container-source-policy 0.1.3 → 0.2.0

package/README.md

@@ -1,43 +1,50 @@
 # container-source-policy
 
-Generate a Docker BuildKit **source policy** file (`docker buildx build --source-policy-file …`) by parsing Dockerfiles and pinning `FROM` images to immutable digests.
+Generate a Docker BuildKit **source policy** file by parsing Dockerfiles and pinning `FROM` images to immutable digests.
 
 This helps make `docker buildx build` inputs reproducible without rewriting your Dockerfile.
 
+See the [BuildKit documentation on build reproducibility](https://github.com/moby/buildkit/blob/master/docs/build-repro.md) for more details on source policies.
+
 ## Quick start
 
 ```bash
 container-source-policy pin --stdout Dockerfile > source-policy.json
-docker buildx build --source-policy-file source-policy.json -t my-image:dev .
+EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=source-policy.json docker buildx build -t my-image:dev .
 ```
 
+> **Note:** [`EXPERIMENTAL_BUILDKIT_SOURCE_POLICY`](https://docs.docker.com/build/building/variables/#experimental_buildkit_source_policy) is the environment variable used by Docker Buildx to specify a source policy file.
+
 ## Install
 
-### Go (build from source)
+Run directly without installing (recommended):
 
 ```bash
-go install github.com/tinovyatkin/container-source-policy@latest
-```
+# npm/bun
+npx container-source-policy --help
+bunx container-source-policy --help
 
-### npm (prebuilt binary)
+# Python
+uvx container-source-policy --help
 
-```bash
-npm i -g container-source-policy
-container-source-policy --help
+# Ruby (requires RubyGems 3.3+)
+gem exec container-source-policy --help
 ```
 
-### PyPI (prebuilt binary)
+Or install globally:
 
 ```bash
-pipx install container-source-policy
-container-source-policy --help
-```
+# Go (build from source)
+go install github.com/tinovyatkin/container-source-policy@latest
 
-### RubyGems (prebuilt binary)
+# npm
+npm i -g container-source-policy
 
-```bash
+# Python
+pipx install container-source-policy
+
+# Ruby
 gem install container-source-policy
-container-source-policy --help
 ```
 
 ## Usage
@@ -60,10 +67,16 @@ Write directly to a file:
 container-source-policy pin --output source-policy.json Dockerfile
 ```
 
-Then pass the policy to BuildKit / Buildx:
+Then pass the policy to BuildKit / Buildx via the environment variable:
+
+```bash
+EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=source-policy.json docker buildx build .
+```
+
+Or use `buildctl` directly with the `--source-policy-file` flag:
 
 ```bash
-docker buildx build --source-policy-file source-policy.json .
+buildctl build --frontend dockerfile.v0 --local dockerfile=. --local context=. --source-policy-file source-policy.json
 ```
 
 Shell completion scripts are available via Cobra:
@@ -74,6 +87,8 @@ container-source-policy completion zsh
 
 ## What gets pinned
 
+### Container images (`FROM`)
+
 - Looks at `FROM …` instructions across all provided Dockerfiles.
 - Skips:
   - `FROM scratch`
@@ -83,6 +98,20 @@ container-source-policy completion zsh
 - Resolves the image manifest digest from the registry and emits BuildKit `CONVERT` rules of the form:
   - `docker-image://<as-written-in-Dockerfile>` → `docker-image://<normalized>@sha256:…`
 
+### HTTP sources (`ADD`)
+
+- Looks at `ADD <url> …` instructions with HTTP/HTTPS URLs.
+- Skips:
+  - `ADD --checksum=… <url>` (already pinned)
+  - URLs containing unexpanded variables (`${VAR}`, `$VAR`)
+- Fetches the checksum and emits `CONVERT` rules with `http.checksum` attribute.
+
+**Optimized checksum fetching** — avoids downloading large files when possible:
+- `raw.githubusercontent.com`: extracts SHA256 from ETag header
+- GitHub releases: uses the API `digest` field (set `GITHUB_TOKEN` for higher rate limits)
+- S3: uses `x-amz-checksum-sha256` response header (by sending `x-amz-checksum-mode: ENABLED`)
+- Fallback: downloads and computes SHA256
+
 ## Development
 
 ```bash
@@ -100,11 +129,12 @@ UPDATE_SNAPS=true go test ./internal/integration/...
 ## Repository layout
 
 - `cmd/container-source-policy/cmd/`: Cobra CLI commands
-- `internal/dockerfile`: Dockerfile parsing (`FROM` extraction)
-- `internal/registry`: registry client (digest resolution)
+- `internal/dockerfile`: Dockerfile parsing (`FROM` and `ADD` extraction)
+- `internal/registry`: registry client (image digest resolution)
+- `internal/http`: HTTP client (URL checksum fetching with optimizations)
 - `internal/policy`: BuildKit source policy types and JSON output
 - `internal/pin`: orchestration logic for `pin`
-- `internal/integration`: end-to-end tests with a mock registry and snapshots
+- `internal/integration`: end-to-end tests with mock registry/HTTP server and snapshots
 - `packaging/`: wrappers for publishing prebuilt binaries to npm / PyPI / RubyGems
 
 ## Packaging

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "container-source-policy",
-  "version": "0.1.3",
+  "version": "0.2.0",
   "description": "Generate Buildx container source policy file for a given Dockerfile",
   "repository": {
     "type": "git",
@@ -28,13 +28,13 @@
   },
   "homepage": "https://github.com/tinovyatkin/container-source-policy#readme",
   "optionalDependencies": {
-    "container-source-policy-darwin-arm64": "0.1.3",
-    "container-source-policy-darwin-x64": "0.1.3",
-    "container-source-policy-linux-arm64": "0.1.3",
-    "container-source-policy-linux-x64": "0.1.3",
-    "container-source-policy-windows-arm64": "0.1.3",
-    "container-source-policy-windows-x64": "0.1.3",
-    "container-source-policy-freebsd-x64": "0.1.3"
+    "container-source-policy-darwin-arm64": "0.2.0",
+    "container-source-policy-darwin-x64": "0.2.0",
+    "container-source-policy-linux-arm64": "0.2.0",
+    "container-source-policy-linux-x64": "0.2.0",
+    "container-source-policy-windows-arm64": "0.2.0",
+    "container-source-policy-windows-x64": "0.2.0",
+    "container-source-policy-freebsd-x64": "0.2.0"
   },
   "scripts": {
     "postinstall": "node postinstall.js"