RubyGems 3.3+)
|
|
31
|
+
gem exec container-source-policy --help
|
|
27
32
|
```
|
|
28
33
|
|
|
29
|
-
|
|
34
|
+
Or install globally:
|
|
30
35
|
|
|
31
36
|
```bash
|
|
32
|
-
|
|
33
|
-
container-source-policy
|
|
34
|
-
```
|
|
37
|
+
# Go (build from source)
|
|
38
|
+
go install github.com/tinovyatkin/container-source-policy@latest
|
|
35
39
|
|
|
36
|
-
|
|
40
|
+
# npm
|
|
41
|
+
npm i -g container-source-policy
|
|
37
42
|
|
|
38
|
-
|
|
43
|
+
# Python
|
|
44
|
+
pipx install container-source-policy
|
|
45
|
+
|
|
46
|
+
# Ruby
|
|
39
47
|
gem install container-source-policy
|
|
40
|
-
container-source-policy --help
|
|
41
48
|
```
|
|
42
49
|
|
|
43
50
|
## Usage
|
|
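Review bot: the Install section (the `npx`, `bunx`, `uvx` and `gem exec` lines, and `go install github.com/tinovyatkin/container-source-policy@latest`) recommends running whatever version the registry serves next, which is at odds with a tool whose purpose is pinning build inputs to immutable digests. Suggest showing a pinned invocation in the recommended path, e.g. `npx container-source-policy@0.3.0 --help`, a pinned module version instead of `@latest`, and one sentence that CI should pin the tool version it runs.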
@@ -60,10 +67,16 @@ Write directly to a file:
|
|
|
60
67
|
container-source-policy pin --output source-policy.json Dockerfile
|
|
61
68
|
```
|
|
62
69
|
|
|
63
|
-
Then pass the policy to BuildKit / Buildx:
|
|
70
|
+
Then pass the policy to BuildKit / Buildx via the environment variable:
|
|
71
|
+
|
|
72
|
+
```bash
|
|
73
|
+
EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=source-policy.json docker buildx build .
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
Or use `buildctl` directly with the `--source-policy-file` flag:
|
|
64
77
|
|
|
65
78
|
```bash
|
|
66
|
-
|
|
79
|
+
buildctl build --frontend dockerfile.v0 --local dockerfile=. --local context=. --source-policy-file source-policy.json
|
|
67
80
|
```
|
|
68
81
|
|
|
69
82
|
Shell completion scripts are available via Cobra:
|
|
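Review bot: the paragraph ending `Then pass the policy to BuildKit / Buildx via the environment variable:` should say what the policy does and does not enforce at build time: the file holds CONVERT rules, so a `FROM` or `ADD` reference that no rule matches (a source added after `pin` was run, or one the tool skipped) is resolved as written rather than rejected. A short sentence that the policy must be regenerated whenever the Dockerfile's sources change, and that the `pin` output belongs under version control and review like a lockfile, would stop readers assuming `EXPERIMENTAL_BUILDKIT_SOURCE_POLICY` enforces pinning on its own.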
@@ -74,15 +87,49 @@ container-source-policy completion zsh
|
|
|
74
87
|
|
|
75
88
|
## What gets pinned
|
|
76
89
|
|
|
77
|
-
|
|
90
|
+
### Container images (`FROM`, `COPY --from`, `ONBUILD`)
|
|
91
|
+
|
|
92
|
+
- Looks at `FROM …`, `COPY --from=<image>`, and their `ONBUILD` variants across all provided Dockerfiles.
|
|
78
93
|
- Skips:
|
|
79
94
|
- `FROM scratch`
|
|
80
|
-
- `FROM <stage>` references to a previous named build stage
|
|
81
|
-
- `
|
|
95
|
+
- `FROM <stage>` / `COPY --from=<stage>` references to a previous named build stage
|
|
96
|
+
- `COPY --from=0` numeric stage indices
|
|
97
|
+
- `FROM ${VAR}` / `COPY --from=${VAR}` (unexpanded ARG/ENV variables)
|
|
82
98
|
- images already written as `name@sha256:…`
|
|
83
99
|
- Resolves the image manifest digest from the registry and emits BuildKit `CONVERT` rules of the form:
|
|
84
100
|
- `docker-image://<as-written-in-Dockerfile>` → `docker-image://<normalized>@sha256:…`
|
|
85
101
|
|
|
102
|
+
### HTTP sources (`ADD`, `ONBUILD ADD`)
|
|
103
|
+
|
|
104
|
+
- Looks at `ADD <url> …` and `ONBUILD ADD <url> …` instructions with HTTP/HTTPS URLs.
|
|
105
|
+
- Skips:
|
|
106
|
+
- `ADD --checksum=… <url>` (already pinned)
|
|
107
|
+
- URLs containing unexpanded variables (`${VAR}`, `$VAR`)
|
|
108
|
+
- Git URLs (handled separately, see below)
|
|
109
|
+
- Volatile content (emits warning): URLs returning `Cache-Control: no-store`, `no-cache`, `max-age=0`, or expired `Expires` headers
|
|
110
|
+
- Fetches the checksum and emits `CONVERT` rules with `http.checksum` attribute.
|
|
111
|
+
- **Respects `Vary` header**: captures request headers that affect response content (e.g., `User-Agent`, `Accept-Encoding`) and includes them in the policy as `http.header.*` attributes to ensure reproducible builds.
|
|
112
|
+
|
|
113
|
+
**Optimized checksum fetching** — avoids downloading large files when possible:
|
|
114
|
+
- `raw.githubusercontent.com`: extracts SHA256 from ETag header
|
|
115
|
+
- GitHub releases: uses the API `digest` field (set `GITHUB_TOKEN` for higher rate limits)
|
|
116
|
+
- S3: uses `x-amz-checksum-sha256` response header (by sending `x-amz-checksum-mode: ENABLED`)
|
|
117
|
+
- Fallback: downloads and computes SHA256
|
|
118
|
+
|
|
119
|
+
### Git sources (`ADD`, `ONBUILD ADD`)
|
|
120
|
+
|
|
121
|
+
- Looks at `ADD <git-url> …` and `ONBUILD ADD <git-url> …` instructions with Git repository URLs.
|
|
122
|
+
- Supports various Git URL formats:
|
|
123
|
+
- `https://github.com/owner/repo.git#ref`
|
|
124
|
+
- `git://host/path#ref`
|
|
125
|
+
- `git@github.com:owner/repo#ref`
|
|
126
|
+
- `ssh://git@host/path#ref`
|
|
127
|
+
- Skips URLs containing unexpanded variables (`${VAR}`, `$VAR`)
|
|
128
|
+
- Uses `git ls-remote` to resolve the ref (branch, tag, or commit) to a commit SHA
|
|
129
|
+
- Emits `CONVERT` rules with `git.checksum` attribute (full 40-character commit SHA)
|
|
130
|
+
|
|
131
|
+
Example: `ADD https://github.com/cli/cli.git#v2.40.0 /dest` pins to commit `54d56cab...`
|
|
132
|
+
|
|
86
133
|
## Development
|
|
87
134
|
|
|
88
135
|
```bash
|
|
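Review bot: the `S3: uses x-amz-checksum-sha256 response header` line needs a caveat: S3 returns that header base64-encoded, and for objects uploaded via multipart it is a composite checksum (`<base64>-<part count>`) over the part checksums, not the SHA256 of the object bytes, so it cannot be written into `http.checksum` as-is. Document (and make sure the code does) that composite values fall through to the `Fallback: downloads and computes SHA256` path and that the base64 value is converted to the `sha256:<hex>` form BuildKit expects. Separately, every entry under the two `Skips:` lists leaves that instruction unpinned in the emitted policy; for the `Volatile content (emits warning)` case the README should state whether the warning can be turned into a failing exit for CI.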
@@ -100,11 +147,13 @@ UPDATE_SNAPS=true go test ./internal/integration/...
|
|
|
100
147
|
## Repository layout
|
|
101
148
|
|
|
102
149
|
- `cmd/container-source-policy/cmd/`: Cobra CLI commands
|
|
103
|
-
- `internal/dockerfile`: Dockerfile parsing (`FROM` extraction)
|
|
104
|
-
- `internal/registry`: registry client (digest resolution)
|
|
150
|
+
- `internal/dockerfile`: Dockerfile parsing (`FROM` and `ADD` extraction)
|
|
151
|
+
- `internal/registry`: registry client (image digest resolution)
|
|
152
|
+
- `internal/http`: HTTP client (URL checksum fetching with optimizations)
|
|
153
|
+
- `internal/git`: Git client (commit SHA resolution via git ls-remote)
|
|
105
154
|
- `internal/policy`: BuildKit source policy types and JSON output
|
|
106
155
|
- `internal/pin`: orchestration logic for `pin`
|
|
107
|
-
- `internal/integration`: end-to-end tests with
|
|
156
|
+
- `internal/integration`: end-to-end tests with mock registry/HTTP server and snapshots
|
|
108
157
|
- `packaging/`: wrappers for publishing prebuilt binaries to npm / PyPI / RubyGems
|
|
109
158
|
|
|
110
159
|
## Packaging
|
|
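Review bot: the updated `internal/dockerfile` line describes parsing as `FROM` and `ADD` extraction, but the `What gets pinned` section of the same README also covers `COPY --from=<image>` and the `ONBUILD` variants; list those here too so the layout matches the documented behaviour, e.g. `Dockerfile parsing (FROM, COPY --from, ADD and ONBUILD extraction)`.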
Binary file
|