container-source-policy-windows-arm64 0.2.0 → 0.3.0

package/README.md

@@ -87,24 +87,28 @@ container-source-policy completion zsh
 
 ## What gets pinned
 
-### Container images (`FROM`)
+### Container images (`FROM`, `COPY --from`, `ONBUILD`)
 
-- Looks at `FROM …` instructions across all provided Dockerfiles.
+- Looks at `FROM …`, `COPY --from=<image>`, and their `ONBUILD` variants across all provided Dockerfiles.
 - Skips:
   - `FROM scratch`
-  - `FROM <stage>` references to a previous named build stage
-  - `FROM ${VAR}` / `FROM $VAR` (unexpanded ARG/ENV variables)
+  - `FROM <stage>` / `COPY --from=<stage>` references to a previous named build stage
+  - `COPY --from=0` numeric stage indices
+  - `FROM ${VAR}` / `COPY --from=${VAR}` (unexpanded ARG/ENV variables)
   - images already written as `name@sha256:…`
 - Resolves the image manifest digest from the registry and emits BuildKit `CONVERT` rules of the form:
   - `docker-image://<as-written-in-Dockerfile>` → `docker-image://<normalized>@sha256:…`
 
-### HTTP sources (`ADD`)
+### HTTP sources (`ADD`, `ONBUILD ADD`)
 
-- Looks at `ADD <url> …` instructions with HTTP/HTTPS URLs.
+- Looks at `ADD <url> …` and `ONBUILD ADD <url> …` instructions with HTTP/HTTPS URLs.
 - Skips:
   - `ADD --checksum=… <url>` (already pinned)
   - URLs containing unexpanded variables (`${VAR}`, `$VAR`)
+  - Git URLs (handled separately, see below)
+  - Volatile content (emits warning): URLs returning `Cache-Control: no-store`, `no-cache`, `max-age=0`, or expired `Expires` headers
 - Fetches the checksum and emits `CONVERT` rules with `http.checksum` attribute.
+- **Respects `Vary` header**: captures request headers that affect response content (e.g., `User-Agent`, `Accept-Encoding`) and includes them in the policy as `http.header.*` attributes to ensure reproducible builds.
 
 **Optimized checksum fetching** — avoids downloading large files when possible:
 - `raw.githubusercontent.com`: extracts SHA256 from ETag header
@@ -112,6 +116,20 @@ container-source-policy completion zsh
 - S3: uses `x-amz-checksum-sha256` response header (by sending `x-amz-checksum-mode: ENABLED`)
 - Fallback: downloads and computes SHA256
 
+### Git sources (`ADD`, `ONBUILD ADD`)
+
+- Looks at `ADD <git-url> …` and `ONBUILD ADD <git-url> …` instructions with Git repository URLs.
+- Supports various Git URL formats:
+  - `https://github.com/owner/repo.git#ref`
+  - `git://host/path#ref`
+  - `git@github.com:owner/repo#ref`
+  - `ssh://git@host/path#ref`
+- Skips URLs containing unexpanded variables (`${VAR}`, `$VAR`)
+- Uses `git ls-remote` to resolve the ref (branch, tag, or commit) to a commit SHA
+- Emits `CONVERT` rules with `git.checksum` attribute (full 40-character commit SHA)
+
+Example: `ADD https://github.com/cli/cli.git#v2.40.0 /dest` pins to commit `54d56cab...`
+
 ## Development
 
 ```bash
@@ -132,6 +150,7 @@ UPDATE_SNAPS=true go test ./internal/integration/...
 - `internal/dockerfile`: Dockerfile parsing (`FROM` and `ADD` extraction)
 - `internal/registry`: registry client (image digest resolution)
 - `internal/http`: HTTP client (URL checksum fetching with optimizations)
+- `internal/git`: Git client (commit SHA resolution via git ls-remote)
 - `internal/policy`: BuildKit source policy types and JSON output
 - `internal/pin`: orchestration logic for `pin`
 - `internal/integration`: end-to-end tests with mock registry/HTTP server and snapshots

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "container-source-policy-windows-arm64",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "The windows arm64 binary for container-source-policy",
   "repository": {
     "type": "git",