replace oci_pull with pure starlark

.github/workflows/main.yaml

@@ -16,7 +16,5 @@ jobs:
       - run: mkdir -p ~/.local/bin
       - run: echo -e "#!/usr/bin/env bash\n echo '{\"ServerURL\":\"ghcr.io\",\"Username\":\"Bearer\",\"Secret\":\"${{ secrets.GITHUB_TOKEN }}\"}'" > ~/.local/bin/docker-credential-ghcr
       - run: chmod +x ~/.local/bin/docker-credential-ghcr
-      # Setup local toolchain
-      - run: bazel build --config=ci //go/cmd/ocitool:ocitool && cp bazel-bin/go/cmd/ocitool/ocitool_/ocitool bin/ocitool-linux-amd64
       # Run all tests
       - run: bazel test --config=ci //...

BUILD.bazel

@@ -1,7 +1,5 @@
-load("@aspect_bazel_lib//lib:write_source_files.bzl", "write_source_files")
 load("@gazelle//:def.bzl", "DEFAULT_LANGUAGES", "gazelle", "gazelle_binary")
 load("@npm//:defs.bzl", "npm_link_all_packages")
-load("//oci:toolchain.bzl", "oci_local_toolchain")
 
 # gazelle:prefix github.com/DataDog/rules_oci
 # gazelle:go_naming_convention go_default_library
@@ -11,8 +9,9 @@ npm_link_all_packages(
     name = "node_modules",
 )
 
-oci_local_toolchain(
-    name = "oci_local_toolchain",
+alias(
+    name = "format",
+    actual = "//tools/format",
 )
 
 gazelle(
@@ -32,23 +31,6 @@ alias(
     actual = "@io_bazel_rules_go//go",
 )
 
-write_source_files(
-    name = "bootstrap",
-    diff_test = False,
-    executable = True,
-    files = {
-        "bin/ocitool-darwin-amd64": "//go/cmd/ocitool",
-        "bin/ocitool-darwin-arm64": "//go/cmd/ocitool",
-        "bin/ocitool-linux-amd64": "//go/cmd/ocitool",
-        "bin/ocitool-linux-arm64": "//go/cmd/ocitool",
-    },
-)
-
-alias(
-    name = "format",
-    actual = "//tools/format",
-)
-
 exports_files(
     ["WORKSPACE"],
     visibility = ["//visibility:public"],

MODULE.bazel

@@ -29,7 +29,6 @@ use_repo(
     go_deps,
     "com_github_blakesmith_ar",
     "com_github_containerd_containerd",
-    "com_github_containerd_log",
     "com_github_docker_docker_credential_helpers",
     "com_github_mitchellh_go_homedir",
     "com_github_opencontainers_go_digest",
@@ -38,7 +37,6 @@ use_repo(
     "com_github_stretchr_testify",
     "com_github_urfave_cli_v2",
     "land_oras_oras_go",
-    "org_golang_x_sync",
 )
 go_deps.module_override(
     patch_strip = 1,
@@ -54,14 +52,10 @@ oci_pull(
     name = "ubuntu_noble",
     # "noble" tag as of 2024-12-30
     digest = "sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab",
-    registry = "mirror.gcr.io",
+    registry = "docker.io",
     repository = "library/ubuntu",
 )
 
-register_toolchains(
-    "@com_github_datadog_rules_oci//:oci_local_toolchain",
-)
-
 node = use_extension("@rules_nodejs//nodejs:extensions.bzl", "node", dev_dependency = True)
 node.toolchain(node_version = "16.14.2")
 

README.md

@@ -94,20 +94,14 @@ base images.
 
 ### Developing
 
-#### Updating dependencies
+#### Run the tests
 
-Run `bzl run //:go -- get DEPENDENCY`
+Run `bazel test //...`
 
-#### Tests
+#### Update the docs
 
-Run the tests using
+Run `bzl run //docs:update`
 
-```
-bazel run //:bootstrap
-bazel test //...
-```
+#### Update go dependencies
 
-You will also need to make it possible for docker to access `ghcr.io` (see the code in
-[.github/workflows/main.yaml](.github/workflows/main.yaml) for what we do in CI; an equivalent
-method for local build using the [gh CLI](https://github.com/cli/cli) can be found
-[here](https://gist.github.com/mislav/e154d707db230dc882d7194ec85d79f6)).
+Run `bzl run //:go -- get DEPENDENCY`

docs/defs.md

@@ -50,31 +50,6 @@ oci_image_index(<a href="#oci_image_index-name">name</a>, <a href="#oci_image_in
 | <a id="oci_image_index-manifests"></a>manifests |  -   | <a href="https://bazel.build/concepts/labels">List of labels</a> | optional |  `[]`  |
 
 
-<a id="oci_image_layout"></a>
-
-## oci_image_layout
-
-<pre>
-oci_image_layout(<a href="#oci_image_layout-name">name</a>, <a href="#oci_image_layout-manifest">manifest</a>)
-</pre>
-
-Writes an OCI Image Index and related blobs to an OCI Image Format
-directory. See https://github.com/opencontainers/image-spec/blob/main/image-layout.md
-for the specification of the OCI Image Format directory.
-
-All blobs must be provided in the manifest's OCILayout provider, in the
-files attribute. If blobs are missing, creation of the OCI Image Layout
-will fail.
-
-**ATTRIBUTES**
-
-
-| Name  | Description | Type | Mandatory | Default |
-| :------------- | :------------- | :------------- | :------------- | :------------- |
-| <a id="oci_image_layout-name"></a>name |  A unique name for this target.   | <a href="https://bazel.build/concepts/labels#target-names">Name</a> | required |  |
-| <a id="oci_image_layout-manifest"></a>manifest |  An OCILayout index to be written to the OCI Image Format directory.   | <a href="https://bazel.build/concepts/labels">Label</a> | optional |  `None`  |
-
-
 <a id="oci_push"></a>
 
 ## oci_push
@@ -123,3 +98,60 @@ oci_image_layer
 | <a id="oci_image_layer-kwargs"></a>kwargs |  Additional arguments to pass to the rule, e.g. `tags` or `visibility`   |  none |
 
 
+<a id="oci_image_layout"></a>
+
+## oci_image_layout
+
+<pre>
+oci_image_layout(<a href="#oci_image_layout-name">name</a>, <a href="#oci_image_layout-image_index">image_index</a>, <a href="#oci_image_layout-gzip">gzip</a>, <a href="#oci_image_layout-kwargs">kwargs</a>)
+</pre>
+
+Creates targets for an OCI Image Layout directory and a tar file
+
+See https://github.com/opencontainers/image-spec/blob/main/image-layout.md
+for the specification of the OCI Image Format directory.
+
+
+**PARAMETERS**
+
+
+| Name  | Description | Default Value |
+| :------------- | :------------- | :------------- |
+| <a id="oci_image_layout-name"></a>name |  A unique name for the rule   |  none |
+| <a id="oci_image_layout-image_index"></a>image_index |  An oci_image_index label   |  none |
+| <a id="oci_image_layout-gzip"></a>gzip |  If true, creates a tar.gz file. If false, creates a tar file   |  `True` |
+| <a id="oci_image_layout-kwargs"></a>kwargs |  Additional arguments to pass to the underlying rules, e.g. tags or visibility   |  none |
+
+
+<a id="oci_pull"></a>
+
+## oci_pull
+
+<pre>
+oci_pull(<a href="#oci_pull-name">name</a>, <a href="#oci_pull-debug">debug</a>, <a href="#oci_pull-digest">digest</a>, <a href="#oci_pull-registry">registry</a>, <a href="#oci_pull-repo_mapping">repo_mapping</a>, <a href="#oci_pull-repository">repository</a>, <a href="#oci_pull-scheme">scheme</a>, <a href="#oci_pull-shallow">shallow</a>)
+</pre>
+
+**ATTRIBUTES**
+
+
+| Name  | Description | Type | Mandatory | Default |
+| :------------- | :------------- | :------------- | :------------- | :------------- |
+| <a id="oci_pull-name"></a>name |  A unique name for this repository.   | <a href="https://bazel.build/concepts/labels#target-names">Name</a> | required |  |
+| <a id="oci_pull-debug"></a>debug |  Deprecated. Does nothing   | Boolean | optional |  `False`  |
+| <a id="oci_pull-digest"></a>digest |  The digest or tag of the manifest file   | String | required |  |
+| <a id="oci_pull-registry"></a>registry |  Remote registry host to pull from, e.g. `gcr.io` or `index.docker.io`   | String | required |  |
+| <a id="oci_pull-repo_mapping"></a>repo_mapping |  In `WORKSPACE` context only: a dictionary from local repository name to global repository name. This allows controls over workspace dependency resolution for dependencies of this repository.<br><br>For example, an entry `"@foo": "@bar"` declares that, for any time this repository depends on `@foo` (such as a dependency on `@foo//some:target`, it should actually resolve that dependency within globally-declared `@bar` (`@bar//some:target`).<br><br>This attribute is _not_ supported in `MODULE.bazel` context (when invoking a repository rule inside a module extension's implementation function).   | <a href="https://bazel.build/rules/lib/dict">Dictionary: String -> String</a> | optional |  |
+| <a id="oci_pull-repository"></a>repository |  Image path beneath the registry, e.g. `distroless/static`   | String | required |  |
+| <a id="oci_pull-scheme"></a>scheme |  scheme portion of the URL for fetching from the registry   | String | optional |  `"https"`  |
+| <a id="oci_pull-shallow"></a>shallow |  Deprecated. Does nothing   | Boolean | optional |  `False`  |
+
+**ENVIRONMENT VARIABLES**
+
+This repository rule depends on the following environment variables:
+* `DOCKER_CONFIG`
+* `REGISTRY_AUTH_FILE`
+* `XDG_RUNTIME_DIR`
+* `HOME`
+* `OCI_ENABLE_OAUTH2_SUPPORT`
+
+

docs/providers.md

@@ -26,45 +26,6 @@ OCIDescriptor(<a href="#OCIDescriptor-file">file</a>, <a href="#OCIDescriptor-de
 | <a id="OCIDescriptor-annotations"></a>annotations |  String map of aribtrary metadata    |
 
 
-<a id="OCIImageIndexManifest"></a>
-
-## OCIImageIndexManifest
-
-<pre>
-OCIImageIndexManifest(<a href="#OCIImageIndexManifest-manifests">manifests</a>, <a href="#OCIImageIndexManifest-annotations">annotations</a>)
-</pre>
-
-
-
-**FIELDS**
-
-
-| Name  | Description |
-| :------------- | :------------- |
-| <a id="OCIImageIndexManifest-manifests"></a>manifests |  List of descriptors    |
-| <a id="OCIImageIndexManifest-annotations"></a>annotations |  String map of arbitrary metadata    |
-
-
-<a id="OCIImageManifest"></a>
-
-## OCIImageManifest
-
-<pre>
-OCIImageManifest(<a href="#OCIImageManifest-config">config</a>, <a href="#OCIImageManifest-layers">layers</a>, <a href="#OCIImageManifest-annotations">annotations</a>)
-</pre>
-
-
-
-**FIELDS**
-
-
-| Name  | Description |
-| :------------- | :------------- |
-| <a id="OCIImageManifest-config"></a>config |  Descriptor that points to a configuration object    |
-| <a id="OCIImageManifest-layers"></a>layers |  List of descriptors    |
-| <a id="OCIImageManifest-annotations"></a>annotations |  String map of arbitrary metadata    |
-
-
 <a id="OCILayout"></a>
 
 ## OCILayout
@@ -106,21 +67,3 @@ Refers to any artifact represented by an OCI-like reference URI
 | <a id="OCIReferenceInfo-digest"></a>digest |  a file containing the digest of the artifact    |
 
 
-<a id="OCISDK"></a>
-
-## OCISDK
-
-<pre>
-OCISDK(<a href="#OCISDK-ocitool">ocitool</a>)
-</pre>
-
-The OCI SDK
-
-**FIELDS**
-
-
-| Name  | Description |
-| :------------- | :------------- |
-| <a id="OCISDK-ocitool"></a>ocitool |  -    |
-
-

docs/repositories.md

@@ -7,7 +7,7 @@ public repository rules
 ## oci_pull
 
 <pre>
-oci_pull(<a href="#oci_pull-name">name</a>, <a href="#oci_pull-debug">debug</a>, <a href="#oci_pull-digest">digest</a>, <a href="#oci_pull-registry">registry</a>, <a href="#oci_pull-repo_mapping">repo_mapping</a>, <a href="#oci_pull-repository">repository</a>, <a href="#oci_pull-shallow">shallow</a>)
+oci_pull(<a href="#oci_pull-name">name</a>, <a href="#oci_pull-debug">debug</a>, <a href="#oci_pull-digest">digest</a>, <a href="#oci_pull-registry">registry</a>, <a href="#oci_pull-repo_mapping">repo_mapping</a>, <a href="#oci_pull-repository">repository</a>, <a href="#oci_pull-scheme">scheme</a>, <a href="#oci_pull-shallow">shallow</a>)
 </pre>
 
 **ATTRIBUTES**
@@ -16,16 +16,21 @@ oci_pull(<a href="#oci_pull-name">name</a>, <a href="#oci_pull-debug">debug</a>,
 | Name  | Description | Type | Mandatory | Default |
 | :------------- | :------------- | :------------- | :------------- | :------------- |
 | <a id="oci_pull-name"></a>name |  A unique name for this repository.   | <a href="https://bazel.build/concepts/labels#target-names">Name</a> | required |  |
-| <a id="oci_pull-debug"></a>debug |  Enable ocitool debug output   | Boolean | optional |  `False`  |
-| <a id="oci_pull-digest"></a>digest |  -   | String | required |  |
-| <a id="oci_pull-registry"></a>registry |  -   | String | required |  |
+| <a id="oci_pull-debug"></a>debug |  Deprecated. Does nothing   | Boolean | optional |  `False`  |
+| <a id="oci_pull-digest"></a>digest |  The digest or tag of the manifest file   | String | required |  |
+| <a id="oci_pull-registry"></a>registry |  Remote registry host to pull from, e.g. `gcr.io` or `index.docker.io`   | String | required |  |
 | <a id="oci_pull-repo_mapping"></a>repo_mapping |  In `WORKSPACE` context only: a dictionary from local repository name to global repository name. This allows controls over workspace dependency resolution for dependencies of this repository.<br><br>For example, an entry `"@foo": "@bar"` declares that, for any time this repository depends on `@foo` (such as a dependency on `@foo//some:target`, it should actually resolve that dependency within globally-declared `@bar` (`@bar//some:target`).<br><br>This attribute is _not_ supported in `MODULE.bazel` context (when invoking a repository rule inside a module extension's implementation function).   | <a href="https://bazel.build/rules/lib/dict">Dictionary: String -> String</a> | optional |  |
-| <a id="oci_pull-repository"></a>repository |  -   | String | required |  |
-| <a id="oci_pull-shallow"></a>shallow |  -   | Boolean | optional |  `True`  |
+| <a id="oci_pull-repository"></a>repository |  Image path beneath the registry, e.g. `distroless/static`   | String | required |  |
+| <a id="oci_pull-scheme"></a>scheme |  scheme portion of the URL for fetching from the registry   | String | optional |  `"https"`  |
+| <a id="oci_pull-shallow"></a>shallow |  Deprecated. Does nothing   | Boolean | optional |  `False`  |
 
 **ENVIRONMENT VARIABLES**
 
 This repository rule depends on the following environment variables:
-* `OCI_CACHE_DIR`
+* `DOCKER_CONFIG`
+* `REGISTRY_AUTH_FILE`
+* `XDG_RUNTIME_DIR`
+* `HOME`
+* `OCI_ENABLE_OAUTH2_SUPPORT`