|
| 1 | +# SPDX-License-Identifier: PMPL-1.0-or-later |
| 2 | +# stapeln.toml — Layer-based container build for zerostep |
| 3 | +# |
| 4 | +# stapeln builds containers as composable layers (German: "to stack"). |
| 5 | +# Each layer is independently cacheable, verifiable, and signable. |
| 6 | + |
| 7 | +[metadata] |
| 8 | +name = "zerostep" |
| 9 | +version = "0.1.0" |
| 10 | +description = "zerostep container service" |
| 11 | +author = "Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>" |
| 12 | +license = "PMPL-1.0-or-later" |
| 13 | +registry = "ghcr.io/hyperpolymath" |
| 14 | + |
| 15 | +[build] |
| 16 | +containerfile = "Containerfile" |
| 17 | +context = "." |
| 18 | +runtime = "podman" |
| 19 | + |
| 20 | +# ── Layer Definitions ────────────────────────────────────────── |
| 21 | + |
| 22 | +[layers.base] |
| 23 | +description = "Chainguard Wolfi minimal base" |
| 24 | +from = "cgr.dev/chainguard/wolfi-base:latest" |
| 25 | +cache = true |
| 26 | +verify = true |
| 27 | + |
| 28 | +[layers.rust-toolchain] |
| 29 | +description = "Rust compiler and build dependencies" |
| 30 | +extends = "base" |
| 31 | +packages = ["rust", "pkgconf", "build-base"] |
| 32 | +cache = true |
| 33 | + |
| 34 | +[layers.rust-deps] |
| 35 | +description = "Cargo dependency fetch" |
| 36 | +extends = "rust-toolchain" |
| 37 | +commands = ["cargo fetch --locked"] |
| 38 | +cache-key = "Cargo.lock" |
| 39 | +cache = true |
| 40 | + |
| 41 | +[layers.build] |
| 42 | +description = "zerostep Rust compilation" |
| 43 | +extends = "rust-deps" |
| 44 | +commands = ["cargo build --release"] |
| 45 | +artifacts = [ |
| 46 | + { src = "target/release/zerostep", dst = "/app/zerostep" }, |
| 47 | +] |
| 48 | + |
| 49 | +[layers.runtime] |
| 50 | +description = "Minimal runtime" |
| 51 | +from = "cgr.dev/chainguard/wolfi-base:latest" |
| 52 | +packages = ["ca-certificates", "curl"] |
| 53 | +copy-from = [ |
| 54 | + { layer = "build", src = "/app/", dst = "/app/" }, |
| 55 | +] |
| 56 | +entrypoint = ["["/app/vae-normalizer"]"] |
| 57 | +user = "vae" |
| 58 | + |
| 59 | +# ── Security ─────────────────────────────────────────────────── |
| 60 | + |
| 61 | +[security] |
| 62 | +non-root = true |
| 63 | +read-only-root = false |
| 64 | +no-new-privileges = true |
| 65 | +cap-drop = ["ALL"] |
| 66 | +seccomp-profile = "default" |
| 67 | + |
| 68 | +[security.signing] |
| 69 | +algorithm = "ML-DSA-87" |
| 70 | +provider = "cerro-torre" |
| 71 | + |
| 72 | +[security.sbom] |
| 73 | +format = "spdx-json" |
| 74 | +output = "sbom.spdx.json" |
| 75 | +include-deps = true |
| 76 | + |
| 77 | +# ── Verification ─────────────────────────────────────────────── |
| 78 | + |
| 79 | +[verify] |
| 80 | +vordr = true |
| 81 | +svalinn = true |
| 82 | +scan-on-build = true |
| 83 | +fail-on = ["critical", "high"] |
| 84 | + |
| 85 | +# ── Targets ──────────────────────────────────────────────────── |
| 86 | + |
| 87 | +[targets.development] |
| 88 | +layers = ["base", "rust-toolchain", "build"] |
| 89 | +env = { LOG_LEVEL = "debug" } |
| 90 | + |
| 91 | +[targets.production] |
| 92 | +layers = ["runtime"] |
| 93 | +env = { LOG_LEVEL = "info" } |
| 94 | + |
| 95 | +[targets.test] |
| 96 | +layers = ["base", "rust-toolchain", "build"] |
| 97 | +env = { LOG_LEVEL = "debug" } |
0 commit comments