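--- a/stapeln.toml
+++ b/stapeln.toml
@@ -0,0 +1,90 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# stapeln.toml — Layer-based container build for universal-language-server-plugin
+#
+# stapeln builds containers as composable layers (German: "to stack").
+# Each layer is independently cacheable, verifiable, and signable.
+
+[metadata]
+name = "universal-language-server-plugin"
+version = "0.1.0"
+description = "universal language server plugin"
+author = "Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>"
+license = "PMPL-1.0-or-later"
+registry = "ghcr.io/hyperpolymath"
+
+[build]
+containerfile = "Containerfile"
+context = "."
+runtime = "podman"
+
+# ── Layer Definitions ──────────────────────────────────────────
+
+[layers.base]
+description = "Chainguard Wolfi minimal base"
+from = "cgr.dev/chainguard/wolfi-base:latest"
+cache = true
+verify = true
+
+[layers.toolchain]
+description = "Build tools and dependencies"
+extends = "base"
+packages = ["julia"]
+cache = true
+
+[layers.build]
+description = "universal-language-server-plugin build"
+extends = "toolchain"
+commands = ["julia --project=. -e \"using Pkg; Pkg.instantiate()\""]
+
+[layers.runtime]
+description = "Minimal runtime"
+from = "cgr.dev/chainguard/wolfi-base:latest"
+packages = ["ca-certificates", "curl"]
+copy-from = [
+ { layer = "build", src = "/app/", dst = "/app/" },
+]
+entrypoint = ["/app/bin/universal-language-server-plugin"]
+user = "nonroot"
+
+# ── Security ───────────────────────────────────────────────────
+
+[security]
+non-root = true
+read-only-root = false
+no-new-privileges = true
+cap-drop = ["ALL"]
+seccomp-profile = "default"
+
+[security.signing]
+algorithm = "ML-DSA-87"
+provider = "cerro-torre"
+
+[security.sbom]
+format = "spdx-json"
+output = "sbom.spdx.json"
+include-deps = true
+
+# ── Verification ──────────────────────────────────────────────
+
+[verify]
+vordr = true
+svalinn = true
+scan-on-build = true
+fail-on = ["critical", "high"]
+
+# ── Targets ───────────────────────────────────────────────────
+
+[targets.development]
+description = "Full development environment"
+layers = ["base", "toolchain", "build"]
+env = { LOG_LEVEL = "debug" }
+
+[targets.production]
+description = "Production deployment"
+layers = ["runtime"]
+env = { LOG_LEVEL = "info" }
+
+[targets.test]
+description = "Test environment"
+layers = ["base", "toolchain", "build"]
+env = { LOG_LEVEL = "debug" }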
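Review bot: Both `[layers.base]` and `[layers.runtime]` pull `cgr.dev/chainguard/wolfi-base:latest`, a floating tag, which contradicts the header's claim that each layer is "independently cacheable, verifiable, and signable" — `verify = true` and the ML-DSA-87 signature attest to whatever the tag resolved to on that build, and a cache hit can silently pin a different base than the SBOM describes. Pin both `from` values to an immutable reference, e.g. `from = "cgr.dev/chainguard/wolfi-base:<TAG>@sha256:<DIGEST-PLACEHOLDER>"` (placeholder: substitute the digest recorded in the SBOM), and treat the tag as documentation only. `read-only-root = false` in `[security]` is the one hardening flag that is relaxed and has no comment saying why; add one above it such as `# read-only-root disabled: <reason> — revisit once writable paths are known`, or enable it with explicit tmpfs/volume mounts. Separately, the runtime layer's `copy-from` expects `/app/` in the `build` layer, but nothing in this file produces `/app/` (the build command only runs `Pkg.instantiate()` in `.`) and the runtime layer does not install `julia`; presumably the Containerfile handles this — worth a comment on `copy-from` confirming where `/app/bin/universal-language-server-plugin` comes from.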