manifest

package
v0.1.0 Latest
Warning

This package is not in the latest version of its module.

Published: May 13, 2026 License: MIT Imports: 10 Imported by: 0

Documentation

Overview

Package manifest reads and validates pin.yaml.

Constants

const (
	ForgeGitHub    = "github"
	ForgeGitLab    = "gitlab"
	ForgeGitea     = "gitea"
	ForgeCodeberg  = "codeberg"
	ForgeBitbucket = "bitbucket"
	ForgeGit       = "git"
)
const DefaultMinReleaseAge = 48 * time.Hour

DefaultMinReleaseAge: 48h catches most malicious npm publishes (typically detected within 24–48h) while keeping the bleeding-edge lag bounded. Opt out per entry or globally with `min_release_age: 0`.

Variables

This section is empty.

Functions

func AddEntry

func AddEntry(in io.Reader, out io.Writer, e Entry) error

AddEntry inserts a new asset at its alphabetic position by name. Comments and surrounding YAML are preserved via the Node API.

func BoolValue

func BoolValue(b *bool) bool

func RemoveEntry

func RemoveEntry(in io.Reader, out io.Writer, name string) error

RemoveEntry removes the named asset, preserving comments and surrounding YAML.

Types

type Duration

type Duration time.Duration

Duration unmarshals from a YAML string like "48h", "30m", or "0".

func (*Duration) UnmarshalYAML

func (d *Duration) UnmarshalYAML(node *yaml.Node) error

type Entry

type Entry struct {
	Name           string    `yaml:"name"`
	Version        string    `yaml:"version"`
	RawSource      string    `yaml:"source"`
	Files          []string  `yaml:"files"`
	Format         string    `yaml:"format"`
	MinReleaseAge  *Duration `yaml:"min_release_age"`
	Trust          *Trust    `yaml:"trust"`
	StripSourcemap bool      `yaml:"strip_sourcemap"`

	// RegistryURL overrides the default npm registry for this entry.
	// Honoured by the npm source kind; encoded as a `repository_url`
	// qualifier on the resolved purl so it round-trips into pin.lock.
	RegistryURL string `yaml:"registry_url"`
	// contains filtered or unexported fields
}

func (*Entry) PURL

func (e *Entry) PURL(resolvedVersion string) *purl.PURL

PURL returns the canonical purl for this entry.

npm:   pkg:npm/[%40scope/]name@version[?repository_url=...]
forge: pkg:{forge}/owner/repo@version
url:   pkg:generic/name@version?download_url=...

func (*Entry) Slug

func (e *Entry) Slug() string

func (*Entry) Source

func (e *Entry) Source() Source

type Layout

type Layout string
const (
	LayoutNested Layout = "nested"
	LayoutFlat   Layout = "flat"
)

type Manifest

type Manifest struct {
	Out           string    `yaml:"out"`
	Layout        Layout    `yaml:"layout"`
	MinReleaseAge *Duration `yaml:"min_release_age"`
	Trust         *Trust    `yaml:"trust"`
	Assets        []Entry   `yaml:"assets"`
}

func Read

func Read(r io.Reader) (*Manifest, error)

func (*Manifest) Cooldown

func (m *Manifest) Cooldown() *cooldown.Config

Cooldown builds a cooldown.Config from the manifest's min_release_age. Default falls back to DefaultMinReleaseAge. Per-entry overrides become Packages entries keyed by the entry's package purl without a version.
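
The resolution order described for min_release_age, as an added sketch that is not this package's code: it assumes a per-entry value wins over the manifest-wide value, which wins over the 48h default, and that a release passes once its age reaches the resolved value. The names parseAge, effectiveMinAge and oldEnough are hypothetical, and rejecting negative durations is an assumption the page does not state.

```go
package main

import (
	"fmt"
	"time"
)

// Same value as the documented DefaultMinReleaseAge; all other names are hypothetical.
const defaultMinReleaseAge = 48 * time.Hour

// parseAge accepts the documented forms ("48h", "30m", "0").
// Assumption: a negative age is rejected rather than treated as an opt-out.
func parseAge(s string) (*time.Duration, error) {
	d, err := time.ParseDuration(s)
	if err != nil {
		return nil, fmt.Errorf("min_release_age %q: %w", s, err)
	}
	if d < 0 {
		return nil, fmt.Errorf("min_release_age %q: must not be negative", s)
	}
	return &d, nil
}

// effectiveMinAge resolves the cooldown for one entry. nil means "not set"
// and inherits; a pointer to 0 is an explicit opt-out, so the two must not
// be collapsed into a plain zero value.
func effectiveMinAge(manifest, entry *time.Duration) time.Duration {
	if entry != nil {
		return *entry
	}
	if manifest != nil {
		return *manifest
	}
	return defaultMinReleaseAge
}

// oldEnough reports whether a release has aged past minAge at time now.
func oldEnough(published, now time.Time, minAge time.Duration) bool {
	return now.Sub(published) >= minAge
}

func main() {
	now := time.Date(2026, 1, 10, 12, 0, 0, 0, time.UTC) // constructed timestamps
	published := now.Add(-30 * time.Hour)
	optOut, _ := parseAge("0")
	fmt.Println(oldEnough(published, now, effectiveMinAge(nil, nil)))    // 30h < 48h default
	fmt.Println(oldEnough(published, now, effectiveMinAge(nil, optOut))) // entry opted out
}
```
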

func (*Manifest) EffectiveTrust

func (m *Manifest) EffectiveTrust(e *Entry) Trust

EffectiveTrust: per-entry scalars override manifest scalars; TrustedWorkflows merges across both, deduped.

type Source

type Source struct {
	Kind  SourceKind
	Forge string
	Host  string
	Owner string
	Repo  string
	URL   string
}

func ParseSource

func ParseSource(s string) (Source, error)

type SourceKind

type SourceKind string
const (
	SourceNPM   SourceKind = "npm"
	SourceForge SourceKind = "forge"
	SourceURL   SourceKind = "url"
)

type Trust

type Trust struct {
	RequireProvenance                 *bool    `yaml:"require_provenance"`
	RequirePublisherMatchesRepository *bool    `yaml:"require_publisher_matches_repository"`
	TrustedWorkflows                  []string `yaml:"trusted_workflows"`
}

Trust. Nil pointers let the manifest default propagate; nil TrustedWorkflows means "inherit from parent" rather than "empty".
