OCI-only artifact catalog CLI
Project description
artifact-locker
artifact-locker stores a small local catalog of files and syncs that current
state through OCI with oras.
The installed CLI is available as both artifact-locker and the shorter
artlock.
The model is intentionally simple:
- every artifact is a real stored file
- the local catalog is the source of truth
pushmakes the remote match local current statepullrestores that current state on another machine
Commands
artifact-locker initartifact-locker add [source-or-url]artifact-locker list [query]artifact-locker find <query>artifact-locker show <query>artifact-locker remove <query>artifact-locker verify --catalog|--local|--allartifact-locker pushartifact-locker pull
Repo Layout
.
├── catalog/
│ ├── artifacts.json
│ └── checksums.txt
├── config.json
└── staging/
└── release-assets/
config.json stores the OCI repository and the local artifact directory. By
default the managed repo lives under ~/.local/share/artifact-locker/ and the
managed payload directory is ~/.local/share/artifact-locker/artifacts.
Managed payloads are stored in a flat local tree by platform and filename:
~/.local/share/artifact-locker/artifacts/<platform>/<filename>
Artifact IDs remain in the catalog and OCI tags. Older local trees that still use per-artifact ID directories are tolerated and are migrated forward on write. Category remains catalog metadata for filtering and notes, but it is no longer part of the local serving path.
Registry authentication is external. For ECR Public:
aws ecr-public get-login-password --region us-east-1 | \
oras login -u AWS --password-stdin public.ecr.aws
Usage
artifact-locker init
artifact-locker add ./Seatbelt.exe --platform windows --category bin --no-input
artifact-locker add https://example.test/tool.zip --platform linux --category archive --no-input
artifact-locker find seatbelt
artifact-locker show Seatbelt.exe
artifact-locker remove seatbelt
artifact-locker push
artifact-locker pull
The OCI repository is treated as fully owned by artifact-locker. Any remote
tag not part of the current live state may be removed on push.
Development
python3 -m pytest
python3 -m build
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file artifact_locker-0.3.3.tar.gz.
File metadata
- Download URL: artifact_locker-0.3.3.tar.gz
- Upload date:
- Size: 28.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
03711cf13410a335c9253ea11e518be1c696e300c4c434fe71e2d27f86cf633f
|
|
| MD5 |
6f8b6872ff585f6be49782cf30eb0278
|
|
| BLAKE2b-256 |
f0c5cae01f37de9fbd07cdbda5c98da5e6f9469c8adcc6207e2b04bc71baa036
|
Provenance
The following attestation bundles were made for artifact_locker-0.3.3.tar.gz:
Publisher:
publish-pypi.yml on CameronCandau/Artifact-Locker
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
artifact_locker-0.3.3.tar.gz -
Subject digest:
03711cf13410a335c9253ea11e518be1c696e300c4c434fe71e2d27f86cf633f - Sigstore transparency entry: 1482044297
- Sigstore integration time:
-
Permalink:
CameronCandau/Artifact-Locker@4ce71b4d0446619a61045229e5d8d1108207ffe9 -
Branch / Tag:
refs/tags/v0.3.3 - Owner: https://github.com/CameronCandau
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-pypi.yml@4ce71b4d0446619a61045229e5d8d1108207ffe9 -
Trigger Event:
release
-
Statement type:
File details
Details for the file artifact_locker-0.3.3-py3-none-any.whl.
File metadata
- Download URL: artifact_locker-0.3.3-py3-none-any.whl
- Upload date:
- Size: 25.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
32017cf4eb09e86c1ffa44c4814be187f78d21f57b2baeeb12c344067e26e202
|
|
| MD5 |
67cc0f7dc666bb0c396ca2b63a9e48bc
|
|
| BLAKE2b-256 |
76363e38e8df77816182a0da3502b236a0b670581e009c67ea1f573d2eb1620c
|
Provenance
The following attestation bundles were made for artifact_locker-0.3.3-py3-none-any.whl:
Publisher:
publish-pypi.yml on CameronCandau/Artifact-Locker
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
artifact_locker-0.3.3-py3-none-any.whl -
Subject digest:
32017cf4eb09e86c1ffa44c4814be187f78d21f57b2baeeb12c344067e26e202 - Sigstore transparency entry: 1482044333
- Sigstore integration time:
-
Permalink:
CameronCandau/Artifact-Locker@4ce71b4d0446619a61045229e5d8d1108207ffe9 -
Branch / Tag:
refs/tags/v0.3.3 - Owner: https://github.com/CameronCandau
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-pypi.yml@4ce71b4d0446619a61045229e5d8d1108207ffe9 -
Trigger Event:
release
-
Statement type:
