Documentation
Overview
Package lane defines the pipeline schema, DAG construction, and execution state for strike lanes.
Index
- func FormatValidationError(err error) error
- func ParseDuration(d Duration, defaultVal clock.Duration) (clock.Duration, error)
- func ResolveSecrets(refs []SecretRef, sources map[string]SecretSource, root *os.Root) (map[string]SecretString, error)
- func ValidatePaths(p *Lane) error
- type DAG
- type DeployArtifactEdge
- type DeployMethod
- type Digest
- type ImageFromEdge
- type InputEdge
- type PackFileEdge
- type ProvenanceRecord
- type SecretString
- type State
- func (s *State) CollectProvenance(dag *DAG, fromStep string) []ProvenanceRecord
- func (s *State) JSON() ([]byte, error)
- func (s *State) RecordProvenance(stepName string, rec ProvenanceRecord) error
- func (s *State) RecordStep(r StepResult)
- func (s *State) Register(stepName, outputName string, a Artifact) error
- func (s *State) Resolve(ref string) (Artifact, error)
- type StepResult
Constants
This section is empty.
Variables
This section is empty.
Functions
func FormatValidationError
func FormatValidationError(err error) error
FormatValidationError flattens a cue.Error tree into a single error whose message is a deduplicated multi-line listing, dropping the "N errors in empty disjunction" aggregate markers that would otherwise hide the underlying sub-errors.
Returns nil if err is nil. Returns err unchanged if it is not a cue.Error (for example, a plain extraction error from cuejson.Extract before any schema unification ran).
This is stage 1 of error reporting: it aggregates and dedupes. Per-branch filtering using the discriminator value is deferred to stage 2.
func ParseDuration
func ParseDuration(d Duration, defaultVal clock.Duration) (clock.Duration, error)
ParseDuration converts a lane duration string ("30s", "5m", "1h") to clock.Duration. Returns defaultVal if d is empty, and an error if d is non-empty but not a valid duration.
func ResolveSecrets
func ResolveSecrets(refs []SecretRef, sources map[string]SecretSource, root *os.Root) (map[string]SecretString, error)
ResolveSecrets resolves all secret references to their values. File secrets are resolved through the lane root scope.
func ValidatePaths
func ValidatePaths(p *Lane) error
ValidatePaths rejects unsafe paths in outputs and pack dests. This is defense in depth: os.Root confines paths at runtime anyway, but rejecting a bad path at validation time fails the lane before any step runs and produces a clearer error message.
outputs[].path and pack.files[].dest are container-internal paths (e.g., /src/node_modules, /usr/bin/strike). They must be absolute and canonical (in particular, no ".." components).
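As an added example (not the package's own code), the following Go program enforces those rules over a minimal lane. The Lane, Step, OutputSpec, PackFile and Pack shapes, the helper names and the `steps.<name>.outputs[i].path` error wording are assumptions for illustration; canonical is taken to mean that path.Clean leaves the path unchanged.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ContainerPath is a container-internal absolute path, as used by
// outputs[].path and pack.files[].dest. Illustrative stand-in for the
// package's type of the same name.
type ContainerPath string

// Minimal stand-ins for the schema types (assumed shapes, not the package's
// definitions): only the path-bearing fields are modelled.
type OutputSpec struct {
	Name string
	Path ContainerPath
}
type PackFile struct {
	From string
	Dest ContainerPath
}
type Pack struct{ Files []PackFile }
type Step struct {
	Name    string
	Outputs []OutputSpec
	Pack    Pack
}
type Lane struct{ Steps []Step }

// validateContainerPath applies the rules above: absolute, canonical
// (path.Clean leaves it unchanged) and free of ".." components. NUL bytes
// are rejected too, since they truncate the path at the syscall boundary.
func validateContainerPath(field string, p ContainerPath) error {
	s := string(p)
	switch {
	case s == "":
		return fmt.Errorf("%s: path is empty", field)
	case strings.ContainsRune(s, 0):
		return fmt.Errorf("%s: path contains a NUL byte", field)
	case !path.IsAbs(s):
		return fmt.Errorf("%s: %q is not absolute", field, s)
	}
	// Canonical form: no "//", "/./", "/../" or trailing "/". Clean folds all
	// of these away, so any difference means the input was not canonical.
	if c := path.Clean(s); c != s {
		return fmt.Errorf("%s: %q is not canonical (canonical form is %q)", field, s, c)
	}
	// Clean already resolves ".." in absolute paths, but checking each
	// component keeps the error specific and guards against a later change
	// to the canonical check above. "..hidden" is a legitimate name.
	for _, seg := range strings.Split(s[1:], "/") {
		if seg == ".." {
			return fmt.Errorf("%s: %q contains a \"..\" component", field, s)
		}
	}
	return nil
}

// validatePaths checks every outputs[].path and pack.files[].dest in the lane,
// naming the offending field the way a schema error would.
func validatePaths(l *Lane) error {
	for _, st := range l.Steps {
		for i, o := range st.Outputs {
			f := fmt.Sprintf("steps.%s.outputs[%d].path", st.Name, i)
			if err := validateContainerPath(f, o.Path); err != nil {
				return err
			}
		}
		for i, pf := range st.Pack.Files {
			f := fmt.Sprintf("steps.%s.pack.files[%d].dest", st.Name, i)
			if err := validateContainerPath(f, pf.Dest); err != nil {
				return err
			}
		}
	}
	return nil
}

func main() {
	// Constructed lane: the build output is fine, the pack dest climbs out.
	lane := &Lane{Steps: []Step{
		{Name: "build", Outputs: []OutputSpec{{Name: "bin", Path: "/usr/bin/strike"}}},
		{Name: "pack", Pack: Pack{Files: []PackFile{{From: "build.bin", Dest: "/usr/bin/../../etc/strike"}}}},
	}}
	fmt.Println(validatePaths(lane))
}
```

Because path.Clean turns "/usr/bin/../../etc/strike" into "/etc/strike", the non-canonical check already catches traversal; the explicit ".." loop exists so the message says what actually went wrong and so the two checks fail independently.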
Types
type DAG
type DAG struct {
Steps map[string]*Step
InputEdges map[string][]InputEdge // key: consuming step name
PackFileEdges map[string][]PackFileEdge
DeployEdges map[string][]DeployArtifactEdge
ImageFromEdges map[string]ImageFromEdge // one per step, if any
Order []string
// contains filtered or unexported fields
}
DAG is the directed acyclic graph of step dependencies in a lane.
func (*DAG) CollectPeers
CollectPeers returns peer declarations for fromStep and all its transitive predecessors, keyed by step name. Steps without declared peers are omitted from the result. Used by deploy attestation to record the full network exposure of the build chain. Nil-safe: callers may invoke this on a nil receiver and receive a non-nil empty map (matching the schema requirement that Attestation.peers be a present map).
type DeployArtifactEdge
type DeployArtifactEdge struct {
FromStep *Step
FromOutput *OutputSpec
ArtifactName string
}
DeployArtifactEdge is a fully resolved step.deploy.artifacts[name] entry.
type DeployMethod
type DeployMethod interface {
// MethodType returns the discriminator ("kubernetes", "registry", "custom").
MethodType() string
}
DeployMethod is the interface implemented by all deploy method types (DeployKubernetes, DeployRegistry, DeployCustom). The CUE disjunction is annotated @go(-) so the generator skips it; this hand-written interface provides the Go-side discriminated union, parallel to ProvenanceRecord.
type Digest
type Digest struct {
Algorithm string // hash function name, e.g. "sha256"
Hex string // hex-encoded hash value
}
Digest is a content-addressed hash with explicit algorithm and hex fields. The structured representation makes it possible to validate digest values and to ban or require specific hash functions.
JSON wire format remains "algorithm:hex" (e.g. "sha256:abcdef...") for compatibility with the CUE schema (#Digest: =~"^sha256:[a-f0-9]{64}$").
func DirDigestWithSize
DirDigestWithSize computes the sha256 digest and total file size of a directory tree within the given root scope. Size is the sum of regular file sizes (matching du -sb behavior).
func MustParseDigest
MustParseDigest parses a digest string, panicking on invalid input. Use only for known-good values and test fixtures.
func ParseDigest
ParseDigest parses a digest string of the form "algorithm:hex".
func (Digest) MarshalText
MarshalText implements encoding.TextMarshaler for transparent JSON serialization as a plain string ("sha256:hex").
func (*Digest) UnmarshalText
UnmarshalText implements encoding.TextUnmarshaler for transparent JSON deserialization from a plain string ("sha256:hex").
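The following is an added example, written for this page rather than taken from the package, of a Digest that keeps the "algorithm:hex" wire form while validating values against an algorithm allowlist, as the structured representation above is meant to allow. The hexLen table, the Artifact type and the roundTrip helper are assumptions for illustration; the allowlist admits only sha256 to match the CUE constraint quoted above.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Digest mirrors the structured digest above: explicit algorithm plus hex.
// Illustrative re-implementation, not the package's code.
type Digest struct {
	Algorithm string
	Hex       string
}

// hexLen is the allowlist of hash functions and their hex lengths. Only
// sha256 is admitted, matching #Digest: =~"^sha256:[a-f0-9]{64}$". This
// table is the single place to extend (e.g. "sha512": 128) or to ban a
// function by leaving it out.
var hexLen = map[string]int{
	"sha256": 64,
}

// ParseDigest parses "algorithm:hex", enforcing the allowlist, the exact
// length for that algorithm and lowercase hex. hex.DecodeString alone would
// accept "AB", so the case check is explicit: two spellings of one digest
// would defeat any equality or dedup check downstream.
func ParseDigest(s string) (Digest, error) {
	algo, hx, ok := strings.Cut(s, ":")
	if !ok || algo == "" || hx == "" {
		return Digest{}, fmt.Errorf("digest %q: want \"algorithm:hex\"", s)
	}
	want, allowed := hexLen[algo]
	if !allowed {
		return Digest{}, fmt.Errorf("digest %q: algorithm %q is not allowed", s, algo)
	}
	if len(hx) != want {
		return Digest{}, fmt.Errorf("digest %q: %s needs %d hex characters, got %d", s, algo, want, len(hx))
	}
	if strings.ToLower(hx) != hx {
		return Digest{}, fmt.Errorf("digest %q: hex must be lowercase", s)
	}
	if _, err := hex.DecodeString(hx); err != nil {
		return Digest{}, fmt.Errorf("digest %q: %w", s, err)
	}
	return Digest{Algorithm: algo, Hex: hx}, nil
}

// MustParseDigest is for known-good constants and test fixtures only.
func MustParseDigest(s string) Digest {
	d, err := ParseDigest(s)
	if err != nil {
		panic(err)
	}
	return d
}

func (d Digest) String() string { return d.Algorithm + ":" + d.Hex }

// MarshalText emits the wire form. A zero Digest is an error rather than ":"
// so an unset field cannot silently serialise as garbage.
func (d Digest) MarshalText() ([]byte, error) {
	if d.Algorithm == "" || d.Hex == "" {
		return nil, errors.New("digest: refusing to marshal zero value")
	}
	return []byte(d.String()), nil
}

// UnmarshalText has a pointer receiver so encoding/json finds it when decoding
// into an addressable struct field; it re-runs the full validation, so a
// bad digest is rejected at the parse boundary, not when first compared.
func (d *Digest) UnmarshalText(b []byte) error {
	p, err := ParseDigest(string(b))
	if err != nil {
		return err
	}
	*d = p
	return nil
}

// Artifact is a minimal record with a digest field (assumed shape).
type Artifact struct {
	Name   string `json:"name"`
	Digest Digest `json:"digest"`
}

// roundTrip decodes an Artifact from JSON and re-encodes it, returning both.
func roundTrip(in string) (Artifact, string, error) {
	var a Artifact
	if err := json.Unmarshal([]byte(in), &a); err != nil {
		return Artifact{}, "", err
	}
	out, err := json.Marshal(a)
	if err != nil {
		return Artifact{}, "", err
	}
	return a, string(out), nil
}

func main() {
	good := "sha256:" + strings.Repeat("ab", 32) // constructed sample value
	a, out, err := roundTrip(`{"name":"bundle","digest":"` + good + `"}`)
	fmt.Println(a.Digest.Algorithm, out, err)
	_, _, err = roundTrip(`{"name":"bundle","digest":"sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709"}`)
	fmt.Println(err)
	_, err = ParseDigest("sha256:" + strings.Repeat("AB", 32))
	fmt.Println(err)
}
```

Because validation lives in ParseDigest and UnmarshalText delegates to it, a sha1 or uppercase digest arriving in a state file or attestation is rejected at decode time; MarshalText refusing the zero value closes the matching hole on the way out.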
type ImageFromEdge
type ImageFromEdge struct {
FromStep *Step
FromOutput *OutputSpec
}
ImageFromEdge is a fully resolved step.image_from.
type InputEdge
type InputEdge struct {
FromStep *Step
FromOutput *OutputSpec
LocalName string // == InputRef.Name
Mount ContainerPath // == InputRef.Mount
}
InputEdge is a fully resolved step.inputs[i] entry. FromStep and FromOutput are guaranteed non-nil by Build.
type PackFileEdge
type PackFileEdge struct {
FromStep *Step
FromOutput *OutputSpec
Dest ContainerPath // == PackFile.Dest
}
PackFileEdge is a fully resolved step.pack.files[i] entry.
type ProvenanceRecord
type ProvenanceRecord interface {
// ProvenanceType returns the discriminator ("git", "tarball", "oci", "url").
ProvenanceType() string
// IsSigned returns true when the record carries a verified signature.
IsSigned() bool
}
ProvenanceRecord is the interface implemented by all provenance record types (GitProvenanceRecord, TarballProvenanceRecord, OCIProvenanceRecord, URLProvenanceRecord). The CUE disjunction is annotated @go(-) so the generator skips it; this hand-written interface provides the Go-side discriminated union.
func ValidateProvenance
func ValidateProvenance(declaredType string, raw []byte) (ProvenanceRecord, error)
ValidateProvenance parses raw JSON, validates it against the CUE schema for the declared type, and returns the typed ProvenanceRecord.
type SecretString
type SecretString struct {
// contains filtered or unexported fields
}
SecretString holds a sensitive value that is redacted in all string representations. This prevents accidental leakage through logging, JSON serialization, and error messages.
func NewSecretString
func NewSecretString(value string) SecretString
NewSecretString wraps a plaintext value.
func ReadSecret
func ReadSecret(source SecretSource, root *os.Root) (SecretString, error)
ReadSecret reads a secret value from the source URI (env:// or file://). File secrets are opened through root, the lane root scope, so a path that resolves outside the lane root (via ".." or a symlink) is rejected by os.Root rather than read.
func (SecretString) Expose
func (s SecretString) Expose() string
Expose returns the plaintext value. Call only when passing to a container environment variable or a cryptographic operation.
func (SecretString) GoString
func (s SecretString) GoString() string
GoString implements fmt.GoStringer. Always returns [REDACTED].
func (SecretString) MarshalJSON
func (s SecretString) MarshalJSON() ([]byte, error)
MarshalJSON implements json.Marshaler. Always returns "[REDACTED]".
func (SecretString) MarshalText
func (s SecretString) MarshalText() ([]byte, error)
MarshalText implements encoding.TextMarshaler. Always returns [REDACTED].
func (SecretString) String
func (s SecretString) String() string
String implements fmt.Stringer. Always returns [REDACTED].
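The following added example (written for this page, not the package's own implementation, whose internals may differ) re-creates the redaction wrapper and exercises every channel a lane runner is likely to log through: format verbs, JSON, a wrapped error, and one case the methods above cannot cover. The Config and leakyConfig types and the Renderings helper are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const redacted = "[REDACTED]"

// SecretString re-implements the redaction wrapper documented above.
// Illustrative code, not the package's own.
type SecretString struct {
	value string
}

func NewSecretString(v string) SecretString { return SecretString{value: v} }

// Expose is the only way out. Grep for it in review: every call site should
// be a container env var or a cryptographic operation.
func (s SecretString) Expose() string { return s.value }

// Value receivers so both SecretString and *SecretString satisfy the interfaces.
func (s SecretString) String() string               { return redacted }
func (s SecretString) GoString() string             { return redacted }
func (s SecretString) MarshalText() ([]byte, error) { return []byte(redacted), nil }
func (s SecretString) MarshalJSON() ([]byte, error) { return json.Marshal(redacted) }

// Config is the kind of struct a runner logs. Token is exported, so fmt and
// encoding/json reach the redaction methods through it.
type Config struct {
	Registry string       `json:"registry"`
	Token    SecretString `json:"token"`
}

// leakyConfig shows the one hole these methods cannot close: fmt does not
// call methods on values it reaches through unexported fields
// (reflect.Value.CanInterface is false there), so %v prints the raw struct.
type leakyConfig struct {
	token SecretString
}

// Renderings returns how one secret appears through each channel a runner
// might use: format verbs, JSON, a wrapped error, and the unexported-field trap.
func Renderings(secret string) map[string]string {
	s := NewSecretString(secret)
	cfg := Config{Registry: "registry.example", Token: s}
	j, _ := json.Marshal(cfg)
	err := fmt.Errorf("login to %s failed with token %s", cfg.Registry, s)
	return map[string]string{
		"%s":     fmt.Sprintf("%s", s),
		"%v":     fmt.Sprintf("%v", s),
		"%#v":    fmt.Sprintf("%#v", s),
		"%+v":    fmt.Sprintf("%+v", cfg),
		"json":   string(j),
		"error":  err.Error(),
		"leaky":  fmt.Sprintf("%v", leakyConfig{token: s}),
		"expose": s.Expose(),
	}
}

func main() {
	for k, v := range Renderings("hunter2") { // constructed sample secret
		fmt.Printf("%-7s %s\n", k, v)
	}
}
```

The "leaky" entry renders as {{hunter2}}: fmt only dispatches to String, GoString and friends when it can take an interface value, which it cannot for an unexported field. Keep SecretString in exported fields of anything that might be formatted, or never format such structs with %v; the redaction methods are a safety net, not a guarantee against reflection-driven printers.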
type State
type State struct {
Artifacts map[string]Artifact `json:"artifacts"`
Steps map[string]StepResult `json:"steps"`
Provenance map[string]ProvenanceRecord `json:"provenance"`
// contains filtered or unexported fields
}
State tracks artifacts and step results across lane execution. All artifact references use "step_name.output_name" keys.
func (*State) CollectProvenance
func (s *State) CollectProvenance(dag *DAG, fromStep string) []ProvenanceRecord
CollectProvenance walks the DAG backwards from fromStep and returns all provenance records of transitive predecessors, sorted by step name for deterministic attestation output.
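Both CollectProvenance and DAG.CollectPeers (above) are the same backwards walk over transitive predecessors. The following added example, not the package's code, shows that walk over a constructed diamond-shaped lane, with the nil-safety and the sorted output the two descriptions call for. Step.Peers, DAG.Preds, the record type and sampleLane are assumptions for illustration; Preds stands for the single predecessor relation you get by folding the real DAG's InputEdges, PackFileEdges, DeployEdges and ImageFromEdges together, which is the right thing to do because every edge kind is a trust edge.

```go
package main

import (
	"fmt"
	"sort"
)

// Stand-ins for the types on this page, carrying only what the walk needs.
// Added illustration, not the package's code; Peers and Preds are assumed.
type Step struct {
	Name  string
	Peers []string // declared network peers, if any
}

type DAG struct {
	Steps map[string]*Step
	Preds map[string][]string // consuming step -> producing steps, all edge kinds
}

type ProvenanceRecord interface {
	ProvenanceType() string
	IsSigned() bool
}

// record is a minimal provenance record; Step names the step it belongs to.
type record struct {
	Type   string
	Signed bool
	Step   string
}

func (r record) ProvenanceType() string { return r.Type }
func (r record) IsSigned() bool         { return r.Signed }

// ancestors returns the transitive predecessors of step (step itself
// excluded). Safe on a nil DAG, which simply has no ancestors. Iterative
// with a seen set, so a malformed (cyclic) graph cannot recurse forever.
func (d *DAG) ancestors(step string) map[string]bool {
	seen := map[string]bool{}
	if d == nil {
		return seen
	}
	for stack := append([]string(nil), d.Preds[step]...); len(stack) > 0; {
		n := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if !seen[n] {
			seen[n] = true
			stack = append(stack, d.Preds[n]...)
		}
	}
	return seen
}

// CollectPeers returns declared peers for fromStep and every ancestor, keyed
// by step name, omitting steps without peers. Never returns nil, even on a
// nil DAG, so the attestation's peers field is always a present map.
func (d *DAG) CollectPeers(fromStep string) map[string][]string {
	out := map[string][]string{}
	if d == nil {
		return out
	}
	names := d.ancestors(fromStep)
	names[fromStep] = true
	for n := range names {
		if st := d.Steps[n]; st != nil && len(st.Peers) > 0 {
			out[n] = st.Peers
		}
	}
	return out
}

type State struct {
	Provenance map[string]ProvenanceRecord // key: step name
}

// CollectProvenance returns the records of every transitive predecessor of
// fromStep, sorted by step name so two runs over the same lane attest
// identically (Go randomises map iteration order, so sorting is not optional).
func (s *State) CollectProvenance(dag *DAG, fromStep string) []ProvenanceRecord {
	var names []string
	for n := range dag.ancestors(fromStep) {
		if _, ok := s.Provenance[n]; ok {
			names = append(names, n)
		}
	}
	sort.Strings(names)
	recs := make([]ProvenanceRecord, 0, len(names))
	for _, n := range names {
		recs = append(recs, s.Provenance[n])
	}
	return recs
}

// sampleLane builds a constructed diamond: base (oci) and fetch/deps (git)
// feed build; build feeds pack; pack feeds deploy. "audit" is a sibling
// consumer of fetch and must not appear in deploy's chain.
func sampleLane() (*DAG, *State) {
	dag := &DAG{
		Steps: map[string]*Step{
			"base": {Name: "base"}, "fetch": {Name: "fetch", Peers: []string{"github.com:443"}},
			"deps": {Name: "deps", Peers: []string{"proxy.golang.org:443"}}, "build": {Name: "build"},
			"pack": {Name: "pack"}, "deploy": {Name: "deploy"}, "audit": {Name: "audit", Peers: []string{"audit.internal:443"}},
		},
		Preds: map[string][]string{"build": {"fetch", "deps", "base"}, "pack": {"build"}, "deploy": {"pack"}, "audit": {"fetch"}},
	}
	st := &State{Provenance: map[string]ProvenanceRecord{
		"base": record{"oci", true, "base"}, "fetch": record{"git", true, "fetch"},
		"deps": record{"git", false, "deps"}, "audit": record{"git", true, "audit"},
	}}
	return dag, st
}

func main() {
	dag, st := sampleLane()
	for _, r := range st.CollectProvenance(dag, "deploy") {
		fmt.Printf("%-6s %-4s signed=%v\n", r.(record).Step, r.ProvenanceType(), r.IsSigned())
	}
	fmt.Println("peers:", dag.CollectPeers("deploy"))
}
```

For "deploy" the walk reaches pack, build, fetch, deps and base; only the three with provenance come back, as base, deps, fetch, and the unsigned deps record is visible to whatever policy the attestation applies. The unrelated audit step, which also consumes fetch, contributes neither provenance nor peers, which is the property that makes the attestation describe this build chain and not the whole lane.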
func (*State) RecordProvenance
func (s *State) RecordProvenance(stepName string, rec ProvenanceRecord) error
RecordProvenance stores a validated provenance record for a step.
func (*State) RecordStep
func (s *State) RecordStep(r StepResult)
RecordStep stores the result of a completed step.
type StepResult
type StepResult struct {
StartedAt clock.Time `json:"started_at"`
Inputs map[string]string `json:"inputs"`
Outputs map[string]string `json:"outputs"`
Name string `json:"name"`
StepType string `json:"step_type"`
Duration clock.Duration `json:"duration"`
ExitCode int `json:"exit_code"`
}
StepResult records execution metadata for a completed step.