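# SPDX-License-Identifier: PMPL-1.0-or-later
# stapeln.toml — Layer-based container build for http-capability-gateway
#
# stapeln builds containers as composable layers (German: "to stack").
# Each layer is independently cacheable, verifiable, and signable.
#
# Layer graph as declared below (via `extends` / `copy-from`):
#   base -> elixir-toolchain -> elixir-deps -> build
#   runtime (fresh base image; copies /app from `build`)

[metadata]
name = "http-capability-gateway"
version = "0.1.0"
description = "http-capability-gateway container service"
author = "Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>"
license = "PMPL-1.0-or-later"
# Registry the final image is published to.
registry = "ghcr.io/hyperpolymath"

[build]
containerfile = "Containerfile"
context = "."
runtime = "podman"

# ── Layer Definitions ──────────────────────────────────────────

[layers.base]
description = "Chainguard Wolfi minimal base"
# NOTE(review): `latest` is a mutable tag, so two builds can resolve to
# different images and `verify` below attests whatever happened to be current.
# Pin to an immutable digest (…:latest@sha256:<DIGEST>); the digest is a
# build-time value and is not recorded in this file.
from = "cgr.dev/chainguard/wolfi-base:latest"
cache = true
verify = true

[layers.elixir-toolchain]
description = "Elixir/OTP runtime"
extends = "base"
packages = ["erl27-elixir-1.18", "erlang-27", "git", "build-base"]
cache = true

[layers.elixir-deps]
description = "Mix dependency fetch"
extends = "elixir-toolchain"
env = { MIX_ENV = "prod" }
commands = [
    "mix local.hex --force",
    "mix local.rebar --force",
    "mix deps.get --only prod",
    "mix compile",
]
# Presumably invalidates this layer's cache when the lockfile changes —
# confirm against stapeln's cache-key semantics.
cache-key = "mix.lock"
cache = true

[layers.build]
description = "http-capability-gateway Elixir release"
extends = "elixir-deps"
commands = ["mix release"]
artifacts = [
    { src = "_build/prod/rel/http-capability-gateway", dst = "/app/http-capability-gateway/" },
]

[layers.runtime]
description = "Minimal runtime"
# Same unpinned tag as layers.base; see the note there.
from = "cgr.dev/chainguard/wolfi-base:latest"
# `curl` is a general-purpose network client inside the shipped image; keep it
# only if a health check or probe actually depends on it.
packages = ["ca-certificates", "curl"]
copy-from = [
    { layer = "build", src = "/app/", dst = "/app/" },
]
# Fixed: the original line nested quotes (`["["bin/…", "start"]"]`) and was
# not valid TOML. The path is relative and no working directory is set in this
# file — presumably it is resolved against the artifact dst above
# (/app/http-capability-gateway/); confirm in the Containerfile.
entrypoint = ["bin/http_capability_gateway", "start"]
# This file does not create the account; it must exist in the base image or be
# added by the Containerfile — confirm.
user = "gateway"
expose = [4000]
env = { MIX_ENV = "prod" }

# ── Security ───────────────────────────────────────────────────

[security]
non-root = true
# Root filesystem stays writable. If the release tolerates it, prefer `true`
# with a writable mount only where the release needs one.
read-only-root = false
no-new-privileges = true
cap-drop = ["ALL"]
seccomp-profile = "default"

[security.signing]
algorithm = "ML-DSA-87"
provider = "cerro-torre"

[security.sbom]
format = "spdx-json"
output = "sbom.spdx.json"
include-deps = true

# ── Verification ───────────────────────────────────────────────

[verify]
vordr = true
svalinn = true
scan-on-build = true
# Finding severities that fail the build (assumed — confirm against the
# scanner's semantics).
fail-on = ["critical", "high"]

# ── Targets ────────────────────────────────────────────────────

# Lists `build` but not the `elixir-deps` layer it extends — presumably stapeln
# resolves `extends` transitively; confirm.
[targets.development]
layers = ["base", "elixir-toolchain", "build"]
env = { LOG_LEVEL = "debug" }

# Ships only the runtime layer; it depends on `build` via copy-from — confirm
# stapeln resolves that transitively rather than requiring it listed here.
[targets.production]
layers = ["runtime"]
env = { LOG_LEVEL = "info" }

# Identical to targets.development at present.
[targets.test]
layers = ["base", "elixir-toolchain", "build"]
env = { LOG_LEVEL = "debug" }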