drayage 0.2.6__tar.gz

drayage-0.2.6/.dockerignore

@@ -0,0 +1,17 @@
+.git
+.github
+.pre-commit-config.yaml
+target
+target2
+dist
+build
+.venv
+__pycache__
+*.pyc
+*.pyo
+*.pyd
+.DS_Store
+cache
+certs
+registry
+config.toml

drayage-0.2.6/.github/dependabot.yml

@@ -0,0 +1,21 @@
+version: 2
+updates:
+  - package-ecosystem: cargo
+    directory: /
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly

drayage-0.2.6/.github/workflows/ci.yml

@@ -0,0 +1,61 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt, clippy
+
+      - name: Run linting
+        run: make lint
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Run tests
+        run: make test
+
+  docker-build:
+    name: Docker Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build container image
+        run: make docker-build
+
+  all-checks-passed:
+    name: All checks passed
+    runs-on: ubuntu-latest
+    needs: [lint, test, docker-build]
+    if: always()
+    steps:
+      - name: Verify all checks passed
+        run: |
+          if [ "${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}" == "true" ]; then
+            echo "Some checks failed or were cancelled"
+            exit 1
+          fi
+          echo "All checks passed"

drayage-0.2.6/.github/workflows/live-validation.yml

@@ -0,0 +1,45 @@
+name: Live Validation
+
+on:
+  workflow_dispatch:
+    inputs:
+      run_real_registry:
+        description: "Run live upstream registry tests"
+        type: boolean
+        default: true
+      run_oci_pull_conformance:
+        description: "Run OCI pull conformance"
+        type: boolean
+        default: true
+  schedule:
+    - cron: "17 3 * * *"
+
+concurrency:
+  group: live-validation
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  real-registry:
+    if: ${{ github.event_name != 'workflow_dispatch' || inputs.run_real_registry }}
+    uses: ./.github/workflows/real-registry.yml
+
+  oci-pull-conformance:
+    if: ${{ github.event_name != 'workflow_dispatch' || inputs.run_oci_pull_conformance }}
+    uses: ./.github/workflows/oci-conformance.yml
+
+  all-checks-passed:
+    name: Live validation passed
+    runs-on: ubuntu-latest
+    needs: [real-registry, oci-pull-conformance]
+    if: always()
+    steps:
+      - name: Verify scheduled validation jobs
+        run: |
+          if [ "${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}" = "true" ]; then
+            echo "One or more live validation jobs failed or were cancelled"
+            exit 1
+          fi
+          echo "Live validation jobs completed successfully"

drayage-0.2.6/.github/workflows/oci-conformance.yml

@@ -0,0 +1,101 @@
+name: OCI Pull Conformance
+
+on:
+  workflow_dispatch:
+  workflow_call:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: oci-pull-conformance-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  pull:
+    name: Pull Conformance
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Build Drayage
+        run: cargo build --locked
+
+      - name: Prepare conformance config
+        run: |
+          mkdir -p /tmp/drayage-conformance-cache
+          cat > /tmp/drayage-conformance.toml <<'EOF'
+          listen = "127.0.0.1:5001"
+          cache_dir = "/tmp/drayage-conformance-cache"
+          manifest_ttl_seconds = 900
+          negative_ttl_seconds = 60
+          connect_timeout_secs = 10
+          read_timeout_secs = 30
+
+          [upstreams.registry_k8s_io]
+          registry = "https://registry.k8s.io"
+          EOF
+
+      - name: Start Drayage
+        run: |
+          target/debug/drayage serve --config /tmp/drayage-conformance.toml --log-json \
+            > /tmp/drayage-conformance.log 2>&1 &
+          echo $! > /tmp/drayage-conformance.pid
+
+      - name: Wait for readiness
+        run: |
+          for _ in $(seq 1 60); do
+            if curl -fsS http://127.0.0.1:5001/readyz >/dev/null; then
+              exit 0
+            fi
+            sleep 1
+          done
+          cat /tmp/drayage-conformance.log
+          exit 1
+
+      - name: Resolve pull fixture
+        id: fixture
+        run: |
+          python3 scripts/resolve_oci_pull_fixture.py \
+            --root-url http://127.0.0.1:5001 \
+            --namespace registry.k8s.io/pause \
+            --reference 3.9 >> "$GITHUB_OUTPUT"
+
+      - name: Run official OCI Distribution pull conformance
+        uses: opencontainers/distribution-spec@v1.1.1
+        env:
+          OCI_ROOT_URL: http://127.0.0.1:5001
+          OCI_NAMESPACE: registry.k8s.io/pause
+          OCI_TAG_NAME: 3.9
+          OCI_MANIFEST_DIGEST: ${{ steps.fixture.outputs.manifest_digest }}
+          OCI_BLOB_DIGEST: ${{ steps.fixture.outputs.blob_digest }}
+          OCI_TEST_PULL: 1
+          OCI_HIDE_SKIPPED_WORKFLOWS: 1
+          OCI_DEBUG: 0
+          OCI_REPORT_DIR: ${{ github.workspace }}/oci-conformance-results
+
+      - name: Upload conformance artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: oci-pull-conformance-report
+          path: |
+            oci-conformance-results/junit.xml
+            oci-conformance-results/report.html
+          if-no-files-found: warn
+          retention-days: 14
+
+      - name: Print Drayage log
+        if: always()
+        run: cat /tmp/drayage-conformance.log
+
+      - name: Stop Drayage
+        if: always()
+        run: |
+          if [ -f /tmp/drayage-conformance.pid ]; then
+            kill "$(cat /tmp/drayage-conformance.pid)" || true
+          fi

drayage-0.2.6/.github/workflows/real-registry.yml

@@ -0,0 +1,39 @@
+name: Real Registry Live Tests
+
+on:
+  workflow_dispatch:
+  workflow_call:
+
+concurrency:
+  group: real-registry-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  real-registry:
+    name: Real Registry
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Run live registry tests
+        run: |
+          mkdir -p live-test-artifacts
+          set -o pipefail
+          cargo test --locked --test real_registry -- --ignored --test-threads=1 \
+            2>&1 | tee live-test-artifacts/real-registry.log
+
+      - name: Upload live registry artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: real-registry-log
+          path: live-test-artifacts/real-registry.log
+          if-no-files-found: warn
+          retention-days: 14

drayage-0.2.6/.github/workflows/release.yml

@@ -0,0 +1,270 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+"
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: "Dry run (skip publishing)"
+        type: boolean
+        default: true
+      skip_crates_io:
+        description: "Skip crates.io publish"
+        type: boolean
+        default: false
+      skip_pypi:
+        description: "Skip PyPI publish"
+        type: boolean
+        default: false
+
+permissions:
+  contents: write
+  packages: write
+
+concurrency:
+  group: release
+  cancel-in-progress: false
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Run tests
+        run: make test
+
+  real-registry:
+    name: Real Registry
+    uses: ./.github/workflows/real-registry.yml
+
+  oci-pull-conformance:
+    name: OCI Pull Conformance
+    uses: ./.github/workflows/oci-conformance.yml
+
+  build-wheels:
+    name: Build wheel (${{ matrix.target }})
+    needs: [test, real-registry, oci-pull-conformance]
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        include:
+          - target: x86_64-unknown-linux-gnu
+            os: ubuntu-latest
+            manylinux: manylinux_2_28
+          - target: aarch64-unknown-linux-gnu
+            os: ubuntu-latest
+            manylinux: manylinux_2_28
+          - target: x86_64-apple-darwin
+            os: macos-14
+          - target: aarch64-apple-darwin
+            os: macos-14
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build wheel
+        uses: PyO3/maturin-action@v1
+        id: build
+        continue-on-error: true
+        with:
+          target: ${{ matrix.target }}
+          args: --release --strip --out dist
+          manylinux: ${{ matrix.manylinux || 'auto' }}
+
+      - name: Retry build wheel
+        if: steps.build.outcome == 'failure'
+        uses: PyO3/maturin-action@v1
+        with:
+          target: ${{ matrix.target }}
+          args: --release --strip --out dist
+          manylinux: ${{ matrix.manylinux || 'auto' }}
+        env:
+          CARGO_INCREMENTAL: "0"
+
+      - name: Upload wheel
+        uses: actions/upload-artifact@v4
+        with:
+          name: wheel-${{ matrix.target }}
+          path: dist/*.whl
+
+  sdist:
+    name: Build source distribution
+    needs: [test, real-registry, oci-pull-conformance]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build sdist
+        uses: PyO3/maturin-action@v1
+        with:
+          command: sdist
+          args: --out dist
+
+      - name: Upload sdist
+        uses: actions/upload-artifact@v4
+        with:
+          name: sdist
+          path: dist/*.tar.gz
+
+  container:
+    name: Build container image
+    needs: [test, real-registry, oci-pull-conformance]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        if: ${{ inputs.dry_run != true && startsWith(github.ref, 'refs/tags/v') }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=raw,value=dry-run,enable=${{ !startsWith(github.ref, 'refs/tags/v') }}
+
+      - name: Build and optionally push image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ inputs.dry_run != true && startsWith(github.ref, 'refs/tags/v') }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  release:
+    name: Publish
+    needs: [build-wheels, sdist, container]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Download wheel artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: wheel-*
+          path: ${{ runner.temp }}/artifacts
+
+      - name: Download sdist artifact
+        uses: actions/download-artifact@v4
+        with:
+          pattern: sdist
+          path: ${{ runner.temp }}/artifacts
+
+      - name: Publish to crates.io
+        if: ${{ inputs.dry_run != true && inputs.skip_crates_io != true }}
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+        run: cargo publish --locked
+
+      - name: Collect PyPI artifacts
+        if: ${{ inputs.dry_run != true && inputs.skip_pypi != true }}
+        run: |
+          mkdir -p ${{ runner.temp }}/pypi-dist
+          cp ${{ runner.temp }}/artifacts/wheel-*/*.whl ${{ runner.temp }}/pypi-dist/
+          cp ${{ runner.temp }}/artifacts/sdist/*.tar.gz ${{ runner.temp }}/pypi-dist/
+
+      - name: Publish to PyPI
+        if: ${{ inputs.dry_run != true && inputs.skip_pypi != true }}
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          password: ${{ secrets.PYPI_API_TOKEN }}
+          packages-dir: ${{ runner.temp }}/pypi-dist/
+
+      - name: Create GitHub Release
+        if: ${{ inputs.dry_run != true && startsWith(github.ref, 'refs/tags/v') }}
+        uses: softprops/action-gh-release@v2
+        with:
+          generate_release_notes: true
+          files: |
+            ${{ runner.temp }}/artifacts/wheel-*/*.whl
+            ${{ runner.temp }}/artifacts/sdist/*.tar.gz
+
+      - name: Dry run summary
+        if: ${{ inputs.dry_run == true }}
+        run: |
+          echo "Dry run - would have published:"
+          find "$RUNNER_TEMP/artifacts" -type f | sort
+
+  verify:
+    name: Verify
+    needs: [release]
+    if: ${{ inputs.dry_run != true && startsWith(github.ref, 'refs/tags/v') }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Verify crates.io
+        if: ${{ inputs.skip_crates_io != true }}
+        run: |
+          version="${GITHUB_REF_NAME#v}"
+          for attempt in 1 2 3 4 5; do
+            status=$(curl -s -o /dev/null -w '%{http_code}' \
+              -H "User-Agent: drayage-release-verify" \
+              "https://crates.io/api/v1/crates/drayage/${version}")
+            if [ "$status" = "200" ]; then
+              echo "drayage ${version} verified on crates.io (attempt ${attempt})"
+              exit 0
+            fi
+            echo "Attempt ${attempt}: crates.io returned HTTP ${status}, retrying in 15s..."
+            sleep 15
+          done
+          echo "::error::drayage ${version} not found on crates.io after 5 attempts"
+          exit 1
+
+      - name: Verify PyPI
+        if: ${{ inputs.skip_pypi != true }}
+        run: |
+          version="${GITHUB_REF_NAME#v}"
+          for attempt in 1 2 3 4 5; do
+            status=$(curl -s -o /dev/null -w '%{http_code}' \
+              "https://pypi.org/pypi/drayage/${version}/json")
+            if [ "$status" = "200" ]; then
+              echo "drayage ${version} verified on PyPI (attempt ${attempt})"
+              exit 0
+            fi
+            echo "Attempt ${attempt}: PyPI returned HTTP ${status}, retrying in 15s..."
+            sleep 15
+          done
+          echo "::error::drayage ${version} not found on PyPI after 5 attempts"
+          exit 1
+
+      - name: Verify GHCR
+        run: |
+          version="${GITHUB_REF_NAME#v}"
+          for attempt in 1 2 3 4 5; do
+            token=$(curl -s "https://ghcr.io/token?scope=repository:rvben/drayage:pull" | jq -r .token)
+            status=$(curl -s -o /dev/null -w '%{http_code}' \
+              -H "Authorization: Bearer ${token}" \
+              -H "Accept: application/vnd.oci.image.index.v1+json" \
+              "https://ghcr.io/v2/rvben/drayage/manifests/${version}")
+            if [ "$status" = "200" ]; then
+              echo "drayage ${version} verified on GHCR (attempt ${attempt})"
+              exit 0
+            fi
+            echo "Attempt ${attempt}: GHCR returned HTTP ${status}, retrying in 15s..."
+            sleep 15
+          done
+          echo "::error::drayage ${version} not found on GHCR after 5 attempts"
+          exit 1

drayage-0.2.6/.gitignore

@@ -0,0 +1,4 @@
+/target
+/target2
+/registry
+/oci-conformance-results

drayage-0.2.6/.pre-commit-config.yaml

@@ -0,0 +1,78 @@
+fail_fast: true
+
+repos:
+  # Secret detection
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.30.0
+    hooks:
+      - id: gitleaks
+
+  # Conventional Commits validation
+  - repo: https://github.com/compilerla/conventional-pre-commit
+    rev: v3.6.0
+    hooks:
+      - id: conventional-pre-commit
+        stages: [commit-msg]
+
+  # Rust formatting and linting
+  - repo: local
+    hooks:
+      - id: cargo-fmt
+        name: cargo fmt
+        entry: cargo fmt --all --
+        language: system
+        types: [rust]
+        pass_filenames: false
+
+      - id: cargo-clippy
+        name: cargo clippy
+        entry: cargo clippy -- -D warnings
+        language: system
+        types: [rust]
+        pass_filenames: false
+
+      - id: cargo-lock-check
+        name: check Cargo.lock is up-to-date
+        entry: sh -c 'cargo metadata --locked --format-version 1 --no-deps >/dev/null'
+        language: system
+        files: ^Cargo\.(toml|lock)$
+        pass_filenames: false
+
+  # General file quality checks
+  - repo: builtin
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-toml
+      - id: check-merge-conflict
+      - id: check-case-conflict
+      - id: mixed-line-ending
+        args: [--fix=lf]
+
+  # Pre-push hooks
+  - repo: local
+    hooks:
+      - id: cargo-test
+        name: cargo test
+        entry: make test
+        language: system
+        types: [rust]
+        pass_filenames: false
+        stages: [pre-push]
+
+      - id: cargo-lint
+        name: cargo clippy (all targets)
+        entry: make lint
+        language: system
+        types: [rust]
+        pass_filenames: false
+        stages: [pre-push]
+
+      - id: cargo-lock-check-push
+        name: verify Cargo.lock is committed and up-to-date
+        entry: sh -c 'cargo metadata --locked --format-version 1 --no-deps >/dev/null'
+        language: system
+        files: ^Cargo\.(toml|lock)$
+        pass_filenames: false
+        stages: [pre-push]