# packagelock

### Overview

The `packagelock` tool is used to codify package digests and tags for promotion across environments
from DEV -> STAGE1 -> STAGE2 -> PROD.

The package lock format is defined in the [Cue](https://cuelang.org/) language, a language
for creating configuration standards. The configuration for the EDGE package lock format
is defined in the [package-lock-rules.cue](package-lock-rules.cue) file.

### Package lock file requirements

Package lock files have several requirements:
- Each package has 3 required elements:
  - A `name:` string that defines the name of the package
  - A `latest:` string in the `sha256:abc123` digest format defining the SHA of the latest version
  - A list of versions in the `versions:` element, each with its own version requirements:
    - A `digest:` string that also abides by the `sha256:abc123` format, denoting the digest of the version
    - A `tags:` list of strings defining all tags associated with the version
      - Each tag must be string-only serializable according to YAML 1.2 strings
        - E.g. for semver `"0.13"`, that version must be surrounded in double quotes to ensure treatment as a string vs. a float

The Cue rules engine takes these requirements and parses and validates any package lock file that is
passed in, either via Cue directly or via the `packagelock validate <path to lockfile>` command.
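
The requirements above, restated as an added Python example (not the project's code and not its Cue rules), including the unquoted `0.13` pitfall. The function names are hypothetical, the 64-hex-character digest length is an assumption, and the input is a package entry already parsed from YAML.

```python
import re

# Assumption: a digest is "sha256:" plus 64 lowercase hex characters; the page
# only shows the abbreviated form sha256:abc123.
DIGEST = re.compile(r"sha256:[0-9a-f]{64}")

# Unquoted scalars that the YAML 1.2 core schema resolves to null, bool,
# int or float instead of a string.
NON_STRING = re.compile(
    r"~|null|Null|NULL|true|True|TRUE|false|False|FALSE"
    r"|[-+]?[0-9]+|0o[0-7]+|0x[0-9a-fA-F]+"
    r"|[-+]?(\.[0-9]+|[0-9]+(\.[0-9]*)?)([eE][-+]?[0-9]+)?"
    r"|[-+]?\.(inf|Inf|INF)|\.(nan|NaN|NAN)"
)

def tag_needs_quotes(tag_text):
    """True if this tag, written unquoted in YAML, would not load as a string."""
    return tag_text == "" or NON_STRING.fullmatch(tag_text) is not None

def is_digest(value):
    return isinstance(value, str) and DIGEST.fullmatch(value) is not None

def validate_package(pkg):
    """Check one parsed package entry; return a list of error strings."""
    errors = []
    if not isinstance(pkg.get("name"), str):
        errors.append("name: must be a string")
    if not is_digest(pkg.get("latest")):
        errors.append("latest: must be a sha256 digest")
    versions = pkg.get("versions")
    if not isinstance(versions, list):
        return errors + ["versions: must be a list"]
    for i, ver in enumerate(versions):
        ver = ver if isinstance(ver, dict) else {}
        if not is_digest(ver.get("digest")):
            errors.append(f"versions[{i}].digest: must be a sha256 digest")
        tags = ver.get("tags")
        if not isinstance(tags, list):
            errors.append(f"versions[{i}].tags: must be a list")
            continue
        errors += [f"versions[{i}].tags: {t!r} is not a string"
                   for t in tags if not isinstance(t, str)]
    return errors

# Constructed sample: what a YAML loader yields when 0.13 is left unquoted.
D = "sha256:" + "ab" * 32
SAMPLE = {"name": "example-pkg", "latest": D,
          "versions": [{"digest": D, "tags": ["latest", 0.13]}]}
```

`validate_package(SAMPLE)` reports the float tag, while a tag such as `1.2.3` passes `tag_needs_quotes` unquoted because it does not match any numeric pattern.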

### Validation

Use the `packagelock validate <path to lockfile>` command to validate a file. The command will error if
any portion of the file does not abide by the lock file requirements set in the `package-lock-rules.cue` file.

### Building a lock file

Lock files can be built from a GAR source via the `packagelock build [flags]` command.

Given the GAR repository information and a list of packages, the command builds
a valid package lock file, writing it to stdout and, optionally, to the outpath for saving to a file.