# SPDX-License-Identifier: PMPL-1.0-or-later
# stapeln.toml — Layer-based container build for echidna
#
# stapeln builds containers as composable layers (German: "to stack").
# Each layer is independently cacheable, verifiable, and signable.
[metadata]
# Image identity and provenance. `registry` is the publishing namespace;
# `license` and `author` are carried into the SBOM/signature metadata
# (presumably — stapeln's handling of these keys is not visible here).
name = "echidna"
version = "0.1.0"
description = "echidna container service"
license = "PMPL-1.0-or-later"
author = "Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>"
registry = "ghcr.io/hyperpolymath"
[build]
# Build driver and inputs. Everything under `context` is visible to the
# build, so keep secrets and local `target/` out of it (e.g. a .containerignore).
runtime = "podman"
containerfile = "Containerfile"
context = "."
# ── Layer Definitions ──────────────────────────────────────────
[layers.base]
description = "Chainguard Wolfi minimal base"
# NOTE(review): `latest` is a mutable tag, so two builds can start from
# different images and `verify` only attests to whatever `latest` points
# at today. Pin to an immutable digest (wolfi-base@sha256:...) so the
# base is reproducible and the verification result is stable.
from = "cgr.dev/chainguard/wolfi-base:latest"
verify = true
cache = true
[layers.rust-toolchain]
description = "Rust compiler and build dependencies"
extends = "base"
# Wolfi (apk) packages. These live only in build-side layers: the runtime
# layer starts from a fresh base and copies just /app, so no compiler
# ends up in the shipped image.
packages = ["rust", "pkgconf", "build-base"]
cache = true
[layers.rust-deps]
description = "Cargo dependency fetch"
extends = "rust-toolchain"
# Cache keyed on the lockfile, so (presumably) crates are re-fetched only
# when Cargo.lock changes. `--locked` makes cargo fail if Cargo.lock is
# out of date instead of silently resolving newer versions.
cache-key = "Cargo.lock"
commands = ["cargo fetch --locked"]
cache = true
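[layers.build]
description = "echidna Rust compilation"
extends = "rust-deps"
# `--locked` matches the fetch layer: cargo refuses to rewrite Cargo.lock,
# so the compiled dependency graph is exactly the one that was fetched and
# cached. Without it a stale lockfile would be silently re-resolved here,
# bypassing the pinned dependencies. `--frozen` (adds `--offline`) is a
# stricter option once the fetch layer is known to cover every target.
commands = ["cargo build --release --locked"]
# The binary is placed under /app/bin so it matches the runtime layer's
# entrypoint and the /app/bin entry on its PATH.
artifacts = [
  { src = "target/release/echidna", dst = "/app/bin/echidna" },
]
[layers.runtime]
description = "Minimal runtime"
# NOTE(review): mutable `latest` tag; pin to an immutable digest
# (wolfi-base@sha256:...) so the published image is reproducible.
from = "cgr.dev/chainguard/wolfi-base:latest"
# curl widens the attack surface of a minimal image (a ready-made exfil
# tool if the service is compromised); keep it only if a healthcheck needs it.
packages = ["ca-certificates", "curl"]
copy-from = [
  { layer = "build", src = "/app/", dst = "/app/" },
]
# Was `["["/app/bin/echidna"]"]`, which is not valid TOML. The path must
# agree with the build layer's artifact destination above.
entrypoint = ["/app/bin/echidna"]
# Assumes stapeln creates this account; wolfi-base does not ship an
# `echidna` user — confirm, otherwise the container fails to start.
user = "echidna"
expose = [8081]
# TOML has no interpolation: `${PATH}` is a literal string here and relies
# on stapeln / the container runtime expanding it at ENV time — confirm.
# NOTE(review): nothing in this file installs anything under /opt (elan
# toolchains, provers), so these entries point at empty paths as written.
env = { PATH = "/app/bin:/opt/elan/toolchains/stable/bin:${PATH}", ECHIDNA_PROVER_PATH = "/opt" }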
# ── Security ───────────────────────────────────────────────────
[security]
# Runtime hardening applied to the produced container.
cap-drop = ["ALL"]
no-new-privileges = true
non-root = true
seccomp-profile = "default"
# Deliberately left writable. With every capability dropped, a read-only
# root filesystem (plus tmpfs for whatever scratch paths echidna needs) is
# the natural complement; flip this once those paths are known.
read-only-root = false
[security.signing]
# Post-quantum signature scheme (FIPS 204 ML-DSA, parameter set 87).
algorithm = "ML-DSA-87"
provider = "cerro-torre"
[security.sbom]
format = "spdx-json"
output = "sbom.spdx.json"
# Presumably lists transitive dependencies as well as direct ones.
include-deps = true
# ── Verification ───────────────────────────────────────────────
[verify]
# Build gates. Both verifiers run on every build; any finding rated
# critical or high fails the build (lower severities presumably only report).
scan-on-build = true
fail-on = ["critical", "high"]
vordr = true
svalinn = true
# ── Targets ────────────────────────────────────────────────────
[targets.development]
# NOTE(review): `rust-deps`, which `build` extends, is not listed here;
# presumably stapeln resolves `extends` chains itself — confirm.
layers = ["base", "rust-toolchain", "build"]
env = { LOG_LEVEL = "debug" }
[targets.test]
# Currently identical to development.
layers = ["base", "rust-toolchain", "build"]
env = { LOG_LEVEL = "debug" }
[targets.production]
# Only the runtime layer is shipped (it copies /app from `build`), so no
# toolchain or debug logging reaches the published image.
layers = ["runtime"]
env = { LOG_LEVEL = "info" }