Awesome

ociupdate

Companion CLI for working with a custom lockfile format for rules_oci.

Updating Dependencies

ociupdate supports a simple strategy for updating ECR images in the lockfile assuming git-describe style versioning and immutable tags:

ociupdate --lockfile ./oci.lock.json update

Optionally allow snapshot versions (of the form d.d.d-n-gcommitish) by adding the flag --allow-snapshots after the update subcommand.

Using with Bazel

Create a module extension:

"OCI extension to translate lockfile to image pulls"

load("@rules_oci//oci:pull.bzl", "oci_pull")

lockfile = tag_class(
    attrs = {
        "lockfile": attr.label(mandatory = True, allow_single_file = True),
    },
)

def _extension(module_ctx):
    lockfiles = []
    for mod in module_ctx.modules:
        for tag in mod.tags.lockfile:
            lockfiles.append(tag.lockfile)

    for lockfile in lockfiles:
        images = json.decode(module_ctx.read(lockfile))
        if "v1" in images:
            for name, definition in images["v1"]["images"].items():
                oci_pull(
                    name = name,
                    digest = definition["digest"],
                    image = definition["image"],
                    platforms = definition.get("platforms"),
                )

oci = module_extension(
    implementation = _extension,
    tag_classes = {
        "lockfile": lockfile,
    },
)

In MODULE.bazel:

oci = use_extension("//tools/extensions:oci.bzl", "oci")
oci.lockfile(lockfile = "//:oci.lock.json")
use_repo(oci, "oci-image-1", "oci-image-2")