feat(web-ng): native add-on import orchestration on a shared OCI client (#3425) #3479

Merged

mfreeman451 merged 1 commit from feat/native-addon-web-importer into staging

2026-06-01 00:21:42 +00:00

mfreeman451 commented

2026-06-01 00:18:09 +00:00

Owner

What

build-signing §4.1 (web-ng half) — imports a first-party native add-on from a trusted Forgejo release into a staged AddonPackage, closing the loop with the merged core importer (#3476) + object-storage mirror (#3478) + DB test (#3477).

Modules

ServiceRadarWebNG.Plugins.ForgejoOciClient — shared transport, extracted so the native importer (and, in a follow-up, FirstPartyImporter) reuse one client: repo/release/asset fetch, OCI manifest+blob fetch (registry bearer-token + docker-config auth, redirect handling), Cosign verify, trusted-host/URL validation, digest/string utils. Same injection seams as FirstPartyImporter (:first_party_plugin_import_http_client, :first_party_plugin_cosign_verifier, …) so existing config/tests apply.
ServiceRadarWebNG.Plugins.NativeAddonImporter.import/1 — resolve repo + release tag → fetch serviceradar-native-addon-index.json → find entry → fetch + Cosign-verify the OCI manifest → assert each per-arch tarball_digest/signature_digest + the bundle_digest is a layer of the verified manifest and pull those blobs by digest (content-addressed) → extract addon.yaml + config.schema.json → assemble per-arch artifacts → core import_entry/4 with NativeAddonArtifactMirror.mirror_fun/3 + a SystemActor.

Trust split: web-ng owns transport + discovery (OCI + cosign); the core owns per-arch ed25519 verification + persistence.

Verification

mix compile --warnings-as-errors + mix credo --strict clean (both modules). The core (#3476/#3477) and mirror (#3478) it builds on are unit- and DB-tested.

Remaining (tasks.md §4)

Migrate FirstPartyImporter to delegate to ForgejoOciClient. The shared module is in use by the native importer; FPI still holds its own transport copies. The migration is import ForgejoOciClient + deleting ~50 now-duplicated defps — all-or-nothing on the import (name/arity conflicts), so I kept it out of this PR to avoid destabilizing the working WASM path. It's a pure, test-gated dedup (FPI's test is unit-style, mocks http/cosign, no DB) — a clean focused follow-up.
End-to-end test of the web-ng importer (fake OCI/HTTP client serving a fixture index + bundle + per-arch blobs → scratch DB → staged AddonPackage), mirroring first_party_importer_test.exs.

🤖 Generated with Claude Code

## What build-signing **§4.1 (web-ng half)** — imports a first-party native add-on from a trusted Forgejo release into a **staged `AddonPackage`**, closing the loop with the merged core importer (#3476) + object-storage mirror (#3478) + DB test (#3477). ## Modules - **`ServiceRadarWebNG.Plugins.ForgejoOciClient`** — shared transport, **extracted** so the native importer (and, in a follow-up, `FirstPartyImporter`) reuse one client: repo/release/asset fetch, OCI manifest+blob fetch (registry bearer-token + docker-config auth, redirect handling), Cosign verify, trusted-host/URL validation, digest/string utils. Same injection seams as `FirstPartyImporter` (`:first_party_plugin_import_http_client`, `:first_party_plugin_cosign_verifier`, …) so existing config/tests apply. - **`ServiceRadarWebNG.Plugins.NativeAddonImporter.import/1`** — resolve repo + release tag → fetch `serviceradar-native-addon-index.json` → find entry → fetch + **Cosign-verify** the OCI manifest → **assert each per-arch `tarball_digest`/`signature_digest` + the `bundle_digest` is a layer of the verified manifest** and pull those blobs by digest (content-addressed) → extract `addon.yaml` + `config.schema.json` → assemble per-arch artifacts → **core `import_entry/4`** with `NativeAddonArtifactMirror.mirror_fun/3` + a `SystemActor`. Trust split: web-ng owns transport + discovery (OCI + cosign); the core owns per-arch ed25519 verification + persistence. ## Verification `mix compile --warnings-as-errors` + `mix credo --strict` clean (both modules). The core (#3476/#3477) and mirror (#3478) it builds on are unit- and DB-tested. ## Remaining (tasks.md §4) - **Migrate `FirstPartyImporter` to delegate to `ForgejoOciClient`.** The shared module is in use by the native importer; FPI still holds its own transport copies. The migration is `import ForgejoOciClient` + deleting ~50 now-duplicated `defp`s — **all-or-nothing on the import** (name/arity conflicts), so I kept it out of this PR to avoid destabilizing the working WASM path. It's a pure, test-gated dedup (FPI's test is unit-style, mocks http/cosign, no DB) — a clean focused follow-up. - **End-to-end test** of the web-ng importer (fake OCI/HTTP client serving a fixture index + bundle + per-arch blobs → scratch DB → staged `AddonPackage`), mirroring `first_party_importer_test.exs`. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

Rows
Columns