diff --git a/.github/workflows/go-base-amd64.yaml b/.github/workflows/go-base-amd64.yaml
new file mode 100644
index 0000000..4619246
--- /dev/null
+++ b/.github/workflows/go-base-amd64.yaml
@@ -0,0 +1,215 @@ +name: go-base +env: + image_tag: v1 + REGISTRY: ghcr.io + owner: buildsafedev + runtime_image: go-base-runtime + dev_image: go-base-dev + final_image: go-final + final_arm64_image: go-final-arm64 + final_amd64_image: go-final-amd64 + +on: + push: + +jobs: + prepare-go-dev: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Run Prepare Action + uses: buildsafedev/multiarch-build--action/prepare-action@main + with: + oci_registry_username: ${{ env.owner}} + oci_registry_password: ${{ secrets.GITHUB_TOKEN }} + image_name: ${{ env.owner }}/${{ env.dev_image }} + ociBlock: go-dev + tag: ${{ env.image_tag }} + + prepare-go-runtime: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Run Prepare Action + uses: buildsafedev/multiarch-build--action/prepare-action@main + with: + oci_registry_username: ${{ env.owner }} + oci_registry_password: ${{ secrets.GITHUB_TOKEN }} + image_name: ${{ env.owner }}/${{ env.runtime_image }} + ociBlock: go-runtime + tag: ${{ env.image_tag }} + + build: + needs: [prepare-go-dev, prepare-go-runtime] + strategy: + fail-fast: false + matrix: + platform: [ubuntu-latest] + runs-on: ${{ matrix.platform }} + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Run Build Action + uses: buildsafedev/multiarch-build--action/build-action@main + with: + oci_registry_username: ${{ env.owner }} + oci_registry_password: ${{ secrets.GITHUB_TOKEN }} + ociBlocks: go-dev go-runtime + directory: "go-server-example" + registry: ghcr.io + + hermetic_builds: + runs-on: ubuntu-latest + needs: build + outputs: + amd64_digest: ${{ steps.build_amd64.outputs.digest }} + permissions: + id-token: write + packages: write + contents: read + attestations: write + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{env.owner}} + password: 
${{secrets.GITHUB_TOKEN}} + + - name: Download meta bake definition + uses: actions/download-artifact@v4 + with: + name: bake-meta-${{ format('go-dev', 'go-runtime') }} + path: /tmp + + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: /tmp/digests + pattern: digests-* + merge-multiple: true + + - name: Verify digest files after download + shell: bash + run: | + echo "Downloaded digest files:" + - name: Build hermetic image amd64 + id: build_amd64 + working-directory: go-server-example + run: | + base_img_digest=$(printf "sha256:%s" "$(basename /tmp/digests/go-dev/*)") + runtime_img_digest=$(printf "sha256:%s" "$(basename /tmp/digests/go-runtime/*)") + docker buildx create --name mybuilder --use --driver docker-container + docker buildx build \ + --build-arg BASE_IMAGE=${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}@${base_img_digest} \ + --build-arg RUNTIME_IMAGE=${{ env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }}@${runtime_img_digest} \ + --no-cache \ + --tag ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}:${{ env.image_tag }} \ + --network=none \ + --attest type=provenance,mode=min \ + --platform=linux/amd64 \ + --push \ + --output type=image \ + https://github.com/buildsafedev/examples.git\#multiarch-builds:go-server-example + # Get the digest of the built image + amd64_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') + echo "digest=$amd64_digest" >> $GITHUB_OUTPUT + artifact: + runs-on: ubuntu-latest + needs: hermetic_builds + permissions: + id-token: write + packages: write + contents: read + attestations: write + steps: + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{env.owner}} + password: ${{secrets.GITHUB_TOKEN}} + + - name: Attest-amd64 + uses: 
actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }} + subject-digest: ${{ needs.hermetic_builds.outputs.amd64_digest }} + push-to-registry: true + + scan_image: + needs: artifact + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@main + + - name: Setup Nix development environment + uses: nicknovitski/nix-develop@v1 + with: + arguments: ./go-server-example/bsf/.#devShell + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{env.owner}} + password: ${{secrets.GITHUB_TOKEN}} + + - name: Is hermetic build + run: | + docker buildx imagetools inspect ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}:${{ env.image_tag }} --format "{{ json .Provenance.SLSA }}" > slsa.json + cat slsa.json + if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then + echo "Hermetic build" + else + echo "Not a hermetic build" + exit 1 + fi + + - name: Check for vulnerabilities + run: grype ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}:${{ env.image_tag }} --only-fixed --fail-on low + + + sign_image: + needs: scan_image + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + steps: + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{env.owner}} + password: ${{secrets.GITHUB_TOKEN}} + + - name: Install Cosign + uses: sigstore/cosign-installer@v3.7.0 + with: + cosign-release: 'v2.4.1' + + - name: Sign and push image + env: + COSIGN_EXPERIMENTAL: "true" + run: | + final_img_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}:${{ env.image_tag }} | jq -r '.manifests[] | 
select(.platform.architecture == "amd64") | .digest') + cosign sign --yes ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}@${final_img_digest} + + \ No newline at end of file diff --git a/.github/workflows/go-base.yaml b/.github/workflows/go-base.yaml index 3d13e81..998d246 100644 --- a/.github/workflows/go-base.yaml +++ b/.github/workflows/go-base.yaml @@ -1,4 +1,14 @@ name: go-base +env : + image_tag: v1 + REGISTRY: ghcr.io + owner : buildsafedev + runtime_image: go-base-runtime + dev_image: go-base-dev + final_image: go-final + final_arm64_image: go-final-arm64 + final_amd64_image: go-final-amd64 + on: push: @@ -12,11 +22,11 @@ jobs: - name: Run Prepare Action uses: buildsafedev/multiarch-build--action/prepare-action@main with: - oci_registry_username: ${{ secrets.DOCKER_USERNAME }} - oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} - image_name: holiodin01/go-base-dev + oci_registry_username: ${{ env.owner}} + oci_registry_password: ${{ secrets.GITHUB_TOKEN }} + image_name: ${{ env.owner }}/${{ env.dev_image }} ociBlock: go-dev - tag: v0.1.0 + tag: ${{ env.image_tag }} prepare-go-runtime: runs-on: ubuntu-latest @@ -26,12 +36,13 @@ jobs: - name: Run Prepare Action uses: buildsafedev/multiarch-build--action/prepare-action@main with: - oci_registry_username: ${{ secrets.DOCKER_USERNAME }} - oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} - image_name: holiodin01/go-base-runtime + oci_registry_username: ${{ env.owner }} + oci_registry_password: ${{ secrets.GITHUB_TOKEN }} + image_name: ${{ env.owner }}/${{ env.runtime_image }} ociBlock: go-runtime - tag: v0.1.0 + tag: ${{ env.image_tag }} + # Build the oci images for dev and runtime build: needs : [prepare-go-dev, prepare-go-runtime] strategy: 
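Review bot: `sign_image` signs whatever the mutable tag `${{ env.image_tag }}` (`v1`) resolves to at signing time, because it re-runs `docker manifest inspect` on the tag instead of using the digest that `hermetic_builds` exports and `artifact` attests. This workflow runs on every push and shares its name, tag and `final_amd64_image` with go-base.yaml, so a concurrent run can move the tag between the build, the grype scan and the signature. Pass the digest through instead: `needs: [hermetic_builds, scan_image]` on `sign_image` and `cosign sign --yes ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}@${{ needs.hermetic_builds.outputs.amd64_digest }}`, and scan by that digest as well. The same resolve-tag-then-sign pattern appears in the signing jobs added to go-base.yaml, python-base.yaml and python-pip.yaml.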
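Review bot: `env :` and `owner :` are written with a space before the colon, unlike the other keys in this block and unlike the same block in go-base-amd64.yaml; yamllint's `colons` rule flags this. Write `env:` and `owner: buildsafedev`. The `env :` spelling recurs in the first hunks of python-base.yaml, python-pip.yaml and rust-base.yaml.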
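Review bot: The added lines hand `secrets.GITHUB_TOKEN` to `buildsafedev/multiarch-build--action/prepare-action@main`, a branch ref whose content can change without any review in this repository. Pin the action to a full commit SHA, e.g. `uses: buildsafedev/multiarch-build--action/prepare-action@<full-commit-sha>` (placeholder), so the code that receives the registry credential is fixed. The same applies to the `build-action@main` and `merge-action@main` steps in the following hunks, to `DeterminateSystems/nix-installer-action@main`, and to every `@main` step in go-base-amd64.yaml. The job starts above this hunk, so the `uses:` line itself is context here.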
@@ -46,11 +57,13 @@ jobs: - name: Run Build Action uses: buildsafedev/multiarch-build--action/build-action@main with: - oci_registry_username: ${{ secrets.DOCKER_USERNAME }} - oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} + oci_registry_username: ${{ env.owner }} + oci_registry_password: ${{ secrets.GITHUB_TOKEN }} ociBlocks: go-dev go-runtime directory: 'go-server-example' + registry: ghcr.io + # This pirticular job is used to merge the development image of arm64 and amd64 merge-dev: needs: build runs-on: ubuntu-latest @@ -61,11 +74,12 @@ jobs: - name: Run Merge Action uses: buildsafedev/multiarch-build--action/merge-action@main with: - oci_registry_username: ${{ secrets.DOCKER_USERNAME }} - oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} - image_name: holiodin01/go-base-dev + oci_registry_username: ${{ env.owner }} + oci_registry_password: ${{ secrets.GITHUB_TOKEN }} + image_name: ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }} ociBlock: go-dev - tag: v0.1.0 + tag: ${{ env.image_tag }} + registry: ghcr.io merge-runtime: needs: build runs-on: ubuntu-latest 
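Review bot: Pushing to `ghcr.io` with `secrets.GITHUB_TOKEN` needs the `packages: write` scope, and no `permissions:` key is visible for `build` or for the `prepare-*` and `merge-*` jobs changed in the neighbouring hunks, so the push depends on the repository's default token setting. Declare it on each pushing job (`permissions:` with `contents: read` and `packages: write`), as `hermetic_builds` does. `sign-base-image` and `sign-final-image` in the last hunk of this file set only `id-token: write`, which leaves `packages` at `none` while `cosign sign` has to push the signature to the registry. The `build` job body continues outside this hunk, so a `permissions:` block further up would not be visible here.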
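Review bot: `merge-dev` now passes `image_name` with the registry prefix (`${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}`) and also `registry: ghcr.io`, while the `prepare-*` jobs pass `image_name` without the prefix and without a `registry` input. If the actions compose the reference from `registry` and `image_name` (their implementation is not visible here), one of the two forms resolves to a different repository than intended. Use one convention across the prepare, build and merge steps, and take the registry from `${{ env.REGISTRY }}` rather than repeating the literal. `merge-runtime` in the next hunk has the same shape.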
@@ -76,8 +90,276 @@ jobs: - name: Run Merge Action uses: buildsafedev/multiarch-build--action/merge-action@main with: - oci_registry_username: ${{ secrets.DOCKER_USERNAME }} - oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} - image_name: holiodin01/go-base-runtime + oci_registry_username: ${{ env.owner }} + oci_registry_password: ${{ secrets.GITHUB_TOKEN }} + image_name: ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }} ociBlock: go-runtime - tag: v0.1.0 \ No newline at end of file + tag: ${{ env.image_tag }} + registry: ghcr.io + + sign-base-image: + needs: [merge-dev, merge-runtime] + runs-on: ubuntu-latest + permissions: + id-token: write + steps: + - name: Install Cosign + uses: sigstore/cosign-installer@v3.7.0 + with: + cosign-release: 'v2.4.1' + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{env.owner}} + password: ${{secrets.GITHUB_TOKEN}} + + + - name: Sign and push image + env: + COSIGN_EXPERIMENTAL: "true" + run: | + base_img_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') + runtime_img_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') + + cosign sign --yes ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}@${base_img_digest} + cosign verify \ + --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/go-base.yaml@refs/heads/multiarch-builds" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}@${base_img_digest} + cosign triangulate ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}@${base_img_digest} + # Sign and verify the runtime image + cosign sign --yes ${{ 
env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }}@${runtime_img_digest} + cosign verify \ + --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/go-base.yaml@refs/heads/multiarch-builds" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }}@${runtime_img_digest} + cosign triangulate ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }}@${runtime_img_digest} + + base_img_digest_arm64=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "arm64") | .digest') + runtime_img_digest_arm64=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "arm64") | .digest') + cosign sign --yes ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}@${base_img_digest_arm64} + cosign verify \ + --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/go-base.yaml@refs/heads/multiarch-builds" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}@${base_img_digest_arm64} + cosign triangulate ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}@${base_img_digest_arm64} + cosign sign --yes ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }}@${runtime_img_digest_arm64} + cosign verify \ + --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/go-base.yaml@refs/heads/multiarch-builds" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }}@${runtime_img_digest_arm64} + cosign triangulate ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }}@${runtime_img_digest_arm64} + + hermetic_builds: + runs-on: 
ubuntu-latest + needs: [sign-base-image] + permissions: + id-token: write + packages: write + contents: read + attestations: write + outputs: + amd64_digest: ${{ steps.build-amd64.outputs.digest }} + arm64_digest: ${{ steps.build-arm64.outputs.digest }} + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{env.owner}} + password: ${{secrets.GITHUB_TOKEN}} + + - name: Build hermetic image amd64 + id: build-amd64 + working-directory: go-server-example + run: | + base_img_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') + runtime_img_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') + docker buildx create --name mybuilder --use --driver docker-container + docker buildx build \ + --build-arg BASE_IMAGE=${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}@${base_img_digest} \ + --build-arg RUNTIME_IMAGE=${{ env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }}@${runtime_img_digest} \ + --no-cache \ + --tag ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}:${{ env.image_tag }} \ + --network=none \ + --attest type=provenance,mode=min \ + --platform=linux/amd64 \ + --push \ + --output type=oci \ + https://github.com/buildsafedev/examples.git\#multiarch-builds:go-server-example + # Get the digest of the built image + amd64_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_image }}${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') + echo "digest=$amd64_digest" >> $GITHUB_OUTPUT + + - name: Build hermetic image arm64 + id: build-arm64 + working-directory: 
go-server-example + run: | + base_img_digest_arm64=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "arm64") | .digest') + runtime_img_digest_arm64=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "arm64") | .digest') + docker buildx build \ + --build-arg BASE_IMAGE=${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}@${base_img_digest_arm64} \ + --build-arg RUNTIME_IMAGE=${{ env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }}@${runtime_img_digest_arm64} \ + --no-cache \ + --tag ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_arm64_image }}:${{ env.image_tag }} \ + --network=none \ + --attest type=provenance,mode=min \ + --platform=linux/arm64 \ + --push \ + --output type=oci \ + https://github.com/buildsafedev/examples.git\#multiarch-builds:go-server-example + # Get the digest of the built image + arm64_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{github.actor}}/${{ env.final_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "arm64") | .digest') + echo "digest=$arm64_digest" >> $GITHUB_OUTPUT + + merge-final: + runs-on: ubuntu-latest + needs: hermetic_builds + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{env.owner}} + password: ${{secrets.GITHUB_TOKEN}} + + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: | + ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}:${{ env.image_tag }} + ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_arm64_image }}:${{ env.image_tag }} + + - name: Create manifest list and push + run: | + mkdir -p /tmp/digests/go-final + + # Save the digests (you should have them generated 
earlier in the build process) + echo "${{ needs.hermetic_builds.outputs.amd64_digest }}" > /tmp/digests/go-final/amd64 + echo "${{ needs.hermetic_builds.outputs.arm64_digest }}" > /tmp/digests/go-final/arm64 + + + + # Navigate to the directory with the digests + cd /tmp/digests/go-final + + ls + + cat amd64 + cat arm64 + + # Extract tags from the docker-metadata-action bake file (jq parses the file) + tags=$(jq -cr '.target."docker-metadata-action".tags | map("-t " + .) | join(" ")' ${{ steps.meta.outputs.bake-file }}) + + # Ensure tags were generated + if [[ -z "$tags" ]]; then + echo "ERROR: No tags were generated." + exit 1 + fi + + # Create the multi-arch manifest list using the collected digests + docker buildx imagetools create $tags \ + ${{ env.REGISTRY }}${{ env.owner }}/${{ env.final_image }}@sha256:$(cat amd64) \ + ${{ env.REGISTRY }}${{ env.owner }}/${{ env.final_image }}@sha256:$(cat arm64) + + # Push the manifest to Docker Hub + docker buildx imagetools push ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_image }}:${{ env.image_tag }} + + + + + artifact: + runs-on: ubuntu-latest + needs: hermetic_builds + permissions: + id-token: write + packages: write + contents: read + attestations: write + steps: + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{env.owner}} + password: ${{secrets.GITHUB_TOKEN}} + + - name: Attest-amd64 + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.REGISTRY }}/${{github.actor}}/${{ env.final_image }} + subject-digest: ${{ needs.hermetic_builds.outputs.amd64_digest }} + push-to-registry: true + + - name: Attest-arm64 + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.REGISTRY }}/${{github.actor}}/${{ env.final_image }} + subject-digest: ${{ needs.hermetic_builds.outputs.arm64_digest }} + push-to-registry: true + + scan_image: + needs: artifact + runs-on: ubuntu-latest + steps: + - name: Install Nix + uses: 
DeterminateSystems/nix-installer-action@main + + # Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url + - name: Setup Nix development environment + uses: nicknovitski/nix-develop@v1 + with: + arguments: ./go-server-example/bsf/.#devShell + + - name: Is hermetic build + run: | + docker buildx imagetools inspect ${{ env.REGISTRY }}/${{github.actor}}/${{ env.final_image }}:${{ env.image_tag }} --format "{{ json .Provenance.SLSA }}" > slsa.json + cat slsa.json + if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then + echo "Hermetic build" + else + echo "Not a hermetic build" + exit 1 + # Check for vulnerabilities :) + - name: Check for vulnerabilities + run: grype ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_image }}:${{ env.image_tag }} --only-fixed --fail-on low + + + sign-final-image: + needs: scan_image + runs-on: ubuntu-latest + permissions: + id-token: write + steps: + - name: Install Cosign + uses: sigstore/cosign-installer@v3.7.0 + with: + cosign-release: 'v2.4.1' + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{env.owner}} + password: ${{secrets.GITHUB_TOKEN}} + + + - name: Sign and push image + env: + COSIGN_EXPERIMENTAL: "true" + run: | + final_img_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{github.actor}}/${{ env.final_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') + cosign sign --yes ${{ env.REGISTRY }}/${{github.actor}}/${{ env.final_image }}@${final_img_digest} + cosign verify \ + --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/go-base.yaml@refs/heads/multiarch-builds" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_image }}@${final_img_digest} + cosign triangulate ${{ env.REGISTRY }}/${{env.owner}}/${{ 
env.final_image }}@${final_img_digest} diff --git a/.github/workflows/python-base.yaml b/.github/workflows/python-base.yaml index 272a59b..648f963 100644 --- a/.github/workflows/python-base.yaml +++ b/.github/workflows/python-base.yaml @@ -1,4 +1,6 @@ name: python-base +env : + image_tag: v1 on: push: @@ -16,7 +18,7 @@ jobs: oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} image_name: holiodin01/python-base ociBlock: python-dev - tag: v0.1.0 + tag: ${{ env.image_tag }} build: needs: prepare 
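Review bot: The digest lookups, attestations and signatures added in the go-base.yaml hunk `@@ -76,8 +90,276 @@` do not all point at the image the build steps push, so the workflow can attest or sign something other than what was built. In `hermetic_builds` the amd64 lookup inspects `${{ env.final_image }}${{ env.image_tag }}` (no `:`, and not the `final_amd64_image` tag pushed just above), and the arm64 lookup, `artifact`, `scan_image` and the `cosign sign` line in `sign-final-image` use `${{github.actor}}` as the namespace while `cosign verify` uses `${{ env.owner }}`; the actor is whoever pushed, not the image owner. `merge-final` also drops the `/` after `${{ env.REGISTRY }}` and prepends `sha256:` to values that already carry that prefix from jq's `.digest`. The `if` in "Is hermetic build" is never closed with `fi`, so that step ends in a shell syntax error and the grype scan after it does not run. The fence shows the reference fixes, following the form go-base-amd64.yaml uses for amd64; the arm64 lines are the analogous guess.

```yaml
# hermetic_builds, "Build hermetic image amd64" — … unchanged: base digests, buildx build …
amd64_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')

# hermetic_builds, "Build hermetic image arm64" — … unchanged: base digests, buildx build …
arm64_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_arm64_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "arm64") | .digest')

# artifact, Attest-amd64 and Attest-arm64 — … unchanged: subject-digest, push-to-registry …
subject-name: ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}
subject-name: ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_arm64_image }}

# scan_image, "Is hermetic build" — … unchanged: grep test and echo lines …
docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_image }}:${{ env.image_tag }} --format "{{ json .Provenance.SLSA }}" > slsa.json
  exit 1
fi

# sign-final-image — sign under the namespace that cosign verify checks
final_img_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
cosign sign --yes ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_image }}@${final_img_digest}
```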
@@ -51,5 +53,142 @@ jobs: oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} image_name: holiodin01/python-base ociBlock: python-dev - tag: v0.1.0 - \ No newline at end of file + tag: ${{ env.image_tag }} + + sign-the-image: + needs: merge + runs-on: ubuntu-latest + permissions: + id-token: write + steps: + - name: Install Cosign + uses: sigstore/cosign-installer@v3.7.0 + with: + cosign-release: 'v2.4.1' + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + + - name: Sign and push image + env: + COSIGN_EXPERIMENTAL: "true" + run: | + + base_img_digest=$(docker manifest inspect holiodin01/python-base:${image_tag} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') + cosign sign --yes holiodin01/python-base@${base_img_digest} + + cosign verify \ + --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/python-base.yaml@refs/heads/multiarch-builds" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + holiodin01/python-base@${base_img_digest} + + cosign triangulate holiodin01/python-base@${base_img_digest} + + base_img_digest_arm=$(docker manifest inspect holiodin01/python-base:${image_tag} | jq -r '.manifests[] | select(.platform.architecture == "arm64") | .digest') + cosign sign --yes holiodin01/python-base@${base_img_digest_arm} + + cosign verify \ + --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/python-base.yaml@refs/heads/multiarch-builds" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + holiodin01/python-base@${base_img_digest_arm} + + cosign triangulate holiodin01/python-base@${base_img_digest_arm} + + + + hermetic_builds: + needs: merge + runs-on: ubuntu-latest + permissions: + id-token: write + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Login to Docker Hub + uses: 
docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + - name : Build hermetic image + working-directory: python + run: | + + base_img_digest=$(docker manifest inspect holiodin01/python-base:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') + + docker buildx create --name mybuilder --use --driver docker-container + + docker buildx build \ + --build-arg BASE_IMAGE=holiodin01/python-base@${base_img_digest} \ + --no-cache \ + --tag holiodin01/python-final:${{ env.image_tag }} \ + --network=none \ + --attest type=provenance,mode=min \ + --platform=linux/amd64 \ + --push \ + --output type=oci \ + https://github.com/buildsafedev/examples.git\#multiarch-builds:python + + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@main + + # Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url + - name: Setup Nix development environment + uses: nicknovitski/nix-develop@v1 + with: + arguments: ./python/bsf/.#devShell + + - name: Is hermetic build + run: | + docker buildx imagetools inspect holiodin01/python-final:${{ env.image_tag }} --format "{{ json .Provenance.SLSA }}" > slsa.json + cat slsa.json + if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then + echo "Hermetic build" + else + echo "Not a hermetic build" + exit 1 + fi + + + + # Check for vulnerabilities :) + - name: Check for vulnerabilities + run: | + grype holiodin01/python-final:${{ env.image_tag }} --only-fixed --fail-on low + + sign-final-image: + needs: hermetic_builds + runs-on: ubuntu-latest + permissions: + id-token: write + steps: + - name: Install Cosign + uses: sigstore/cosign-installer@v3.7.0 + with: + cosign-release: 'v2.4.1' + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + + - name: Sign 
and push image + env: + COSIGN_EXPERIMENTAL: "true" + run: | + + final_img_digest=$(docker manifest inspect holiodin01/python-final:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') + + cosign sign --yes holiodin01/python-final@${final_img_digest} + cosign verify \ + --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/python-base.yaml@refs/heads/multiarch-builds" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + holiodin01/python-final@${final_img_digest} + + cosign triangulate holiodin01/python-final@${final_img_digest} \ No newline at end of file diff --git a/.github/workflows/python-pip.yaml b/.github/workflows/python-pip.yaml index 5278241..25328ff 100644 --- a/.github/workflows/python-pip.yaml +++ b/.github/workflows/python-pip.yaml @@ -1,4 +1,6 @@ name: python-pip-base +env : + image_tag: v1 on: push: @@ -16,7 +18,7 @@ jobs: oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} image_name: holiodin01/python-pip-base ociBlock: python-dev - tag: v0.1.0 + tag: ${{ env.image_tag }} build: needs: prepare 
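Review bot: `hermetic_builds` in python-base.yaml is granted `id-token: write` although none of its steps signs or attests, and it runs `DeterminateSystems/nix-installer-action@main` and `nicknovitski/nix-develop@v1` after the Docker Hub login; any step in that job can request an OIDC token carrying this workflow's identity, which is the identity the `cosign verify` calls trust. Replace the block with `permissions:` / `contents: read`. The job also declares `needs: merge`, so it runs in parallel with `sign-the-image` and consumes the base image before its signature has been made or checked; `needs: sign-the-image` restores the ordering go-base.yaml uses with `sign-base-image`. Both points apply equally to `hermetic_builds` in the python-pip.yaml hunk `@@ -51,4 +53,137 @@`.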
@@ -51,4 +53,137 @@ jobs: oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} image_name: holiodin01/python-pip-base ociBlock: python-dev - tag: v0.1.0 \ No newline at end of file + tag: ${{ env.image_tag }} + + sign-the-image: + needs: merge + runs-on: ubuntu-latest + permissions: + id-token: write + steps: + - name: Install Cosign + uses: sigstore/cosign-installer@v3.7.0 + with: + cosign-release: 'v2.4.1' + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Sign and push image + env: + COSIGN_EXPERIMENTAL: "true" + run: | + # Fetch the digest for the base image + base_img_digest=$(docker manifest inspect holiodin01/python-pip-base:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') + + # Use the digest in the cosign commands + cosign sign --yes holiodin01/python-pip-base@${base_img_digest} + cosign verify \ + --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/python-pip.yaml@refs/heads/multiarch-builds" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + holiodin01/python-pip-base@${base_img_digest} + cosign triangulate holiodin01/python-pip-base@${base_img_digest} + + base_img_digest_arm64=$(docker manifest inspect holiodin01/python-pip-base:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "arm64") | .digest') + cosign sign --yes holiodin01/python-pip-base@${base_img_digest_arm64} + cosign verify \ + --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/python-pip.yaml@refs/heads/multiarch-builds" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + holiodin01/python-pip-base@${base_img_digest_arm64} + + cosign triangulate holiodin01/python-pip-base@${base_img_digest_arm64} + + hermetic_builds: + needs: merge + runs-on: ubuntu-latest + permissions: + 
id-token: write + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + - name : Build hermetic image + working-directory: python-pip + run: | + base_img_digest=$(docker manifest inspect holiodin01/python-pip-base:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') + + docker buildx create --name mybuilder --use --driver docker-container + + docker buildx build \ + --build-arg BASE_IMAGE=holiodin01/python-pip-base@${base_img_digest} \ + --no-cache \ + --tag holiodin01/python-pip-final:${{ env.image_tag }} \ + --network=none \ + --attest type=provenance,mode=min \ + --platform=linux/amd64 \ + --push \ + --output type=oci \ + https://github.com/buildsafedev/examples.git\#multiarch-builds:python-pip + + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@main + + # Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url + - name: Setup Nix development environment + uses: nicknovitski/nix-develop@v1 + with: + arguments: ./python-pip/bsf/.#devShell + + - name: Is hermetic build + run: | + docker buildx imagetools inspect holiodin01/python-pip-final:${{ env.image_tag }} --format "{{ json .Provenance.SLSA }}" > slsa.json + cat slsa.json + if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then + echo "Hermetic build" + else + echo "Not a hermetic build" + exit 1 + fi + + + + # Check for vulnerabilities :) + - name: Check for vulnerabilities + run: | + grype holiodin01/python-pip-final:${{ env.image_tag }} --only-fixed --fail-on low + + sign-final-image: + needs: hermetic_builds + runs-on: ubuntu-latest + permissions: + id-token: write + steps: + - name: Install Cosign + uses: sigstore/cosign-installer@v3.7.0 + with: + cosign-release: 'v2.4.1' + + - name: Login to Docker Hub + 
uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + + - name: Sign and push image + env: + COSIGN_EXPERIMENTAL: "true" + run: | + + final_img_digest=$(docker manifest inspect holiodin01/python-pip-final:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest') + + cosign sign --yes holiodin01/python-pip-final@${final_img_digest} + cosign verify \ + --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/python-pip.yaml@refs/heads/multiarch-builds" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + holiodin01/python-pip-final@${final_img_digest} + + cosign triangulate holiodin01/python-pip-final@${final_img_digest} \ No newline at end of file diff --git a/.github/workflows/rust-base.yaml b/.github/workflows/rust-base.yaml index c01faa8..77cbae6 100644 --- a/.github/workflows/rust-base.yaml +++ b/.github/workflows/rust-base.yaml @@ -1,4 +1,6 @@ name: rust-base +env : + image_tag: v1 on: push: @@ -16,7 +18,7 @@ jobs: oci_registry_password: ${{ secrets.DOCKERHUB_PASSWORD }} image_name: holiodin01/rust-base-dev ociBlock: rust-dev - tag: v0.1.0 + tag: ${{ env.image_tag }} prepare-rust-runtime: runs-on: ubuntu-latest @@ -30,7 +32,7 @@ jobs: oci_registry_password: ${{ secrets.DOCKERHUB_PASSWORD }} image_name: holiodin01/rust-base-runtime ociBlock: rust-runtime - tag: v0.1.0 + tag: ${{ env.image_tag }} build: needs: [prepare-rust-dev, prepare-rust-runtime] @@ -65,7 +67,7 @@ jobs: oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} image_name: holiodin01/rust-base-dev ociBlock: rust-dev - tag: v0.1.0 + tag: ${{ env.image_tag }} merge-runtime: needs: build runs-on: ubuntu-latest 
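Review bot: The "Is hermetic build" gate in python-pip.yaml matches the literal text `#hermetic\": true` with `grep`, so it depends on the exact spacing of the JSON that `imagetools inspect` prints; it fails closed, but a formatting change in the output would break every run. Test the value instead, e.g. `jq -e '.metadata["https://mobyproject.org/buildkit@v1#hermetic"] == true' slsa.json`, assuming the key sits under `.metadata`; confirm that against the `cat slsa.json` output. The same step appears in go-base-amd64.yaml, go-base.yaml and python-base.yaml.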
@@ -80,4 +82,158 @@ jobs:
 oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
 image_name: holiodin01/rust-base-runtime
 ociBlock: rust-runtime
- tag: v0.1.0
\ No newline at end of file
+ tag: ${{ env.image_tag }}
+
+ sign-the-image:
+ needs: [merge-dev, merge-runtime]
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ steps:
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.7.0
+ with:
+ cosign-release: 'v2.4.1'
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+
+ - name: Sign and push image
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ run: |
+ base_img_digest=$(docker manifest inspect holiodin01/rust-base-dev:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
+ runtime_img_digest=$(docker manifest inspect holiodin01/rust-base-runtime:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
+
+ cosign sign --yes holiodin01/rust-base-dev@${base_img_digest}
+ cosign verify \
+ --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/rust-base.yaml@refs/heads/multiarch-builds" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+ holiodin01/rust-base-dev@${base_img_digest}
+
+ cosign triangulate holiodin01/rust-base-dev@${base_img_digest}
+
+ cosign sign --yes holiodin01/rust-base-runtime@${runtime_img_digest}
+ cosign verify \
+ --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/rust-base.yaml@refs/heads/multiarch-builds" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+ holiodin01/rust-base-runtime@${runtime_img_digest}
+
+ cosign triangulate holiodin01/rust-base-runtime@${runtime_img_digest}
+
+ base_img_digest_arm=$(docker manifest inspect holiodin01/rust-base-dev:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "arm64") | .digest')
+ runtime_img_digest_arm=$(docker manifest inspect holiodin01/rust-base-dev:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "arm64") | .digest')
+
+ cosign sign --yes holiodin01/rust-base-dev@${base_img_digest_arm}
+ cosign verify \
+ --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/rust-base.yaml@refs/heads/multiarch-builds" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+ holiodin01/rust-base-dev@${base_img_digest_arm}
+
+ cosign triangulate holiodin01/rust-base-dev@${base_img_digest_arm}
+
+ cosign sign --yes holiodin01/rust-base-runtime@${runtime_img_digest_arm}
+ cosign verify \
+ --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/rust-base.yaml@refs/heads/multiarch-builds" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+ holiodin01/rust-base-dev@${runtime_img_digest_arm}
+
+ cosign triangulate holiodin01/rust-base-dev@${runtime_img_digest_arm}
+
+
+ hermetic_builds:
+ needs: [merge-dev, merge-runtime]
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+ - name : Build hermetic image
+ working-directory: rust
+ run: |
+
+ base_img_digest=$(docker manifest inspect holiodin01/rust-base-dev:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
+ runtime_img_digest=$(docker manifest inspect holiodin01/rust-base-runtime:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
+
+
+ docker buildx create --name mybuilder --use --driver docker-container
+
+ docker buildx build \
+ --build-arg BASE_IMAGE=holiodin01/rust-base-dev@${base_img_digest} \
+ --build-arg RUNTIME_IMAGE=holiodin01/rust-base-runtime@${runtime_img_digest} \
+ --no-cache \
+ --tag holiodin01/rust-final:${{ env.image_tag }} \
+ --network=none \
+ --attest type=provenance,mode=min \
+ --platform=linux/amd64 \
+ --push \
+ --output type=oci \
+ https://github.com/buildsafedev/examples.git\#multiarch-builds:rust
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@main
+
+ # Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url
+ - name: Setup Nix development environment
+ uses: nicknovitski/nix-develop@v1
+ with:
+ arguments: ./rust/bsf/.#devShell
+
+ - name: Is hermetic build
+ run: |
+ docker buildx imagetools inspect holiodin01/rust-final:${{ env.image_tag }} --format "{{ json .Provenance.SLSA }}" > slsa.json
+ cat slsa.json
+ if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then
+ echo "Hermetic build"
+ else
+ echo "Not a hermetic build"
+ exit 1
+ fi
+
+ # Check for vulnerabilities :)
+ - name: Check for vulnerabilities
+ run: grype holiodin01/rust-final:${{ env.image_tag }} --only-fixed --fail-on low
+
+
+ sign-final-image:
+ needs: hermetic_builds
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ steps:
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.7.0
+ with:
+ cosign-release: 'v2.4.1'
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+
+ - name: Sign and push image
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ run: |
+
+ final_img_digest=$(docker manifest inspect holiodin01/rust-final:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
+ cosign sign --yes holiodin01/rust-final@${final_img_digest}
+ cosign verify \
+ --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/rust-base.yaml@refs/heads/multiarch-builds" \
+ --certificate-oidc-issuer
"https://token.actions.githubusercontent.com" \ + holiodin01/rust-final@${final_img_digest} + + cosign triangulate holiodin01/rust-final@${final_img_digest} \ No newline at end of file diff --git a/go-server-example/Dockerfile b/go-server-example/Dockerfile index 12cb278..e307b2f 100644 --- a/go-server-example/Dockerfile +++ b/go-server-example/Dockerfile @@ -1,7 +1,11 @@ # syntax=docker/dockerfile:1 +ARG BASE_IMAGE=holiodin01/go-base-dev@sha256:1db4455e49d70f1fe1b5564ab57227ea7b2b499ad7d23cf7a9fc0d222502a010 +ARG RUNTIME_IMAGE=holiodin01/go-base-runtime@sha256:ac6c10434184f1f1bdf6a1d22427da18ccfd998e8363962aa101a86b0387de5d + # Stage 1: Build the application -FROM holiodin01/go-base-dev:v0.1.0 AS build +FROM ${BASE_IMAGE} AS build +# FROM holiodin01/go-base-dev:v0.1.0 AS build WORKDIR /src @@ -13,7 +17,8 @@ RUN mkdir -p /tmp RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -o /bin/server . # Stage 2: Create the final image -FROM holiodin01/go-base-runtime:v0.1.0 AS final +FROM ${RUNTIME_IMAGE} AS final +# FROM holiodin01/go-base-runtime:v0.1.0 AS final WORKDIR /app diff --git a/go-server-example/bsf.hcl b/go-server-example/bsf.hcl index 39a362f..390e558 100644 --- a/go-server-example/bsf.hcl +++ b/go-server-example/bsf.hcl @@ -1,6 +1,5 @@ - packages { - development = ["go@1.22.3", "gotools@0.18.0", "delve@1.22.1", "coreutils-full@~9.5", "tzdata@2024a", "bash@~5.2.15"] + development = ["bash@~5.2.15", "coreutils-full@~9.5", "delve@1.22.1", "gotools@0.18.0", "grype@~0.80.2", "skopeo@~1.16.1", "tzdata@2024a", "go@~1.23.1"] runtime = ["cacert@3.95"] } @@ -13,8 +12,8 @@ gomodule { } oci "go-dev" { - name = "docker.io/holiodin01/go-base-dev" - layers = ["packages.runtime + packages.dev"] + name = "ghcr.io/buildsafedev/go-base-dev" + layers = ["packages.dev"] isBase = true cmd = [] entrypoint = [] 
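Review bot: The arm64 runtime image is not covered by the signing step in `sign-the-image`: `runtime_img_digest_arm` is read from `holiodin01/rust-base-dev`, and the last `cosign verify` and `cosign triangulate` of that `run` block also name `rust-base-dev`. As written, `cosign sign` is handed a dev-image digest under the runtime repository, which presumably either fails to resolve or leaves the real arm64 runtime manifest unsigned, and the verify after it re-checks the dev image that was signed a few lines earlier, so it cannot catch the gap. The lookup should be `runtime_img_digest_arm=$(docker manifest inspect holiodin01/rust-base-runtime:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "arm64") | .digest')`, and both later references should be `holiodin01/rust-base-runtime@${runtime_img_digest_arm}`.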
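Review bot: The default values of `BASE_IMAGE` and `RUNTIME_IMAGE` still point at `holiodin01/...` digests on Docker Hub, while the same commit moves the `go-dev` and `go-runtime` OCI blocks in `bsf.hcl` to `ghcr.io/buildsafedev/...`. Any build that does not pass both `--build-arg` values silently falls back to the old Docker Hub images rather than the ones this pipeline publishes; whether the go workflow always passes them is not visible in this hunk. Dropping the defaults makes an unset argument fail the build instead, i.e. `ARG BASE_IMAGE` and `ARG RUNTIME_IMAGE`; otherwise update them to the ghcr.io digests. The commented-out `# FROM ...:v0.1.0` lines here and in the second hunk (`@@ -13,7 +17,8 @@`) can be deleted, since the history keeps them.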
@@ -22,9 +21,8 @@ oci "go-dev" { exposedPorts = [] importConfigs = [] } - oci "go-runtime" { - name = "docker.io/holiodin01/go-base-runtime" + name = "ghcr.io/buildsafedev/go-base-runtime" layers = ["packages.runtime"] isBase = true cmd = [] diff --git a/go-server-example/bsf.lock b/go-server-example/bsf.lock new file mode 100644 index 0000000..1de68d6 --- /dev/null +++ b/go-server-example/bsf.lock 
@@ -0,0 +1,528 @@ +{ + "app": { + "name": "go-server-example" + }, + "packages": [ + { + "package": { + "name": "bash", + "revision": "1ebb7d7bba2953a4223956cfb5f068b0095f84a7", + "version": "5.2.15", + "description": "GNU Bourne-Again Shell, the de facto standard shell on Linux", + "homepage": "https://www.gnu.org/software/bash", + "free": true, + "spdx_id": "GPL-3.0-or-later", + "epoch_seconds": 1653393815, + "platforms": [ + "i686-cygwin", + "x86_64-cygwin", + "x86_64-darwin", + "i686-darwin", + "aarch64-darwin", + "armv7a-darwin", + "i686-freebsd13", + "x86_64-freebsd13", + "x86_64-solaris", + "aarch64-linux", + "armv5tel-linux", + "armv6l-linux", + "armv7a-linux", + "armv7l-linux", + "i686-linux", + "loongarch64-linux", + "m68k-linux", + "microblaze-linux", + "microblazeel-linux", + "mips-linux", + "mips64-linux", + "mips64el-linux", + "mipsel-linux", + "powerpc64-linux", + "powerpc64le-linux", + "riscv32-linux", + "riscv64-linux", + "s390-linux", + "s390x-linux", + "x86_64-linux", + "aarch64-netbsd", + "armv6l-netbsd", + "armv7a-netbsd", + "armv7l-netbsd", + "i686-netbsd", + "m68k-netbsd", + "mipsel-netbsd", + "powerpc-netbsd", + "riscv32-netbsd", + "riscv64-netbsd", + "x86_64-netbsd", + "i686-openbsd", + "x86_64-openbsd", + "x86_64-redox" + ] + }, + "runtime": false + }, + { + "package": { + "name": "cacert", + "revision": "ac5c1886fd9fe49748d7ab80accc4c847481df14", + "version": "3.95", + "description": "A bundle of X.509 certificates of public Certificate Authorities (CA)", + "homepage": "https://curl.haxx.se/docs/caextract.html", + "free": true, + "spdx_id": "MPL-2.0", + "epoch_seconds": 1699289668, + "platforms": [ + "i686-cygwin", + "x86_64-cygwin", + "x86_64-darwin", + "i686-darwin", + "aarch64-darwin", + "armv7a-darwin", + "i686-freebsd13", + "x86_64-freebsd13", + "aarch64-genode", + "i686-genode", + "x86_64-genode", + "x86_64-solaris", + "javascript-ghcjs", + "aarch64-linux", + "armv5tel-linux", + "armv6l-linux", + "armv7a-linux", + "armv7l-linux", + 
"i686-linux", + "loongarch64-linux", + "m68k-linux", + "microblaze-linux", + "microblazeel-linux", + "mips-linux", + "mips64-linux", + "mips64el-linux", + "mipsel-linux", + "powerpc64-linux", + "powerpc64le-linux", + "riscv32-linux", + "riscv64-linux", + "s390-linux", + "s390x-linux", + "x86_64-linux", + "mmix-mmixware", + "aarch64-netbsd", + "armv6l-netbsd", + "armv7a-netbsd", + "armv7l-netbsd", + "i686-netbsd", + "m68k-netbsd", + "mipsel-netbsd", + "powerpc-netbsd", + "riscv32-netbsd", + "riscv64-netbsd", + "x86_64-netbsd", + "aarch64_be-none", + "aarch64-none", + "arm-none", + "armv6l-none", + "avr-none", + "i686-none", + "microblaze-none", + "microblazeel-none", + "mips-none", + "mips64-none", + "msp430-none", + "or1k-none", + "m68k-none", + "powerpc-none", + "powerpcle-none", + "riscv32-none", + "riscv64-none", + "rx-none", + "s390-none", + "s390x-none", + "vc4-none", + "x86_64-none", + "i686-openbsd", + "x86_64-openbsd", + "x86_64-redox", + "wasm64-wasi", + "wasm32-wasi", + "x86_64-windows", + "i686-windows" + ] + }, + "runtime": true + }, + { + "package": { + "name": "coreutils-full", + "revision": "7445ccd775d8b892fc56448d17345443a05f7fb4", + "version": "9.5", + "description": "The GNU Core Utilities", + "homepage": "https://www.gnu.org/software/coreutils/", + "free": true, + "spdx_id": "GPL-3.0-or-later", + "epoch_seconds": 1716993062, + "platforms": [ + "i686-cygwin", + "x86_64-cygwin", + "x86_64-darwin", + "i686-darwin", + "aarch64-darwin", + "armv7a-darwin", + "i686-freebsd", + "x86_64-freebsd", + "x86_64-solaris", + "aarch64-linux", + "armv5tel-linux", + "armv6l-linux", + "armv7a-linux", + "armv7l-linux", + "i686-linux", + "loongarch64-linux", + "m68k-linux", + "microblaze-linux", + "microblazeel-linux", + "mips-linux", + "mips64-linux", + "mips64el-linux", + "mipsel-linux", + "powerpc64-linux", + "powerpc64le-linux", + "riscv32-linux", + "riscv64-linux", + "s390-linux", + "s390x-linux", + "x86_64-linux", + "aarch64-netbsd", + "armv6l-netbsd", + 
"armv7a-netbsd", + "armv7l-netbsd", + "i686-netbsd", + "m68k-netbsd", + "mipsel-netbsd", + "powerpc-netbsd", + "riscv32-netbsd", + "riscv64-netbsd", + "x86_64-netbsd", + "i686-openbsd", + "x86_64-openbsd", + "x86_64-redox", + "i686-cygwin", + "x86_64-cygwin", + "x86_64-windows", + "i686-windows" + ], + "attr_name": "coreutils-full" + }, + "runtime": false + }, + { + "package": { + "name": "delve", + "revision": "d7570b04936e9b0f5268e0d834dee40368ad3308", + "version": "1.22.1", + "description": "debugger for the Go programming language", + "homepage": "https://github.com/go-delve/delve", + "free": true, + "spdx_id": "MIT", + "epoch_seconds": 1709830921, + "platforms": [ + "x86_64-darwin", + "i686-darwin", + "aarch64-darwin", + "armv7a-darwin", + "aarch64-linux", + "armv5tel-linux", + "armv6l-linux", + "armv7a-linux", + "armv7l-linux", + "i686-linux", + "loongarch64-linux", + "m68k-linux", + "microblaze-linux", + "microblazeel-linux", + "mips-linux", + "mips64-linux", + "mips64el-linux", + "mipsel-linux", + "powerpc64-linux", + "powerpc64le-linux", + "riscv32-linux", + "riscv64-linux", + "s390-linux", + "s390x-linux", + "x86_64-linux" + ], + "attr_name": "delve" + }, + "runtime": false + }, + { + "package": { + "name": "go", + "revision": "2af19cfb6aa40768c4bbefd801a136270e099191", + "version": "1.23.1", + "description": "Go Programming language", + "homepage": "https://go.dev/", + "free": true, + "spdx_id": "BSD-3-Clause", + "epoch_seconds": 1727301923, + "platforms": [ + "x86_64-darwin", + "i686-darwin", + "aarch64-darwin", + "armv7a-darwin", + "aarch64-linux", + "armv5tel-linux", + "armv6l-linux", + "armv7a-linux", + "armv7l-linux", + "i686-linux", + "loongarch64-linux", + "m68k-linux", + "microblaze-linux", + "microblazeel-linux", + "mips-linux", + "mips64-linux", + "mips64el-linux", + "mipsel-linux", + "powerpc64-linux", + "powerpc64le-linux", + "riscv32-linux", + "riscv64-linux", + "s390-linux", + "s390x-linux", + "x86_64-linux", + "wasm64-wasi", + 
"wasm32-wasi", + "i686-freebsd", + "x86_64-freebsd" + ], + "attr_name": "go_1_23" + }, + "runtime": false + }, + { + "package": { + "name": "gotools", + "revision": "d7570b04936e9b0f5268e0d834dee40368ad3308", + "version": "0.18.0", + "description": "Additional tools for Go development", + "homepage": "https://go.googlesource.com/tools", + "free": true, + "spdx_id": "BSD-3-Clause", + "epoch_seconds": 1709830921, + "platforms": [ + "x86_64-darwin", + "i686-darwin", + "aarch64-darwin", + "armv7a-darwin", + "aarch64-linux", + "armv5tel-linux", + "armv6l-linux", + "armv7a-linux", + "armv7l-linux", + "i686-linux", + "loongarch64-linux", + "m68k-linux", + "microblaze-linux", + "microblazeel-linux", + "mips-linux", + "mips64-linux", + "mips64el-linux", + "mipsel-linux", + "powerpc64-linux", + "powerpc64le-linux", + "riscv32-linux", + "riscv64-linux", + "s390-linux", + "s390x-linux", + "x86_64-linux" + ], + "attr_name": "gotools" + }, + "runtime": false + }, + { + "package": { + "name": "grype", + "revision": "2af19cfb6aa40768c4bbefd801a136270e099191", + "version": "0.80.2", + "description": "Vulnerability scanner for container images and filesystems", + "homepage": "https://github.com/anchore/grype", + "free": true, + "spdx_id": "Apache-2.0", + "epoch_seconds": 1727301923, + "platforms": [ + "x86_64-darwin", + "i686-darwin", + "aarch64-darwin", + "armv7a-darwin", + "aarch64-linux", + "armv5tel-linux", + "armv6l-linux", + "armv7a-linux", + "armv7l-linux", + "i686-linux", + "loongarch64-linux", + "m68k-linux", + "microblaze-linux", + "microblazeel-linux", + "mips-linux", + "mips64-linux", + "mips64el-linux", + "mipsel-linux", + "powerpc64-linux", + "powerpc64le-linux", + "riscv32-linux", + "riscv64-linux", + "s390-linux", + "s390x-linux", + "x86_64-linux", + "wasm64-wasi", + "wasm32-wasi", + "i686-freebsd", + "x86_64-freebsd" + ], + "attr_name": "grype" + }, + "runtime": false + }, + { + "package": { + "name": "skopeo", + "revision": 
"2af19cfb6aa40768c4bbefd801a136270e099191", + "version": "1.16.1", + "description": "Command line utility for various operations on container images and image repositories", + "homepage": "https://github.com/containers/skopeo", + "free": true, + "spdx_id": "Apache-2.0", + "epoch_seconds": 1727301923, + "platforms": [ + "x86_64-darwin", + "i686-darwin", + "aarch64-darwin", + "armv7a-darwin", + "aarch64-linux", + "armv5tel-linux", + "armv6l-linux", + "armv7a-linux", + "armv7l-linux", + "i686-linux", + "loongarch64-linux", + "m68k-linux", + "microblaze-linux", + "microblazeel-linux", + "mips-linux", + "mips64-linux", + "mips64el-linux", + "mipsel-linux", + "powerpc64-linux", + "powerpc64le-linux", + "riscv32-linux", + "riscv64-linux", + "s390-linux", + "s390x-linux", + "x86_64-linux", + "wasm64-wasi", + "wasm32-wasi", + "i686-freebsd", + "x86_64-freebsd" + ], + "attr_name": "skopeo" + }, + "runtime": false + }, + { + "package": { + "name": "tzdata", + "revision": "d7570b04936e9b0f5268e0d834dee40368ad3308", + "version": "2024a", + "description": "Database of current and historical time zones", + "homepage": "http://www.iana.org/time-zones", + "free": true, + "spdx_id": "BSD-3-Clause", + "epoch_seconds": 1709830921, + "platforms": [ + "i686-cygwin", + "x86_64-cygwin", + "x86_64-darwin", + "i686-darwin", + "aarch64-darwin", + "armv7a-darwin", + "i686-freebsd13", + "x86_64-freebsd13", + "aarch64-genode", + "i686-genode", + "x86_64-genode", + "x86_64-solaris", + "javascript-ghcjs", + "aarch64-linux", + "armv5tel-linux", + "armv6l-linux", + "armv7a-linux", + "armv7l-linux", + "i686-linux", + "loongarch64-linux", + "m68k-linux", + "microblaze-linux", + "microblazeel-linux", + "mips-linux", + "mips64-linux", + "mips64el-linux", + "mipsel-linux", + "powerpc64-linux", + "powerpc64le-linux", + "riscv32-linux", + "riscv64-linux", + "s390-linux", + "s390x-linux", + "x86_64-linux", + "mmix-mmixware", + "aarch64-netbsd", + "armv6l-netbsd", + "armv7a-netbsd", + "armv7l-netbsd", + 
"i686-netbsd", + "m68k-netbsd", + "mipsel-netbsd", + "powerpc-netbsd", + "riscv32-netbsd", + "riscv64-netbsd", + "x86_64-netbsd", + "aarch64_be-none", + "aarch64-none", + "arm-none", + "armv6l-none", + "avr-none", + "i686-none", + "microblaze-none", + "microblazeel-none", + "mips-none", + "mips64-none", + "msp430-none", + "or1k-none", + "m68k-none", + "powerpc-none", + "powerpcle-none", + "riscv32-none", + "riscv64-none", + "rx-none", + "s390-none", + "s390x-none", + "vc4-none", + "x86_64-none", + "i686-openbsd", + "x86_64-openbsd", + "x86_64-redox", + "wasm64-wasi", + "wasm32-wasi", + "x86_64-windows", + "i686-windows" + ], + "attr_name": "tzdata" + }, + "runtime": false + } + ] +} \ No newline at end of file diff --git a/go-server-example/bsf/default.nix b/go-server-example/bsf/default.nix new file mode 100644 index 0000000..08e1b39 --- /dev/null +++ b/go-server-example/bsf/default.nix @@ -0,0 +1,28 @@ + + { pkgs ? ( + let + inherit (builtins) fetchTree fromJSON readFile; + inherit ((fromJSON (readFile ./flake.lock)).nodes) nixpkgs gomod2nix; + in + import (fetchTree nixpkgs.locked) { + overlays = [ + (import "${fetchTree gomod2nix.locked}/overlay.nix") + ]; + } + ) + , buildGoApplication ? pkgs.buildGoApplication, + go ? go, + }: + + buildGoApplication { + pname = "go-server-example"; + inherit go; + version = "0.1"; + pwd = ./.; + src = ../.; + modules = ./gomod2nix.toml; + doCheck = false; + + + } + \ No newline at end of file diff --git a/go-server-example/bsf/flake.lock b/go-server-example/bsf/flake.lock new file mode 100644 index 0000000..3caba1d --- /dev/null +++ b/go-server-example/bsf/flake.lock 
@@ -0,0 +1,235 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gomod2nix": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729448365, + "narHash": "sha256-oquZeWTYWTr5IxfwEzgsxjtD8SSFZYLdO9DaQb70vNU=", + "owner": "nix-community", + "repo": "gomod2nix", + "rev": "5d387097aa716f35dd99d848dc26d8d5b62a104c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "gomod2nix", + "type": "github" + } + }, + "nix2container": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1729339656, + "narHash": "sha256-smV7HQ/OqZeRguQxNjsb3uQDwm0p6zKDbSDbPCav/oY=", + "owner": "nlewo", + "repo": "nix2container", + "rev": "cc96df7c3747c61c584d757cfc083922b4f4b33e", + "type": "github" + }, + "original": { + "owner": "nlewo", + "repo": "nix2container", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1712920918, + "narHash": "sha256-1yxFvUcJfUphK9V91KufIQom7gCsztza0H4Rz2VCWUU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "92323443a56f4e9fc4e4b712e3119f66d0969297", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + 
}, + "nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7": { + "locked": { + "lastModified": 1702939464, + "narHash": "sha256-mZqoH5fXxh8UxjUKpqi09UBXEPpz4w+2Ef0AVTLuF+g=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "1ebb7d7bba2953a4223956cfb5f068b0095f84a7", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "rev": "1ebb7d7bba2953a4223956cfb5f068b0095f84a7", + "type": "github" + } + }, + "nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191": { + "locked": { + "lastModified": 1727301923, + "narHash": "sha256-hZIzX7Qx9k1s+j5dDp20jgxJ0jTxX403/P6o1yJxi1k=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "2af19cfb6aa40768c4bbefd801a136270e099191", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "rev": "2af19cfb6aa40768c4bbefd801a136270e099191", + "type": "github" + } + }, + "nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4": { + "locked": { + "lastModified": 1716993062, + "narHash": "sha256-Q7+8FPD2V8OoGAe0d5LoE8HZ5KYJMyb80klPyrZj2hw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "7445ccd775d8b892fc56448d17345443a05f7fb4", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "rev": "7445ccd775d8b892fc56448d17345443a05f7fb4", + "type": "github" + } + }, + "nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14": { + "locked": { + "lastModified": 1702838883, + "narHash": "sha256-R01Ga1NsBsZsNkLrnhuw+6gJIKtz9B15L9vybTlLpko=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ac5c1886fd9fe49748d7ab80accc4c847481df14", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ac5c1886fd9fe49748d7ab80accc4c847481df14", + "type": "github" + } + }, + "nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308": { + "locked": { + "lastModified": 1709830921, + "narHash": "sha256-B3vcPx6vEDgySFm6GaHZojpF/LEGVCoqRQNG4w8MqVg=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "d7570b04936e9b0f5268e0d834dee40368ad3308", + "type": "github" + }, + "original": 
{ + "owner": "nixos", + "repo": "nixpkgs", + "rev": "d7570b04936e9b0f5268e0d834dee40368ad3308", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1729880355, + "narHash": "sha256-RP+OQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "18536bf04cd71abd345f9579158841376fdd0c5a", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "gomod2nix": "gomod2nix", + "nix2container": "nix2container", + "nixpkgs": "nixpkgs_2", + "nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7": "nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7", + "nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191": "nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191", + "nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4": "nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4", + "nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14": "nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14", + "nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308": "nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/go-server-example/bsf/flake.nix b/go-server-example/bsf/flake.nix new file mode 100644 index 0000000..ec0e383 --- /dev/null 
+++ b/go-server-example/bsf/flake.nix 
@@ -0,0 +1,194 @@ + +{ + description = ""; + + inputs = { + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7.url = "github:nixos/nixpkgs/1ebb7d7bba2953a4223956cfb5f068b0095f84a7"; + nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14.url = "github:nixos/nixpkgs/ac5c1886fd9fe49748d7ab80accc4c847481df14"; + nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4.url = "github:nixos/nixpkgs/7445ccd775d8b892fc56448d17345443a05f7fb4"; + nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308.url = "github:nixos/nixpkgs/d7570b04936e9b0f5268e0d834dee40368ad3308"; + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191.url = "github:nixos/nixpkgs/2af19cfb6aa40768c4bbefd801a136270e099191"; + + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + gomod2nix.url = "github:nix-community/gomod2nix"; + gomod2nix.inputs.nixpkgs.follows = "nixpkgs"; + + + + + + + + + nix2container.url = "github:nlewo/nix2container"; + }; + + outputs = inputs@{ self, nixpkgs, + gomod2nix, + + + + nix2container , + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7, + nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14, + nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4, + nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308, + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191, + }: let + supportedSystems = [ "x86_64-linux" "aarch64-darwin" "x86_64-darwin" "aarch64-linux" ]; + + + forEachSupportedSystem = f: nixpkgs.lib.genAttrs supportedSystems (system: f { + inherit system; + nix2containerPkgs = nix2container.packages.${system}; + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs = import nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7 { inherit system; }; + nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs = import nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14 { inherit system; }; + nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs = import nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4 { inherit system; }; + nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs = import 
nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308 { inherit system; }; + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs = import nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191 { inherit system; }; + + buildGoApplication = gomod2nix.legacyPackages.${system}.buildGoApplication; + pkgs = import nixpkgs { inherit system; }; + + + }); + in { + + devShells = forEachSupportedSystem ({ pkgs, + buildGoApplication, + + + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, + nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, + nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, + nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs, + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, + ... }: { + devShell = pkgs.mkShell { + # The Nix packages provided in the environment + packages = [ + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.bash + nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.coreutils-full + nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.delve + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.go_1_23 + nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.gotools + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.grype + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.skopeo + nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.tzdata + + ]; + }; + }); + + runtimeEnvs = forEachSupportedSystem ({ pkgs, + buildGoApplication, + + + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs, nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, ... 
}: { + runtime = pkgs.buildEnv { + name = "runtimeenv"; + paths = [ + nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs.cacert + + ]; + }; + }); + + devEnvs = forEachSupportedSystem ({ pkgs, + buildGoApplication, + + + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs, nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, ... }: { + development = pkgs.buildEnv { + name = "devenv"; + paths = [ + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.bash + nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.coreutils-full + nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.delve + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.go_1_23 + nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.gotools + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.grype + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.skopeo + nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.tzdata + + ]; + }; + }); + + + + + +ociImage_go-dev = forEachSupportedSystem ({ pkgs, nix2containerPkgs, system , nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs, nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, ... 
}: { + + + + ociImage_go-dev_base = nix2containerPkgs.nix2container.buildImage { + name = "ghcr.io/buildsafedev/go-base-dev"; + config = { + cmd = [ ]; + entrypoint = [ ]; + env = [ + + ]; + ExposedPorts = { + + }; + }; + maxLayers = 100; + layers = [ + (nix2containerPkgs.nix2container.buildLayer { + copyToRoot = [ + inputs.self.devEnvs.${system}.development + ]; + }) + + ]; + }; + + + + + ociImage_go-dev_base-as-dir = pkgs.runCommand "image-as-dir" { } "${inputs.self.ociImage_go-dev.${system}.ociImage_go-dev_base.copyTo}/bin/copy-to dir:$out"; + + }); + +ociImage_go-runtime = forEachSupportedSystem ({ pkgs, nix2containerPkgs, system , nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs, nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, ... }: { + + + + ociImage_go-runtime_base = nix2containerPkgs.nix2container.buildImage { + name = "ghcr.io/buildsafedev/go-base-runtime"; + config = { + cmd = [ ]; + entrypoint = [ ]; + env = [ + + ]; + ExposedPorts = { + + }; + }; + maxLayers = 100; + layers = [ + (nix2containerPkgs.nix2container.buildLayer { + copyToRoot = [ + inputs.self.runtimeEnvs.${system}.runtime + ]; + }) + + ]; + }; + + + + + ociImage_go-runtime_base-as-dir = pkgs.runCommand "image-as-dir" { } "${inputs.self.ociImage_go-runtime.${system}.ociImage_go-runtime_base.copyTo}/bin/copy-to dir:$out"; + + }); + + + + + }; +} diff --git a/go-server-example/bsf/gomod2nix.toml b/go-server-example/bsf/gomod2nix.toml new file mode 100644 index 0000000..1dc4311 --- /dev/null +++ b/go-server-example/bsf/gomod2nix.toml 
@@ -0,0 +1,9 @@ +schema = 3 + +[mod] + [mod."github.com/sirupsen/logrus"] + version = "v1.9.3" + hash = "sha256-EnxsWdEUPYid+aZ9H4/iMTs1XMvCLbXZRDyvj89Ebms=" + [mod."golang.org/x/sys"] + version = "v0.0.0-20220715151400-c0bba94af5f8" + hash = "sha256-U/kS1gLvZxZn7yPsFCll93iii+Ug8exwTZHbNijXPW0=" diff --git a/python-pip/Dockerfile b/python-pip/Dockerfile index dae2aa5..b0be175 100644 --- a/python-pip/Dockerfile +++ b/python-pip/Dockerfile @@ -1,4 +1,5 @@ -FROM holiodin01/python-pip-base:v0.1.0 AS base +ARG BASE_IMAGE=holiodin01/python-pip-base@sha256:38525c97491e20076ceee7935a0487e21d26041b234d98584f8b22e57897ce5c +FROM ${BASE_IMAGE} AS build # Prevents Python from writing pyc files. ENV PYTHONDONTWRITEBYTECODE=1 diff --git a/python-pip/bsf.hcl b/python-pip/bsf.hcl index e8b3d6c..0050bed 100644 --- a/python-pip/bsf.hcl +++ b/python-pip/bsf.hcl @@ -1,5 +1,6 @@ + packages { - development = ["coreutils-full@9.5", "python3@3.12.2", "bash@5.2.15", "python3.12-pip@~24.0"] + development = ["coreutils-full@9.5", "bash@5.2.15", "python3.12-pip@~24.0", "cosign@~2.4.0", "grype@~0.80.2", "python3@~3.12.5"] runtime = ["cacert@3.95"] } diff --git a/python-pip/bsf.lock b/python-pip/bsf.lock index 3ee779b..d02bb32 100644 --- a/python-pip/bsf.lock +++ b/python-pip/bsf.lock 
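Review bot: The digest in `ARG BASE_IMAGE=holiodin01/python-pip-base@sha256:…` is only a default, because any `--build-arg BASE_IMAGE=…` replaces it and `FROM ${BASE_IMAGE}` then builds on whatever was passed. If the override exists for CI, the pipeline should verify the signature or digest of the image it passes in, and a comment above the `ARG` should say so, for example `# Default is digest-pinned; a CI override of BASE_IMAGE must be verified before the build`. The line also drops the `v0.1.0` tag, so nothing records which release the digest belongs to; the `name:<tag>@sha256:<digest>` form keeps both. The stage is renamed from `base` to `build` and the rest of the Dockerfile is outside the hunk, so any later `--from=base` reference needs the same rename. The python/Dockerfile hunk makes the same change and the same points apply there.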
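Review bot: `python3@~3.12.5` and `python3.12-pip@~24.0` in `development` resolve from two different nixpkgs revisions: the bsf.lock hunk that follows takes python3 from `2af19cfb…` and pip from `7445ccd7…`. A pip built at the older revision presumably brings that revision's Python 3.12 into its closure, so the image may carry a second interpreter that does not get the 3.12.5 update; inspecting the closure of the built environment would confirm this. Choosing a pip version available at the same revision as python3 would avoid the split. The python/bsf.hcl hunk has the same pattern with `python3@~3.12.5` and `poetry@~1.8.3`.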
@@ -218,15 +218,19 @@ }, { "package": { - "name": "poetry", - "revision": "d7570b04936e9b0f5268e0d834dee40368ad3308", - "version": "1.8.2", - "description": "Python dependency management and packaging made easy", - "homepage": "https://python-poetry.org/", + "name": "cosign", + "revision": "2af19cfb6aa40768c4bbefd801a136270e099191", + "version": "2.4.0", + "description": "Container Signing CLI with support for ephemeral keys and Sigstore signing", + "homepage": "https://github.com/sigstore/cosign", "free": true, - "spdx_id": "MIT", - "epoch_seconds": 1709830921, + "spdx_id": "Apache-2.0", + "epoch_seconds": 1727301923, "platforms": [ + "x86_64-darwin", + "i686-darwin", + "aarch64-darwin", + "armv7a-darwin", "aarch64-linux", "armv5tel-linux", "armv6l-linux", 
@@ -248,29 +252,117 @@ "s390-linux", "s390x-linux", "x86_64-linux", + "wasm64-wasi", + "wasm32-wasi", + "i686-freebsd", + "x86_64-freebsd" + ], + "attr_name": "cosign" + }, + "runtime": false + }, + { + "package": { + "name": "grype", + "revision": "2af19cfb6aa40768c4bbefd801a136270e099191", + "version": "0.80.2", + "description": "Vulnerability scanner for container images and filesystems", + "homepage": "https://github.com/anchore/grype", + "free": true, + "spdx_id": "Apache-2.0", + "epoch_seconds": 1727301923, + "platforms": [ "x86_64-darwin", "i686-darwin", "aarch64-darwin", "armv7a-darwin", - "i686-cygwin", - "x86_64-cygwin", - "x86_64-windows", - "i686-windows" + "aarch64-linux", + "armv5tel-linux", + "armv6l-linux", + "armv7a-linux", + "armv7l-linux", + "i686-linux", + "loongarch64-linux", + "m68k-linux", + "microblaze-linux", + "microblazeel-linux", + "mips-linux", + "mips64-linux", + "mips64el-linux", + "mipsel-linux", + "powerpc64-linux", + "powerpc64le-linux", + "riscv32-linux", + "riscv64-linux", + "s390-linux", + "s390x-linux", + "x86_64-linux", + "wasm64-wasi", + "wasm32-wasi", + "i686-freebsd", + "x86_64-freebsd" ], - "attr_name": "poetry" + "attr_name": "grype" }, "runtime": false }, { "package": { "name": "python3", - "revision": "d7570b04936e9b0f5268e0d834dee40368ad3308", - "version": "3.12.2", - "description": "A high-level dynamically-typed programming language", + "revision": "2af19cfb6aa40768c4bbefd801a136270e099191", + "version": "3.12.5", + "description": "High-level dynamically-typed programming language", "homepage": "https://www.python.org", "free": true, "spdx_id": "Python-2.0", - "epoch_seconds": 1709830921, + "epoch_seconds": 1727301923, + "platforms": [ + "aarch64-linux", + "armv5tel-linux", + "armv6l-linux", + "armv7a-linux", + "armv7l-linux", + "i686-linux", + "loongarch64-linux", + "m68k-linux", + "microblaze-linux", + "microblazeel-linux", + "mips-linux", + "mips64-linux", + "mips64el-linux", + "mipsel-linux", + "powerpc64-linux", 
+ "powerpc64le-linux", + "riscv32-linux", + "riscv64-linux", + "s390-linux", + "s390x-linux", + "x86_64-linux", + "x86_64-darwin", + "i686-darwin", + "aarch64-darwin", + "armv7a-darwin", + "i686-cygwin", + "x86_64-cygwin", + "x86_64-windows", + "i686-windows", + "i686-freebsd", + "x86_64-freebsd" + ], + "attr_name": "python312Full" + }, + "runtime": false + }, + { + "package": { + "name": "python3.12-pip", + "revision": "7445ccd775d8b892fc56448d17345443a05f7fb4", + "version": "24.0", + "description": "The PyPA recommended tool for installing Python packages", + "homepage": "https://pip.pypa.io/", + "free": true, + "spdx_id": "MIT", + "epoch_seconds": 1716993062, "platforms": [ "aarch64-linux", "armv5tel-linux", @@ -302,7 +394,7 @@ "x86_64-windows", "i686-windows" ], - "attr_name": "python312" + "attr_name": "python312Packages.pip" }, "runtime": false } diff --git a/python-pip/bsf/flake.lock b/python-pip/bsf/flake.lock index a06eb30..b7a501b 100644 --- a/python-pip/bsf/flake.lock +++ b/python-pip/bsf/flake.lock 
@@ -68,51 +68,51 @@ "type": "github" } }, - "nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4": { + "nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191": { "locked": { - "lastModified": 1716993062, - "narHash": "sha256-Q7+8FPD2V8OoGAe0d5LoE8HZ5KYJMyb80klPyrZj2hw=", + "lastModified": 1727301923, + "narHash": "sha256-hZIzX7Qx9k1s+j5dDp20jgxJ0jTxX403/P6o1yJxi1k=", "owner": "nixos", "repo": "nixpkgs", - "rev": "7445ccd775d8b892fc56448d17345443a05f7fb4", + "rev": "2af19cfb6aa40768c4bbefd801a136270e099191", "type": "github" }, "original": { "owner": "nixos", "repo": "nixpkgs", - "rev": "7445ccd775d8b892fc56448d17345443a05f7fb4", + "rev": "2af19cfb6aa40768c4bbefd801a136270e099191", "type": "github" } }, - "nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14": { + "nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4": { "locked": { - "lastModified": 1702838883, - "narHash": "sha256-R01Ga1NsBsZsNkLrnhuw+6gJIKtz9B15L9vybTlLpko=", + "lastModified": 1716993062, + "narHash": "sha256-Q7+8FPD2V8OoGAe0d5LoE8HZ5KYJMyb80klPyrZj2hw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ac5c1886fd9fe49748d7ab80accc4c847481df14", + "rev": "7445ccd775d8b892fc56448d17345443a05f7fb4", "type": "github" }, "original": { "owner": "nixos", "repo": "nixpkgs", - "rev": "ac5c1886fd9fe49748d7ab80accc4c847481df14", + "rev": "7445ccd775d8b892fc56448d17345443a05f7fb4", "type": "github" } }, - "nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308": { + "nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14": { "locked": { - "lastModified": 1709830921, - "narHash": "sha256-B3vcPx6vEDgySFm6GaHZojpF/LEGVCoqRQNG4w8MqVg=", + "lastModified": 1702838883, + "narHash": "sha256-R01Ga1NsBsZsNkLrnhuw+6gJIKtz9B15L9vybTlLpko=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d7570b04936e9b0f5268e0d834dee40368ad3308", + "rev": "ac5c1886fd9fe49748d7ab80accc4c847481df14", "type": "github" }, "original": { "owner": "nixos", "repo": "nixpkgs", - "rev": "d7570b04936e9b0f5268e0d834dee40368ad3308", + "rev": 
"ac5c1886fd9fe49748d7ab80accc4c847481df14", "type": "github" } }, @@ -137,9 +137,9 @@ "nix2container": "nix2container", "nixpkgs": "nixpkgs_2", "nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7": "nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7", + "nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191": "nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191", "nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4": "nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4", - "nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14": "nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14", - "nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308": "nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308" + "nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14": "nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14" } }, "systems": { diff --git a/python-pip/bsf/flake.nix b/python-pip/bsf/flake.nix index 6c19990..1d123f5 100644 --- a/python-pip/bsf/flake.nix +++ b/python-pip/bsf/flake.nix @@ -4,7 +4,7 @@ inputs = { nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4.url = "github:nixos/nixpkgs/7445ccd775d8b892fc56448d17345443a05f7fb4"; - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308.url = "github:nixos/nixpkgs/d7570b04936e9b0f5268e0d834dee40368ad3308"; + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191.url = "github:nixos/nixpkgs/2af19cfb6aa40768c4bbefd801a136270e099191"; nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7.url = "github:nixos/nixpkgs/1ebb7d7bba2953a4223956cfb5f068b0095f84a7"; nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14.url = "github:nixos/nixpkgs/ac5c1886fd9fe49748d7ab80accc4c847481df14"; @@ -28,7 +28,7 @@ nix2container , nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4, - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308, + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191, nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14, }: let 
@@ -39,7 +39,7 @@ inherit system; nix2containerPkgs = nix2container.packages.${system}; nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs = import nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4 { inherit system; }; - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs = import nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308 { inherit system; }; + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs = import nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191 { inherit system; }; nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs = import nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7 { inherit system; }; nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs = import nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14 { inherit system; }; @@ -55,7 +55,7 @@ nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs, + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, ... }: { @@ -64,8 +64,10 @@ packages = [ nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.bash nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.coreutils-full - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.poetry - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.python312 + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.cosign + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.grype + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.python312Full + nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.python312Packages.pip ]; }; 
@@ -75,7 +77,7 @@ - nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs, nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, ... }: { + nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, ... }: { runtime = pkgs.buildEnv { name = "runtimeenv"; paths = [ @@ -89,14 +91,16 @@ - nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs, nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, ... }: { + nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, ... }: { development = pkgs.buildEnv { name = "devenv"; paths = [ nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.bash nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.coreutils-full - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.poetry - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.python312 + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.cosign + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.grype + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.python312Full + nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.python312Packages.pip ]; }; 
@@ -106,12 +110,12 @@ -ociImage_pkgs = forEachSupportedSystem ({ pkgs, nix2containerPkgs, system , nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs, nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, ... }: { +ociImage_python-dev = forEachSupportedSystem ({ pkgs, nix2containerPkgs, system , nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, ... }: { - ociImage_pkgs_base = nix2containerPkgs.nix2container.buildImage { - name = "sui"; + ociImage_python-dev_base = nix2containerPkgs.nix2container.buildImage { + name = "docker.io/holiodin01/python-pip-base"; config = { cmd = [ ]; entrypoint = [ ]; @@ -126,23 +130,8 @@ ociImage_pkgs = forEachSupportedSystem ({ pkgs, nix2containerPkgs, system , nix layers = [ (nix2containerPkgs.nix2container.buildLayer { copyToRoot = [ - nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs.cacert - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.bash - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.coreutils-full - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.poetry - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.python312 + inputs.self.runtimeEnvs.${system}.runtime +inputs.self.devEnvs.${system}.development ]; }) 
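Review bot: The single `copyToRoot` layer now combines `inputs.self.runtimeEnvs.${system}.runtime` with `inputs.self.devEnvs.${system}.development`, so the image published as `docker.io/holiodin01/python-pip-base` carries the whole development set, which after this commit includes cosign and grype. The go-server-example flake in the same commit defines separate `ociImage_go-dev` and `ociImage_go-runtime` images. The same split here would keep the scanning and signing tools out of whatever stage the application finally runs in; the Dockerfile may already do that in a later stage, but that is not visible in these hunks. If this flake.nix is generated from bsf.hcl, the change belongs in that file's image definitions, which are also outside the visible hunks. The python/bsf/flake.nix hunk that adds `ociImage_python-dev` has the same layout.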
@@ -152,7 +141,7 @@ ociImage_pkgs = forEachSupportedSystem ({ pkgs, nix2containerPkgs, system , nix - ociImage_pkgs_base-as-dir = pkgs.runCommand "image-as-dir" { } "${inputs.self.ociImage_pkgs.${system}.ociImage_pkgs_base.copyTo}/bin/copy-to dir:$out"; + ociImage_python-dev_base-as-dir = pkgs.runCommand "image-as-dir" { } "${inputs.self.ociImage_python-dev.${system}.ociImage_python-dev_base.copyTo}/bin/copy-to dir:$out"; }); diff --git a/python/Dockerfile b/python/Dockerfile index 8c48feb..d871a4a 100644 --- a/python/Dockerfile +++ b/python/Dockerfile @@ -1,4 +1,5 @@ -FROM holiodin01/python-base:v0.1.0 as base +ARG BASE_IMAGE=holiodin01/python-base@sha256:621e91c99e2e63f7449db891c63a4c81f6982a66c43aaac239cedae55766fad0 +FROM ${BASE_IMAGE} as build # Prevents Python from writing pyc files. ENV PYTHONDONTWRITEBYTECODE=1 diff --git a/python/bsf.hcl b/python/bsf.hcl index 8357c13..af64b19 100644 --- a/python/bsf.hcl +++ b/python/bsf.hcl @@ -1,6 +1,6 @@ packages { - development = ["coreutils-full@9.5", "python3@3.12.2", "poetry@1.8.2", "bash@5.2.15"] + development = ["bash@5.2.15", "coreutils-full@9.5", "cosign@~2.4.0", "grype@~0.80.2", "python3@~3.12.5", "poetry@~1.8.3"] runtime = ["cacert@3.95"] } diff --git a/python/bsf.lock b/python/bsf.lock index e97a395..db22107 100644 --- a/python/bsf.lock +++ b/python/bsf.lock 
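Review bot: `FROM ${BASE_IMAGE} as build` pairs an upper-case `FROM` with a lower-case `as`, which Docker's build checks report as a keyword casing mismatch. Write `FROM ${BASE_IMAGE} AS build`, which also matches the python-pip/Dockerfile hunk in this commit.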
@@ -216,16 +216,106 @@ }, "runtime": false }, + { + "package": { + "name": "cosign", + "revision": "2af19cfb6aa40768c4bbefd801a136270e099191", + "version": "2.4.0", + "description": "Container Signing CLI with support for ephemeral keys and Sigstore signing", + "homepage": "https://github.com/sigstore/cosign", + "free": true, + "spdx_id": "Apache-2.0", + "epoch_seconds": 1727301923, + "platforms": [ + "x86_64-darwin", + "i686-darwin", + "aarch64-darwin", + "armv7a-darwin", + "aarch64-linux", + "armv5tel-linux", + "armv6l-linux", + "armv7a-linux", + "armv7l-linux", + "i686-linux", + "loongarch64-linux", + "m68k-linux", + "microblaze-linux", + "microblazeel-linux", + "mips-linux", + "mips64-linux", + "mips64el-linux", + "mipsel-linux", + "powerpc64-linux", + "powerpc64le-linux", + "riscv32-linux", + "riscv64-linux", + "s390-linux", + "s390x-linux", + "x86_64-linux", + "wasm64-wasi", + "wasm32-wasi", + "i686-freebsd", + "x86_64-freebsd" + ], + "attr_name": "cosign" + }, + "runtime": false + }, + { + "package": { + "name": "grype", + "revision": "2af19cfb6aa40768c4bbefd801a136270e099191", + "version": "0.80.2", + "description": "Vulnerability scanner for container images and filesystems", + "homepage": "https://github.com/anchore/grype", + "free": true, + "spdx_id": "Apache-2.0", + "epoch_seconds": 1727301923, + "platforms": [ + "x86_64-darwin", + "i686-darwin", + "aarch64-darwin", + "armv7a-darwin", + "aarch64-linux", + "armv5tel-linux", + "armv6l-linux", + "armv7a-linux", + "armv7l-linux", + "i686-linux", + "loongarch64-linux", + "m68k-linux", + "microblaze-linux", + "microblazeel-linux", + "mips-linux", + "mips64-linux", + "mips64el-linux", + "mipsel-linux", + "powerpc64-linux", + "powerpc64le-linux", + "riscv32-linux", + "riscv64-linux", + "s390-linux", + "s390x-linux", + "x86_64-linux", + "wasm64-wasi", + "wasm32-wasi", + "i686-freebsd", + "x86_64-freebsd" + ], + "attr_name": "grype" + }, + "runtime": false + }, { "package": { "name": "poetry", - "revision": 
"d7570b04936e9b0f5268e0d834dee40368ad3308", - "version": "1.8.2", + "revision": "7445ccd775d8b892fc56448d17345443a05f7fb4", + "version": "1.8.3", "description": "Python dependency management and packaging made easy", "homepage": "https://python-poetry.org/", "free": true, "spdx_id": "MIT", - "epoch_seconds": 1709830921, + "epoch_seconds": 1716993062, "platforms": [ "aarch64-linux", "armv5tel-linux", @@ -264,13 +354,13 @@ { "package": { "name": "python3", - "revision": "d7570b04936e9b0f5268e0d834dee40368ad3308", - "version": "3.12.2", - "description": "A high-level dynamically-typed programming language", + "revision": "2af19cfb6aa40768c4bbefd801a136270e099191", + "version": "3.12.5", + "description": "High-level dynamically-typed programming language", "homepage": "https://www.python.org", "free": true, "spdx_id": "Python-2.0", - "epoch_seconds": 1709830921, + "epoch_seconds": 1727301923, "platforms": [ "aarch64-linux", "armv5tel-linux", @@ -300,9 +390,11 @@ "i686-cygwin", "x86_64-cygwin", "x86_64-windows", - "i686-windows" + "i686-windows", + "i686-freebsd", + "x86_64-freebsd" ], - "attr_name": "python312" + "attr_name": "python312Full" }, "runtime": false } diff --git a/python/bsf/flake.lock b/python/bsf/flake.lock index c1a9735..1bd1d11 100644 --- a/python/bsf/flake.lock +++ b/python/bsf/flake.lock @@ -18,6 +18,24 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "nix-github-actions": { "inputs": { "nixpkgs": [ 
@@ -39,18 +57,36 @@ "type": "github" } }, + "nix2container": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1724996935, + "narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=", + "owner": "nlewo", + "repo": "nix2container", + "rev": "fa6bb0a1159f55d071ba99331355955ae30b3401", + "type": "github" + }, + "original": { + "owner": "nlewo", + "repo": "nix2container", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1724819573, - "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=", - "owner": "nixos", + "lastModified": 1712920918, + "narHash": "sha256-1yxFvUcJfUphK9V91KufIQom7gCsztza0H4Rz2VCWUU=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "71e91c409d1e654808b2621f28a327acfdad8dc2", + "rev": "92323443a56f4e9fc4e4b712e3119f66d0969297", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "owner": "NixOS", "repo": "nixpkgs", "type": "github" } @@ -71,6 +107,22 @@ "type": "github" } }, + "nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191": { + "locked": { + "lastModified": 1727301923, + "narHash": "sha256-hZIzX7Qx9k1s+j5dDp20jgxJ0jTxX403/P6o1yJxi1k=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "2af19cfb6aa40768c4bbefd801a136270e099191", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "rev": "2af19cfb6aa40768c4bbefd801a136270e099191", + "type": "github" + } + }, "nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4": { "locked": { "lastModified": 1716993062, 
@@ -103,30 +155,30 @@ "type": "github" } }, - "nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308": { + "nixpkgs_2": { "locked": { - "lastModified": 1709830921, - "narHash": "sha256-B3vcPx6vEDgySFm6GaHZojpF/LEGVCoqRQNG4w8MqVg=", + "lastModified": 1724819573, + "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d7570b04936e9b0f5268e0d834dee40368ad3308", + "rev": "71e91c409d1e654808b2621f28a327acfdad8dc2", "type": "github" }, "original": { "owner": "nixos", + "ref": "nixos-unstable", "repo": "nixpkgs", - "rev": "d7570b04936e9b0f5268e0d834dee40368ad3308", "type": "github" } }, "poetry2nix": { "inputs": { - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nix-github-actions": "nix-github-actions", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_2", + "systems": "systems_3", "treefmt-nix": "treefmt-nix" }, "locked": { @@ -145,11 +197,12 @@ }, "root": { "inputs": { - "nixpkgs": "nixpkgs", + "nix2container": "nix2container", + "nixpkgs": "nixpkgs_2", "nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7": "nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7", + "nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191": "nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191", "nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4": "nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4", "nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14": "nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14", - "nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308": "nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308", "poetry2nix": "poetry2nix" } }, 
@@ -169,6 +222,21 @@ } }, "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", diff --git a/python/bsf/flake.nix b/python/bsf/flake.nix index 92b419c..d4108de 100644 --- a/python/bsf/flake.nix +++ b/python/bsf/flake.nix @@ -3,10 +3,10 @@ description = ""; inputs = { - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7.url = "github:nixos/nixpkgs/1ebb7d7bba2953a4223956cfb5f068b0095f84a7"; nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14.url = "github:nixos/nixpkgs/ac5c1886fd9fe49748d7ab80accc4c847481df14"; nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4.url = "github:nixos/nixpkgs/7445ccd775d8b892fc56448d17345443a05f7fb4"; - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308.url = "github:nixos/nixpkgs/d7570b04936e9b0f5268e0d834dee40368ad3308"; + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191.url = "github:nixos/nixpkgs/2af19cfb6aa40768c4bbefd801a136270e099191"; + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7.url = "github:nixos/nixpkgs/1ebb7d7bba2953a4223956cfb5f068b0095f84a7"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; @@ -21,6 +21,7 @@ + nix2container.url = "github:nlewo/nix2container"; }; outputs = inputs@{ self, nixpkgs, 
@@ -28,22 +29,22 @@ poetry2nix, - - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7, + nix2container , nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4, - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308, + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191, + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7, }: let supportedSystems = [ "x86_64-linux" "aarch64-darwin" "x86_64-darwin" "aarch64-linux" ]; forEachSupportedSystem = f: nixpkgs.lib.genAttrs supportedSystems (system: f { inherit system; - - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs = import nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7 { inherit system; }; + nix2containerPkgs = nix2container.packages.${system}; nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs = import nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14 { inherit system; }; nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs = import nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4 { inherit system; }; - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs = import nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308 { inherit system; }; + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs = import nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191 { inherit system; }; + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs = import nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7 { inherit system; }; pkgs = import nixpkgs { inherit system; }; 
@@ -52,39 +53,24 @@ }); in { - packages = forEachSupportedSystem ({ pkgs, - - mkPoetryApplication, - - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, - nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, - nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs, - ... }: { - default = pkgs.callPackage ./default.nix { - - inherit mkPoetryApplication; - - - }; - }); - devShells = forEachSupportedSystem ({ pkgs, mkPoetryApplication, - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs, + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, ... }: { devShell = pkgs.mkShell { # The Nix packages provided in the environment packages = [ nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.bash nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.coreutils-full - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.poetry - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.python312 + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.cosign + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.grype + nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.poetry + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.python312Full ]; }; 
@@ -94,7 +80,7 @@ mkPoetryApplication, - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs, ... }: { + nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, ... }: { runtime = pkgs.buildEnv { name = "runtimeenv"; paths = [ @@ -108,14 +94,16 @@ mkPoetryApplication, - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs, ... }: { + nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, ... }: { development = pkgs.buildEnv { name = "devenv"; paths = [ nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.bash nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.coreutils-full - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.poetry - nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.python312 + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.cosign + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.grype + nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.poetry + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.python312Full ]; }; 
@@ -123,5 +111,45 @@ + + +ociImage_python-dev = forEachSupportedSystem ({ pkgs, nix2containerPkgs, system , nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, ... }: { + + + + ociImage_python-dev_base = nix2containerPkgs.nix2container.buildImage { + name = "docker.io/holiodin01/python-base"; + config = { + cmd = [ ]; + entrypoint = [ ]; + env = [ + + ]; + ExposedPorts = { + + }; + }; + maxLayers = 100; + layers = [ + (nix2containerPkgs.nix2container.buildLayer { + copyToRoot = [ + inputs.self.runtimeEnvs.${system}.runtime +inputs.self.devEnvs.${system}.development + ]; + }) + + ]; + }; + + + + + ociImage_python-dev_base-as-dir = pkgs.runCommand "image-as-dir" { } "${inputs.self.ociImage_python-dev.${system}.ociImage_python-dev_base.copyTo}/bin/copy-to dir:$out"; + + }); + + + + }; } diff --git a/python/poetry.lock b/python/poetry.lock index fdcded8..eba05a8 100644 --- a/python/poetry.lock +++ b/python/poetry.lock 
@@ -109,82 +109,83 @@ i18n = ["Babel (>=2.7)"] [[package]] name = "markupsafe" -version = "2.1.5" +version = "3.0.1" description = "Safely add untrusted strings to HTML/XML markup." optional = false -python-versions = ">=3.7" +python-versions = ">=3.9" files = [ - {file = "MarkupSafe-2.1.5-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:a17a92de5231666cfbe003f0e4b9b3a7ae3afb1ec2845aadc2bacc93ff85febc"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:72b6be590cc35924b02c78ef34b467da4ba07e4e0f0454a2c5907f473fc50ce5"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e61659ba32cf2cf1481e575d0462554625196a1f2fc06a1c777d3f48e8865d46"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2174c595a0d73a3080ca3257b40096db99799265e1c27cc5a610743acd86d62f"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ae2ad8ae6ebee9d2d94b17fb62763125f3f374c25618198f40cbb8b525411900"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:075202fa5b72c86ad32dc7d0b56024ebdbcf2048c0ba09f1cde31bfdd57bcfff"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:598e3276b64aff0e7b3451b72e94fa3c238d452e7ddcd893c3ab324717456bad"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:fce659a462a1be54d2ffcacea5e3ba2d74daa74f30f5f143fe0c58636e355fdd"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-win32.whl", hash = "sha256:d9fad5155d72433c921b782e58892377c44bd6252b5af2f67f16b194987338a4"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-win_amd64.whl", hash = "sha256:bf50cd79a75d181c9181df03572cdce0fbb75cc353bc350712073108cba98de5"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:629ddd2ca402ae6dbedfceeba9c46d5f7b2a61d9749597d4307f943ef198fc1f"}, - {file = 
"MarkupSafe-2.1.5-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:5b7b716f97b52c5a14bffdf688f971b2d5ef4029127f1ad7a513973cfd818df2"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6ec585f69cec0aa07d945b20805be741395e28ac1627333b1c5b0105962ffced"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b91c037585eba9095565a3556f611e3cbfaa42ca1e865f7b8015fe5c7336d5a5"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7502934a33b54030eaf1194c21c692a534196063db72176b0c4028e140f8f32c"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:0e397ac966fdf721b2c528cf028494e86172b4feba51d65f81ffd65c63798f3f"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:c061bb86a71b42465156a3ee7bd58c8c2ceacdbeb95d05a99893e08b8467359a"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:3a57fdd7ce31c7ff06cdfbf31dafa96cc533c21e443d57f5b1ecc6cdc668ec7f"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-win32.whl", hash = "sha256:397081c1a0bfb5124355710fe79478cdbeb39626492b15d399526ae53422b906"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-win_amd64.whl", hash = "sha256:2b7c57a4dfc4f16f7142221afe5ba4e093e09e728ca65c51f5620c9aaeb9a617"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:8dec4936e9c3100156f8a2dc89c4b88d5c435175ff03413b443469c7c8c5f4d1"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:3c6b973f22eb18a789b1460b4b91bf04ae3f0c4234a0a6aa6b0a92f6f7b951d4"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ac07bad82163452a6884fe8fa0963fb98c2346ba78d779ec06bd7a6262132aee"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = 
"sha256:f5dfb42c4604dddc8e4305050aa6deb084540643ed5804d7455b5df8fe16f5e5"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ea3d8a3d18833cf4304cd2fc9cbb1efe188ca9b5efef2bdac7adc20594a0e46b"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:d050b3361367a06d752db6ead6e7edeb0009be66bc3bae0ee9d97fb326badc2a"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:bec0a414d016ac1a18862a519e54b2fd0fc8bbfd6890376898a6c0891dd82e9f"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:58c98fee265677f63a4385256a6d7683ab1832f3ddd1e66fe948d5880c21a169"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-win32.whl", hash = "sha256:8590b4ae07a35970728874632fed7bd57b26b0102df2d2b233b6d9d82f6c62ad"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-win_amd64.whl", hash = "sha256:823b65d8706e32ad2df51ed89496147a42a2a6e01c13cfb6ffb8b1e92bc910bb"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:c8b29db45f8fe46ad280a7294f5c3ec36dbac9491f2d1c17345be8e69cc5928f"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ec6a563cff360b50eed26f13adc43e61bc0c04d94b8be985e6fb24b81f6dcfdf"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a549b9c31bec33820e885335b451286e2969a2d9e24879f83fe904a5ce59d70a"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4f11aa001c540f62c6166c7726f71f7573b52c68c31f014c25cc7901deea0b52"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:7b2e5a267c855eea6b4283940daa6e88a285f5f2a67f2220203786dfa59b37e9"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:2d2d793e36e230fd32babe143b04cec8a8b3eb8a3122d2aceb4a371e6b09b8df"}, - {file 
= "MarkupSafe-2.1.5-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:ce409136744f6521e39fd8e2a24c53fa18ad67aa5bc7c2cf83645cce5b5c4e50"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-win32.whl", hash = "sha256:4096e9de5c6fdf43fb4f04c26fb114f61ef0bf2e5604b6ee3019d51b69e8c371"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-win_amd64.whl", hash = "sha256:4275d846e41ecefa46e2015117a9f491e57a71ddd59bbead77e904dc02b1bed2"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:656f7526c69fac7f600bd1f400991cc282b417d17539a1b228617081106feb4a"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:97cafb1f3cbcd3fd2b6fbfb99ae11cdb14deea0736fc2b0952ee177f2b813a46"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1f3fbcb7ef1f16e48246f704ab79d79da8a46891e2da03f8783a5b6fa41a9532"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fa9db3f79de01457b03d4f01b34cf91bc0048eb2c3846ff26f66687c2f6d16ab"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ffee1f21e5ef0d712f9033568f8344d5da8cc2869dbd08d87c84656e6a2d2f68"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:5dedb4db619ba5a2787a94d877bc8ffc0566f92a01c0ef214865e54ecc9ee5e0"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:30b600cf0a7ac9234b2638fbc0fb6158ba5bdcdf46aeb631ead21248b9affbc4"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:8dd717634f5a044f860435c1d8c16a270ddf0ef8588d4887037c5028b859b0c3"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-win32.whl", hash = "sha256:daa4ee5a243f0f20d528d939d06670a298dd39b1ad5f8a72a4275124a7819eff"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-win_amd64.whl", hash = "sha256:619bc166c4f2de5caa5a633b8b7326fbe98e0ccbfacabd87268a2b15ff73a029"}, - {file = 
"MarkupSafe-2.1.5-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:7a68b554d356a91cce1236aa7682dc01df0edba8d043fd1ce607c49dd3c1edcf"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:db0b55e0f3cc0be60c1f19efdde9a637c32740486004f20d1cff53c3c0ece4d2"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3e53af139f8579a6d5f7b76549125f0d94d7e630761a2111bc431fd820e163b8"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:17b950fccb810b3293638215058e432159d2b71005c74371d784862b7e4683f3"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4c31f53cdae6ecfa91a77820e8b151dba54ab528ba65dfd235c80b086d68a465"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:bff1b4290a66b490a2f4719358c0cdcd9bafb6b8f061e45c7a2460866bf50c2e"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:bc1667f8b83f48511b94671e0e441401371dfd0f0a795c7daa4a3cd1dde55bea"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:5049256f536511ee3f7e1b3f87d1d1209d327e818e6ae1365e8653d7e3abb6a6"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-win32.whl", hash = "sha256:00e046b6dd71aa03a41079792f8473dc494d564611a8f89bbbd7cb93295ebdcf"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-win_amd64.whl", hash = "sha256:fa173ec60341d6bb97a89f5ea19c85c5643c1e7dedebc22f5181eb73573142c5"}, - {file = "MarkupSafe-2.1.5.tar.gz", hash = "sha256:d283d37a890ba4c1ae73ffadf8046435c76e7bc2247bbb63c00bd1a709c6544b"}, + {file = "MarkupSafe-3.0.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:db842712984e91707437461930e6011e60b39136c7331e971952bb30465bc1a1"}, + {file = "MarkupSafe-3.0.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:3ffb4a8e7d46ed96ae48805746755fadd0909fea2306f93d5d8233ba23dda12a"}, + {file = 
"MarkupSafe-3.0.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:67c519635a4f64e495c50e3107d9b4075aec33634272b5db1cde839e07367589"}, + {file = "MarkupSafe-3.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:48488d999ed50ba8d38c581d67e496f955821dc183883550a6fbc7f1aefdc170"}, + {file = "MarkupSafe-3.0.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f31ae06f1328595d762c9a2bf29dafd8621c7d3adc130cbb46278079758779ca"}, + {file = "MarkupSafe-3.0.1-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:80fcbf3add8790caddfab6764bde258b5d09aefbe9169c183f88a7410f0f6dea"}, + {file = "MarkupSafe-3.0.1-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:3341c043c37d78cc5ae6e3e305e988532b072329639007fd408a476642a89fd6"}, + {file = "MarkupSafe-3.0.1-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:cb53e2a99df28eee3b5f4fea166020d3ef9116fdc5764bc5117486e6d1211b25"}, + {file = "MarkupSafe-3.0.1-cp310-cp310-win32.whl", hash = "sha256:db15ce28e1e127a0013dfb8ac243a8e392db8c61eae113337536edb28bdc1f97"}, + {file = "MarkupSafe-3.0.1-cp310-cp310-win_amd64.whl", hash = "sha256:4ffaaac913c3f7345579db4f33b0020db693f302ca5137f106060316761beea9"}, + {file = "MarkupSafe-3.0.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:26627785a54a947f6d7336ce5963569b5d75614619e75193bdb4e06e21d447ad"}, + {file = "MarkupSafe-3.0.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:b954093679d5750495725ea6f88409946d69cfb25ea7b4c846eef5044194f583"}, + {file = "MarkupSafe-3.0.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:973a371a55ce9ed333a3a0f8e0bcfae9e0d637711534bcb11e130af2ab9334e7"}, + {file = "MarkupSafe-3.0.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:244dbe463d5fb6d7ce161301a03a6fe744dac9072328ba9fc82289238582697b"}, + {file = 
"MarkupSafe-3.0.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d98e66a24497637dd31ccab090b34392dddb1f2f811c4b4cd80c230205c074a3"}, + {file = "MarkupSafe-3.0.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:ad91738f14eb8da0ff82f2acd0098b6257621410dcbd4df20aaa5b4233d75a50"}, + {file = "MarkupSafe-3.0.1-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:7044312a928a66a4c2a22644147bc61a199c1709712069a344a3fb5cfcf16915"}, + {file = "MarkupSafe-3.0.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:a4792d3b3a6dfafefdf8e937f14906a51bd27025a36f4b188728a73382231d91"}, + {file = "MarkupSafe-3.0.1-cp311-cp311-win32.whl", hash = "sha256:fa7d686ed9883f3d664d39d5a8e74d3c5f63e603c2e3ff0abcba23eac6542635"}, + {file = "MarkupSafe-3.0.1-cp311-cp311-win_amd64.whl", hash = "sha256:9ba25a71ebf05b9bb0e2ae99f8bc08a07ee8e98c612175087112656ca0f5c8bf"}, + {file = "MarkupSafe-3.0.1-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:8ae369e84466aa70f3154ee23c1451fda10a8ee1b63923ce76667e3077f2b0c4"}, + {file = "MarkupSafe-3.0.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:40f1e10d51c92859765522cbd79c5c8989f40f0419614bcdc5015e7b6bf97fc5"}, + {file = "MarkupSafe-3.0.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5a4cb365cb49b750bdb60b846b0c0bc49ed62e59a76635095a179d440540c346"}, + {file = "MarkupSafe-3.0.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ee3941769bd2522fe39222206f6dd97ae83c442a94c90f2b7a25d847d40f4729"}, + {file = "MarkupSafe-3.0.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:62fada2c942702ef8952754abfc1a9f7658a4d5460fabe95ac7ec2cbe0d02abc"}, + {file = "MarkupSafe-3.0.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:4c2d64fdba74ad16138300815cfdc6ab2f4647e23ced81f59e940d7d4a1469d9"}, + {file = "MarkupSafe-3.0.1-cp312-cp312-musllinux_1_2_i686.whl", hash = 
"sha256:fb532dd9900381d2e8f48172ddc5a59db4c445a11b9fab40b3b786da40d3b56b"}, + {file = "MarkupSafe-3.0.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:0f84af7e813784feb4d5e4ff7db633aba6c8ca64a833f61d8e4eade234ef0c38"}, + {file = "MarkupSafe-3.0.1-cp312-cp312-win32.whl", hash = "sha256:cbf445eb5628981a80f54087f9acdbf84f9b7d862756110d172993b9a5ae81aa"}, + {file = "MarkupSafe-3.0.1-cp312-cp312-win_amd64.whl", hash = "sha256:a10860e00ded1dd0a65b83e717af28845bb7bd16d8ace40fe5531491de76b79f"}, + {file = "MarkupSafe-3.0.1-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:e81c52638315ff4ac1b533d427f50bc0afc746deb949210bc85f05d4f15fd772"}, + {file = "MarkupSafe-3.0.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:312387403cd40699ab91d50735ea7a507b788091c416dd007eac54434aee51da"}, + {file = "MarkupSafe-3.0.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2ae99f31f47d849758a687102afdd05bd3d3ff7dbab0a8f1587981b58a76152a"}, + {file = "MarkupSafe-3.0.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c97ff7fedf56d86bae92fa0a646ce1a0ec7509a7578e1ed238731ba13aabcd1c"}, + {file = "MarkupSafe-3.0.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a7420ceda262dbb4b8d839a4ec63d61c261e4e77677ed7c66c99f4e7cb5030dd"}, + {file = "MarkupSafe-3.0.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:45d42d132cff577c92bfba536aefcfea7e26efb975bd455db4e6602f5c9f45e7"}, + {file = "MarkupSafe-3.0.1-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:4c8817557d0de9349109acb38b9dd570b03cc5014e8aabf1cbddc6e81005becd"}, + {file = "MarkupSafe-3.0.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:6a54c43d3ec4cf2a39f4387ad044221c66a376e58c0d0e971d47c475ba79c6b5"}, + {file = "MarkupSafe-3.0.1-cp313-cp313-win32.whl", hash = "sha256:c91b394f7601438ff79a4b93d16be92f216adb57d813a78be4446fe0f6bc2d8c"}, + {file = "MarkupSafe-3.0.1-cp313-cp313-win_amd64.whl", hash = 
"sha256:fe32482b37b4b00c7a52a07211b479653b7fe4f22b2e481b9a9b099d8a430f2f"}, + {file = "MarkupSafe-3.0.1-cp313-cp313t-macosx_10_13_universal2.whl", hash = "sha256:17b2aea42a7280db02ac644db1d634ad47dcc96faf38ab304fe26ba2680d359a"}, + {file = "MarkupSafe-3.0.1-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:852dc840f6d7c985603e60b5deaae1d89c56cb038b577f6b5b8c808c97580f1d"}, + {file = "MarkupSafe-3.0.1-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0778de17cff1acaeccc3ff30cd99a3fd5c50fc58ad3d6c0e0c4c58092b859396"}, + {file = "MarkupSafe-3.0.1-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:800100d45176652ded796134277ecb13640c1a537cad3b8b53da45aa96330453"}, + {file = "MarkupSafe-3.0.1-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d06b24c686a34c86c8c1fba923181eae6b10565e4d80bdd7bc1c8e2f11247aa4"}, + {file = "MarkupSafe-3.0.1-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:33d1c36b90e570ba7785dacd1faaf091203d9942bc036118fab8110a401eb1a8"}, + {file = "MarkupSafe-3.0.1-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:beeebf760a9c1f4c07ef6a53465e8cfa776ea6a2021eda0d0417ec41043fe984"}, + {file = "MarkupSafe-3.0.1-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:bbde71a705f8e9e4c3e9e33db69341d040c827c7afa6789b14c6e16776074f5a"}, + {file = "MarkupSafe-3.0.1-cp313-cp313t-win32.whl", hash = "sha256:82b5dba6eb1bcc29cc305a18a3c5365d2af06ee71b123216416f7e20d2a84e5b"}, + {file = "MarkupSafe-3.0.1-cp313-cp313t-win_amd64.whl", hash = "sha256:730d86af59e0e43ce277bb83970530dd223bf7f2a838e086b50affa6ec5f9295"}, + {file = "MarkupSafe-3.0.1-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:4935dd7883f1d50e2ffecca0aa33dc1946a94c8f3fdafb8df5c330e48f71b132"}, + {file = "MarkupSafe-3.0.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:e9393357f19954248b00bed7c56f29a25c930593a77630c719653d51e7669c2a"}, + {file = 
"MarkupSafe-3.0.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:40621d60d0e58aa573b68ac5e2d6b20d44392878e0bfc159012a5787c4e35bc8"}, + {file = "MarkupSafe-3.0.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f94190df587738280d544971500b9cafc9b950d32efcb1fba9ac10d84e6aa4e6"}, + {file = "MarkupSafe-3.0.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b6a387d61fe41cdf7ea95b38e9af11cfb1a63499af2759444b99185c4ab33f5b"}, + {file = "MarkupSafe-3.0.1-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:8ad4ad1429cd4f315f32ef263c1342166695fad76c100c5d979c45d5570ed58b"}, + {file = "MarkupSafe-3.0.1-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:e24bfe89c6ac4c31792793ad9f861b8f6dc4546ac6dc8f1c9083c7c4f2b335cd"}, + {file = "MarkupSafe-3.0.1-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:2a4b34a8d14649315c4bc26bbfa352663eb51d146e35eef231dd739d54a5430a"}, + {file = "MarkupSafe-3.0.1-cp39-cp39-win32.whl", hash = "sha256:242d6860f1fd9191aef5fae22b51c5c19767f93fb9ead4d21924e0bcb17619d8"}, + {file = "MarkupSafe-3.0.1-cp39-cp39-win_amd64.whl", hash = "sha256:93e8248d650e7e9d49e8251f883eed60ecbc0e8ffd6349e18550925e31bd029b"}, + {file = "markupsafe-3.0.1.tar.gz", hash = "sha256:3e683ee4f5d0fa2dde4db77ed8dd8a876686e3fc417655c2ece9a90576905344"}, ] [[package]] name = "packaging" -version = "24.0" +version = "24.1" description = "Core utilities for Python packages" optional = false -python-versions = ">=3.7" +python-versions = ">=3.8" files = [ - {file = "packaging-24.0-py3-none-any.whl", hash = "sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5"}, - {file = "packaging-24.0.tar.gz", hash = "sha256:eb82c5e3e56209074766e6885bb04b8c38a0c015d0a30036ebe7ece34c9989e9"}, + {file = "packaging-24.1-py3-none-any.whl", hash = "sha256:5b8f2217dbdbd2f7f384c41c628544e6d52f2d0f53c6d0c3ea61aa5d1d7ff124"}, + {file = "packaging-24.1.tar.gz", hash = 
"sha256:026ed72c8ed3fcce5bf8950572258698927fd1dbda10a5e981cdf0ac37f4f002"}, ] [[package]] @@ -270,13 +271,13 @@ files = [ [[package]] name = "werkzeug" -version = "3.0.3" +version = "3.0.4" description = "The comprehensive WSGI web application library." optional = false python-versions = ">=3.8" files = [ - {file = "werkzeug-3.0.3-py3-none-any.whl", hash = "sha256:fc9645dc43e03e4d630d23143a04a7f947a9a3b5727cd535fdfe155a17cc48c8"}, - {file = "werkzeug-3.0.3.tar.gz", hash = "sha256:097e5bfda9f0aba8da6b8545146def481d06aa7d3266e7448e2cccf67dd8bd18"}, + {file = "werkzeug-3.0.4-py3-none-any.whl", hash = "sha256:02c9eb92b7d6c06f31a782811505d2157837cea66aaede3e217c7c27c039476c"}, + {file = "werkzeug-3.0.4.tar.gz", hash = "sha256:34f2371506b250df4d4f84bfe7b0921e4762525762bbd936614909fe25cd7306"}, ] [package.dependencies] diff --git a/rust/Dockerfile b/rust/Dockerfile index 36f37c1..7784890 100644 --- a/rust/Dockerfile +++ b/rust/Dockerfile @@ -7,10 +7,13 @@ # Want to help us make this template better? Share your feedback here: https://forms.gle/ybq9Krt8jtBL3iCk7 ARG APP_NAME=rust-todo +ARG BASE_IMAGE=holiodin01/rust-base-dev@sha256:440df27515e7df74bf87d402d1a6b05e89194c589074f7db478042db6fd9f14b +ARG RUNTIME_IMAGE=holiodin01/rust-base-runtime@sha256:358e62768a95e793aee2d019b314967ef22bc48cb0aef878ff98ba6e6a2bdcce ############################# # Create a stage for building the application. -FROM holiodin01/rust-base-dev:v0.1.0 AS build +FROM ${BASE_IMAGE} AS build +# FROM holiodin01/rust-base-dev:v0.1.0 AS build RUN mkdir -p /tmp ARG APP_NAME WORKDIR /app @@ -28,7 +31,7 @@ cp ./target/release/$APP_NAME /bin/todo # image from the build stage where the necessary files are copied from the build # stage. -FROM holiodin01/rust-base-runtime:v0.1.0 AS final +FROM ${RUNTIME_IMAGE} AS final # Copy the executable from the "build" stage. COPY --from=build /bin/todo /bin/ diff --git a/rust/bsf.hcl b/rust/bsf.hcl index db21195..9dec15f 100644 --- a/rust/bsf.hcl +++ b/rust/bsf.hcl 
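Review bot: The digest pins in the new `ARG BASE_IMAGE=` and `ARG RUNTIME_IMAGE=` lines are only defaults, so any build that passes `--build-arg BASE_IMAGE=...` swaps the base image without touching this file. If the pin is meant to be enforced, write the digest directly in the two `FROM` lines, or have CI verify the resolved image before building. The new references also drop the `v0.1.0` tag, which makes it harder to audit which release a digest belongs to; the `name:v0.1.0@sha256:...` form keeps both. The commented-out `# FROM holiodin01/rust-base-dev:v0.1.0 AS build` should be deleted rather than left beside the live `FROM ${BASE_IMAGE} AS build`.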
@@ -1,13 +1,30 @@ packages { - development = ["coreutils-full@9.5", "bash@5.2.15", "cargo@1.75.0", "rustc@~1.73.0", "libiconv@~1.17", "clang-wrapper@~18.1.8"] + development = ["coreutils-full@9.5", "bash@5.2.15", "cargo@1.75.0", "rustc@~1.73.0", "grype@~0.80.2", "libiconv@~1.17", "clang-wrapper@~18.1.8"] runtime = ["cacert@3.95", "patchelf@~0.18.0-unstable-2024-06-15"] } +rustapp { + workspaceSrc = "./." + projectName = "rust-todo" + release = true + rustVersion = "1.75.0" + rustToolchain = "" + rustChannel = "" + rustProfile = "" + rootFeatures = null + fetchCrateAlternativeRegistry = "" + hostPlatformCPU = "" + hostPlatformFeatures = null + extraRustComponents = null + cargoUnstableFlags = null + rustcLinkFlags = null + rustcBuildFlags = null +} oci "rust-dev" { name = "docker.io/holiodin01/rust-base-dev" - layers = ["split(packages.runtime)", "split(packages.dev)"] + layers = ["packages.dev"] isBase = true cmd = [] entrypoint = [] @@ -15,10 +32,9 @@ oci "rust-dev" { exposedPorts = [] importConfigs = [] } - oci "rust-runtime" { name = "docker.io/holiodin01/rust-base-runtime" - layers = ["split(packages.runtime)", "split(packages.dev)"] + layers = ["packages.runtime"] isBase = true cmd = [] entrypoint = [] diff --git a/rust/bsf.lock b/rust/bsf.lock index 2cc85fb..6f02451 100644 --- a/rust/bsf.lock +++ b/rust/bsf.lock @@ -1,6 +1,6 @@ { "app": { - "name": "" + "name": "rust-todo" }, "packages": [ { 
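Review bot: The new `rustapp` block sets `rustVersion = "1.75.0"` while the `development` list in the same hunk still requests `rustc@~1.73.0` next to `cargo@1.75.0`, so the dev image and the Nix build of the app would use different compiler versions. Aligning the compiler entry with the other two, for example `"rustc@1.75.0"`, keeps the binary built inside the image comparable with the one the flake produces. Separately, `rust-dev` now lists only `"packages.dev"` while `cacert` sits in `runtime`. If the Dockerfile build stage fetches crates over HTTPS, confirm that a CA bundle is still present in that image.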
@@ -352,6 +352,51 @@ }, "runtime": false }, + { + "package": { + "name": "grype", + "revision": "2af19cfb6aa40768c4bbefd801a136270e099191", + "version": "0.80.2", + "description": "Vulnerability scanner for container images and filesystems", + "homepage": "https://github.com/anchore/grype", + "free": true, + "spdx_id": "Apache-2.0", + "epoch_seconds": 1727301923, + "platforms": [ + "x86_64-darwin", + "i686-darwin", + "aarch64-darwin", + "armv7a-darwin", + "aarch64-linux", + "armv5tel-linux", + "armv6l-linux", + "armv7a-linux", + "armv7l-linux", + "i686-linux", + "loongarch64-linux", + "m68k-linux", + "microblaze-linux", + "microblazeel-linux", + "mips-linux", + "mips64-linux", + "mips64el-linux", + "mipsel-linux", + "powerpc64-linux", + "powerpc64le-linux", + "riscv32-linux", + "riscv64-linux", + "s390-linux", + "s390x-linux", + "x86_64-linux", + "wasm64-wasi", + "wasm32-wasi", + "i686-freebsd", + "x86_64-freebsd" + ], + "attr_name": "grype" + }, + "runtime": false + }, { "package": { "name": "libiconv", diff --git a/rust/bsf/default.nix b/rust/bsf/default.nix index e69de29..2f0a44d 100644 --- a/rust/bsf/default.nix +++ b/rust/bsf/default.nix @@ -0,0 +1,4 @@ + + {pkgs,rustPkgs}: + (rustPkgs pkgs).workspace.rust-todo {} + \ No newline at end of file diff --git a/rust/bsf/flake.lock b/rust/bsf/flake.lock index 7dbb860..95e140b 100644 --- a/rust/bsf/flake.lock +++ b/rust/bsf/flake.lock 
@@ -1,9 +1,65 @@ { "nodes": { + "cargo2nix": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1705129117, + "narHash": "sha256-LgdDHibvimzYhxBK3kxCk2gAL7k4Hyigl5KI0X9cijA=", + "owner": "cargo2nix", + "repo": "cargo2nix", + "rev": "ae19a9e1f8f0880c088ea155ab66cee1fa001f59", + "type": "github" + }, + "original": { + "owner": "cargo2nix", + "ref": "release-0.11.0", + "repo": "cargo2nix", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, "locked": { "lastModified": 1710146030, "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", @@ -20,8 +76,8 @@ }, "nix2container": { "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs" + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1724996935, 
@@ -39,15 +95,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1712920918, - "narHash": "sha256-1yxFvUcJfUphK9V91KufIQom7gCsztza0H4Rz2VCWUU=", - "owner": "NixOS", + "lastModified": 1705099185, + "narHash": "sha256-SxJenKtvcrKJd0TyJQMO3p6VA7PEp+vmMnmlKFzWMNs=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "92323443a56f4e9fc4e4b712e3119f66d0969297", + "rev": "2bce5ccff0ad7abda23e8bb56434b6877a446694", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "nixos", + "ref": "release-23.11", "repo": "nixpkgs", "type": "github" } 
@@ -116,47 +173,58 @@ "type": "github" } }, - "nixpkgs-d919897915f0f91216d2501b617d670deee993a0": { - "locked": { - "lastModified": 1720764143, - "narHash": "sha256-7YeouCB08A2H7IrJGIdJwwUTlVnbh2vBZeNMw+STJzQ=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "d919897915f0f91216d2501b617d670deee993a0", - "type": "github" - }, - "original": { - "owner": "nixos", - "repo": "nixpkgs", - "rev": "d919897915f0f91216d2501b617d670deee993a0", - "type": "github" - } - }, "nixpkgs_2": { "locked": { - "lastModified": 1724819573, - "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=", - "owner": "nixos", + "lastModified": 1712920918, + "narHash": "sha256-1yxFvUcJfUphK9V91KufIQom7gCsztza0H4Rz2VCWUU=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "71e91c409d1e654808b2621f28a327acfdad8dc2", + "rev": "92323443a56f4e9fc4e4b712e3119f66d0969297", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "owner": "NixOS", "repo": "nixpkgs", "type": "github" } }, "root": { "inputs": { + "cargo2nix": "cargo2nix", "nix2container": "nix2container", - "nixpkgs": "nixpkgs_2", + "nixpkgs": [ + "cargo2nix", + "nixpkgs" + ], "nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7": "nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7", "nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4": "nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4", "nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746": "nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746", - "nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14": "nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14", - "nixpkgs-d919897915f0f91216d2501b617d670deee993a0": "nixpkgs-d919897915f0f91216d2501b617d670deee993a0" + "nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14": "nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14" + } + }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "cargo2nix", + "flake-utils" + ], + "nixpkgs": [ + "cargo2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1705112162, + "narHash": 
"sha256-IAM0+Uijh/fwlfoeDrOwau9MxcZW3zeDoUHc6Z3xfqM=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "9e0af26ffe52bf955ad5575888f093e41fba0104", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" } }, "systems": { @@ -173,6 +241,21 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/rust/bsf/flake.nix b/rust/bsf/flake.nix index 97e35f4..fe374fe 100644 --- a/rust/bsf/flake.nix +++ b/rust/bsf/flake.nix @@ -3,11 +3,12 @@ description = ""; inputs = { - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7.url = "github:nixos/nixpkgs/1ebb7d7bba2953a4223956cfb5f068b0095f84a7"; nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14.url = "github:nixos/nixpkgs/ac5c1886fd9fe49748d7ab80accc4c847481df14"; nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746.url = "github:nixos/nixpkgs/a731d0cb71c58f56895f71a5b02eda2962a46746"; nixpkgs-d919897915f0f91216d2501b617d670deee993a0.url = "github:nixos/nixpkgs/d919897915f0f91216d2501b617d670deee993a0"; nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4.url = "github:nixos/nixpkgs/7445ccd775d8b892fc56448d17345443a05f7fb4"; + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191.url = "github:nixos/nixpkgs/2af19cfb6aa40768c4bbefd801a136270e099191"; + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7.url = "github:nixos/nixpkgs/1ebb7d7bba2953a4223956cfb5f068b0095f84a7"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; @@ -15,6 +16,8 @@ + cargo2nix.url = "github:cargo2nix/cargo2nix/release-0.11.0"; + nixpkgs.follows = "cargo2nix/nixpkgs"; 
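Review bot: The added `nixpkgs.follows = "cargo2nix/nixpkgs";` overrides the `nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";` line that is still present a few lines above, leaving that line dead and misleading. flake.lock in this commit shows the effect: root `nixpkgs` now resolves through `cargo2nix` to a `release-23.11` revision, with `lastModified` 1705099185 against 1724819573 before. Everything taken from plain `pkgs` (`buildEnv`, `mkShell`, the `rustBuilder` toolchain) is therefore built from that older branch and only moves when that pin moves. Either delete the `nixpkgs.url` line and add a comment such as `# pkgs intentionally follows cargo2nix's nixpkgs (release-23.11)`, or keep `nixpkgs` on its own pin and set `cargo2nix.inputs.nixpkgs.follows = "nixpkgs";` if cargo2nix builds against it. The `inputs` block starts and ends outside this hunk.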
@@ -25,29 +28,49 @@ outputs = inputs@{ self, nixpkgs, - + cargo2nix, nix2container , - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14, nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746, nixpkgs-d919897915f0f91216d2501b617d670deee993a0, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4, + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191, + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7, }: let supportedSystems = [ "x86_64-linux" "aarch64-darwin" "x86_64-darwin" "aarch64-linux" ]; + rustPkgs = pkgs: pkgs.rustBuilder.makePackageSet { + packageFun = import ./Cargo.nix; + workspaceSrc = ../.; + + rustVersion = "1.75.0"; + + + + + + + + + + + + + }; forEachSupportedSystem = f: nixpkgs.lib.genAttrs supportedSystems (system: f { inherit system; nix2containerPkgs = nix2container.packages.${system}; - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs = import nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7 { inherit system; }; nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs = import nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14 { inherit system; }; nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs = import nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746 { inherit system; }; nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs = import nixpkgs-d919897915f0f91216d2501b617d670deee993a0 { inherit system; }; nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs = import nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4 { inherit system; }; + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs = import nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191 { inherit system; }; + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs = import nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7 { inherit system; }; - pkgs = import nixpkgs { inherit system; }; + pkgs = import nixpkgs { inherit system; overlays = [cargo2nix.overlays.default]; }; }); 
@@ -57,11 +80,12 @@ - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs, nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, + nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, ... }: { devShell = pkgs.mkShell { # The Nix packages provided in the environment @@ -70,6 +94,7 @@ nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs.cargo nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs.clang_18 nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.coreutils-full + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.grype nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs.libiconv nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.rustc @@ -81,7 +106,7 @@ - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs, nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, ... }: { + nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs, nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, ... }: { runtime = pkgs.buildEnv { name = "runtimeenv"; paths = [ 
@@ -96,7 +121,7 @@ - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs, nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, ... }: { + nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs, nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, ... }: { development = pkgs.buildEnv { name = "devenv"; paths = [ @@ -104,6 +129,7 @@ nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs.cargo nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs.clang_18 nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.coreutils-full + nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.grype nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs.libiconv nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.rustc @@ -115,7 +141,7 @@ -ociImage_rust-dev = forEachSupportedSystem ({ pkgs, nix2containerPkgs, system , nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs, nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, ... }: { +ociImage_rust-dev = forEachSupportedSystem ({ pkgs, nix2containerPkgs, system , nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs, nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, ... }: { 
@@ -135,35 +161,7 @@ ociImage_rust-dev = forEachSupportedSystem ({ pkgs, nix2containerPkgs, system , layers = [ (nix2containerPkgs.nix2container.buildLayer { copyToRoot = [ - nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs.cacert - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs.patchelfUnstable - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs.clang_18 - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.coreutils-full - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs.libiconv - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.rustc - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.bash - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs.cargo + inputs.self.devEnvs.${system}.development ]; }) 
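Review bot: The per-package layers removed here included `cacert` and `patchelfUnstable`, and the single layer that replaces them, `inputs.self.devEnvs.${system}.development`, carries only what the `development` buildEnv lists in `paths`; the part of that list visible in the `@@ -104,6 +129,7 @@` hunk goes from `libiconv` straight to `rustc`, and the start of the list is outside the diff. If `cacert` is not in `paths`, TLS clients inside the image have no CA bundle to verify against, so confirm both packages are still present. The same applies to the `ociImage_rust-runtime` hunk at `@@ -197,35 +195,7 @@`, which swaps its layers for `inputs.self.runtimeEnvs.${system}.runtime`. A comment above the layer such as `# image contents are defined by devEnvs.development; add packages there, not here` would keep the two in step. The `ociImage_rust-dev` definition starts and ends outside this hunk.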
@@ -177,7 +175,7 @@ ociImage_rust-dev = forEachSupportedSystem ({ pkgs, nix2containerPkgs, system , }); -ociImage_rust-runtime = forEachSupportedSystem ({ pkgs, nix2containerPkgs, system , nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs, nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, ... }: { +ociImage_rust-runtime = forEachSupportedSystem ({ pkgs, nix2containerPkgs, system , nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs, nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs, nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, ... }: { 
@@ -197,35 +195,7 @@ ociImage_rust-runtime = forEachSupportedSystem ({ pkgs, nix2containerPkgs, syste layers = [ (nix2containerPkgs.nix2container.buildLayer { copyToRoot = [ - nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs.patchelfUnstable - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs.cacert - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.bash - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs.cargo - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-d919897915f0f91216d2501b617d670deee993a0-pkgs.clang_18 - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.coreutils-full - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-a731d0cb71c58f56895f71a5b02eda2962a46746-pkgs.libiconv - ]; - }) (nix2containerPkgs.nix2container.buildLayer { - copyToRoot = [ - nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.rustc + inputs.self.runtimeEnvs.${system}.runtime ]; }) diff --git a/rust/output-folder b/rust/output-folder new file mode 100644 index 0000000..e69de29