Contributing
How to contribute to Standard Registry. https://github.com/aquaproj/aqua-registry
See also
Changelog of document and development workflow
- 2025-01-19 Add
Note of Programing Language Support
- 2024-12-14 Remove
cmdx new
from the guide - 2024-05-24 The behaviour of
cmdx s
,cmdx t
, andcmdx new
were changed.
Should you create an Issue before sending a Pull Request?
Basically, you don't have to create an Issue before sending a Pull Request. But if the pull request requires the discussion before reviewing, you have to create an Issue in advance.
For example, you don't have to create an Issue in the following cases.
- Add a package
- Fix a typo
On the other hand, for example if you want to change the directory structure in pkgs
or the workflow adding a package,
you have to create an Issue and describe what is changed and why the change is needed.
aqua can't support some tools' plugin mechanism
Some tools have the plugin mechanism.
e.g.
aqua simply installs commands in PATH (AQUA_ROOT_DIR/bin
), but some of these plugins expect to be installed in the other location.
If aqua can't support the plugin, we will reject the pull request adding the plugin to aqua-registry.
So if you send a pull request adding a plugin to aqua-registry, please check if aqua can support the plugin. We aren't necessarily familiar with the plugin, so please explain where the plugin expects to be installed and how the plugin works in the pull request description.
If you don't know well, please create a pull request and consult us.
Note of Programing Language Support
aqua supports several programing languages such as Go and Node.js, but when we support a programing language, we need to be careful about where the programing language installs libraries and commands.
For instance, if the programing language installs commands in the same directory with the programing language itself, aqua can't add them to $PATH, meaning we can't execute them.
aqua doesn't support changing $PATH dynamically (We have no plan to support it as it makes aqua more complicated).
Node.js's npm i -g
installs the same directory with node by default, so we gave up the support of Node.js before (Now aqua supports Node.js again because we can change the install path by NPM_CONFIG_PREFIX
).
If the language installs libraries in the same directory with it, the language can't refer installed libraries when we change the version of the language.
So before supporting a programing language, we should consider carefully if it really works well. Many programing languages have dedicated version managers, so maybe they are more appropriate.
Commit Signing
All commits of pull requests must be signed. Please see the document.
Set up
- Please fork aquaproj/aqua-registry.
- Checkout the repository
- Run
aqua i -l
in the repository root directory to install tools which are required for contribution.
aqua i -l
Structure of aqua-registry
Package-related code is located in the pkgs/<package name>
directory of https://github.com/aquaproj/aqua-registry.
e.g. cli/cli
Each package directory contains the following files:
- pkg.yaml: List of versions installed during testing. This is essentially test data
- registry.yaml: Configuration. Each tool's registry.yaml is merged to generate the repository root registry.yaml
- scaffold.yaml: Optional. Configuration file for commands that auto-generate pkg.yaml and registry.yaml. Required when you want to change the auto-generation behavior
pkg.yaml is just test data. You can install versions not included in this file.
There is also a registry.yaml at the repository root, which is a huge YAML file merging all registry.yaml files under pkgs
.
When specifying Standard Registry in aqua.yaml, this repository root registry.yaml is referenced.
To modify the repository root registry.yaml, modify the registry.yaml under pkgs and run the cmdx gr
command.
registry.yaml Documentation
Please refer to Registry Config. There is also a JSON Schema. The registry.yaml files under pkgs have JSON Schema comments, so VSCode and similar editors can provide auto-completion.
Additionally, there are abundant examples under pkgs in aqua-registry. By grepping here, you can see how much each configuration item is used and how to write them for reference.
# Search with slsa_provenance
$ git grep -l slsa_provenance pkgs
pkgs/Zxilly/go-size-analyzer/registry.yaml
pkgs/aquaproj/aqua-registry-updater/registry.yaml
pkgs/aquaproj/example-go-slsa-provenance/registry.yaml
...
Development Tools
Unfortunately, the current development tools depend on Shell Scripts and are unlikely to work on Windows (though they probably work on WSL). There is an issue to rewrite them in Go.
CLIs for developing aqua-registry are provided.
These can be installed with aqua.
Check out aqua-registry and run aqua i -l
.
aqua i -l
We use a task runner called cmdx.
You can check tasks with cmdx help
.
cmdx help
Using development tools, you can generate files for each package (pkg.yaml, registry.yaml, scaffold.yaml) and test tool installation in containers. Tests are performed in containers using the docker command, so you need the docker command and a compatible container engine. Docker Desktop would work fine of course. We install docker/cli and abiosoft/colima with aqua. Please confirm that the docker command works.
docker version
cmdx s - Scaffold configuration and test it in containers
cmdx s <package name>
generates a configuration file pkgs/<package name>/registry.yaml
and a test data file pkgs/<package name>/pkg.yaml
, and tests them in containers.
It gets data from GitHub Releases by GitHub API.
By default, it gets all releases, so it takes a bit long time if the repository has a lot of releases.
cmdx s
isn't perfect, but you must use it when you add new packages.
cmdx t - Test a package in containers
cmdx t [<package name>]
tests a package in containers.
If the branch name is feat/<package name>
, you can omit the argument <package name>
.
cmdx t
copies files pkgs/<package name>/{pkg.yaml,registry.yaml}
in containers and test them.
If the test succeeds, registry.yaml
is updated.
cmdx rm - Remove containers
cmdx rm
removes containers.
cmdx s
and cmdx t
reuse containers, but if you want to test packages in clean environment, you can do it by removing containers.
cmdx rmp - Remove an installed package from containers
cmdx rmp [<package name>]
removes an installed package from containers.
If the branch name is feat/<package name>
, you can omit the argument <package name>
.
It runs aqua rm <package name>
and removes aqua-checksums.json
in containers.
This task is useful when you want to test packages in clean environment.
cmdx gr - Update registry.yaml
cmdx gr
merges pkgs/**/registry.yaml
and updates registry.yaml.
Please don't edit registry.yaml directly.
When you edit pkgs/**/registry.yaml
, please run cmdx gr
to reflect the update to registry.yaml
in the repository.
cmdx con - Connect to a container
cmdx con [<os>] [<arch>]
connect to a given container.
cmdx s
and cmdx t
tests packages in containers.
cmdx con
is useful to look into the trouble in containers.
By default, <os>
is linux
and <arch>
is CPU architecture of your machine.
Code Auto-generation
Writing configuration files for each package from scratch is difficult and has quality issues. Therefore, commands for auto-generating code are provided. When adding a new package, always use this command. Code written manually from scratch is not quality assured, so Pull Requests will not be accepted. However, code auto-generation is not perfect and often generates incomplete code. In that case, you need to manually fix the generated code.
aqua supports various package types, but currently auto-generation mainly supports only github_release
and cargo
.
When generating code for other packages like http
package, specify -l 1
to generate only a template and write the rest manually.
cmdx s -l 1 "<package name>"
GitHub Access Token
Development tools execute GitHub API to get lists of GitHub Releases and assets.
It works without an access token, but the possibility of hitting API rate limits increases.
Hitting API rate limits can prevent normal code generation or cause tests to fail.
You can pass an access token through environment variables GITHUB_TOKEN
or AQUA_GITHUB_TOKEN
.
If these environment variables are not set, it will try to get an access token using the gh auth token
command.
No special permissions are needed as it only reads public repository resources.
Modifying Existing Packages
When modifying existing packages, you need to modify code under pkgs/<package name>
.
There are several modification methods:
- Manually modify the code
- Regenerate the code from scratch with commands
- Auto-generate code for the latest version and manually modify based on that
Which method to use depends on the state of the original code. Code auto-generation has been improved many times. Therefore, there is low-quality code generated before improvements. Such code may be better regenerated from scratch rather than manually fixed.
One characteristic to identify if code is old is how version_constraint
and version_overrides
are written.
In the new style, it basically looks like this:
version_constraint: "false" # Root version_constraint is "false"
version_overrides:
- version_constraint: semver("<= 0.1.0") # Version constraints use <, <= not >, >= (basically <=)
# ...
# ...
- version_constraint: "true" # End with "true" for latest version configuration
# ...
In the old style, version_overrides
is often not defined.
In this case, it's likely better to regenerate from scratch.
However, as mentioned earlier, auto-generation doesn't support package types other than github_release
or cargo
, so manual modification will be necessary.
Also, aliases and files cannot be auto-generated, so you need to modify the auto-generated code referring to the original code.
3. Auto-generate code for the latest version and manually modify based on that
is effective when the package no longer installs with the latest version but you want to reuse existing code (don't want to regenerate from scratch).
Running the following command generates code for the latest version:
aqua gr -l 1 "<package name>"
Fix this and add it to the end of version_overrides
in the original code and modify version_constraint.
Manual Modification
When manual modification is necessary, you'll need to look at error messages and fix appropriately.
When Configuration Needs to Change for Specific Versions
You can change configuration by version using version_overrides and version_constraint.
When Configuration Needs to Change for Specific OS/Arch
You can change configuration by OS/Arch with overrides.
When Version Cannot Be Found
Sometimes a released version is deleted and disappears.
In that case, delete that version from pkg.yaml.
And delete configuration related to that version from registry.yaml (if any).
However, no_asset and error_message don't need to be deleted.
You may or may not add no_asset
and error_message
.
When Asset Cannot Be Found
When an asset cannot be found, either the asset name is wrong or the asset hasn't been released.
Running the cmdx lsa [-r <repository name>] "<version>"
command outputs a list of assets, which is convenient.
$ cmdx lsa -repo suzuki-shunsuke/pinact v3.0.0
+ REPO=${REPO#https://github.com/}
repo=$(bash scripts/get_test_pkg.sh "$REPO")
gh release view --json assets --jq ".assets[].name" -R "$repo" "$VERSION"
multiple.intoto.jsonl
pinact_3.0.0_checksums.txt
pinact_3.0.0_checksums.txt.pem
pinact_3.0.0_checksums.txt.sig
pinact_darwin_amd64.tar.gz
pinact_darwin_arm64.tar.gz
pinact_linux_amd64.tar.gz
pinact_linux_arm64.tar.gz
pinact_windows_amd64.zip
pinact_windows_arm64.zip
It's common for new GitHub Releases or tags to be released without assets being released. When there are no assets, the following causes are possible:
- Release is simply delayed. It will be released if you wait
- CI failed midway and wasn't released
- CI skipped the release
These are not problems with aqua or aqua-registry. For example, if such a problem occurs with suzuki-shunsuke/pinact and you want to take action, it would be good to create an issue or PR at https://github.com/suzuki-shunsuke/pinact. As aqua-registry maintainers, we often encounter these problems. Each time, we report problems to various repositories or fix CI.
It's common for specific os/arch not to be supported.
In that case, you need to exclude that os/arch from supported_envs
.
If the asset name is wrong, the asset naming convention may have changed from a certain version. For example, the GoReleaser configuration was modified and the format became zip, or the version disappeared from the asset name, etc. In that case, you need to modify the asset in registry.yaml. If the name changed due to a mistake on the tool side, it would be kind to report the problem or create a PR to fix it.
When Command Cannot Be Found
When a command cannot be found, the following possibilities exist:
- Command name is wrong
- Command name changed
- Path is wrong
- Target os/arch is excluded by supported_envs
In these cases, you need to modify the files
configuration.
files:
- name: <command name>
src: <relative path to command executable>
By default, the command name is the last element when splitting the package name by /
.
So for cli/cli
it becomes cli
, but the actual command name is gh
, so you need to explicitly specify files
.
files:
- name: gh
Note that even on Windows, .exe
is not added to the name.
src
is the relative path where the command executable is located when extracting assets like tarball or zip.
By default, it's the same as name
.
For gh, since the path is different, you need to specify src
.
files:
- name: gh
src: gh_{{trimV .Version}}_{{.OS}}_{{.Arch}}/bin/gh
The auto-generation tool currently cannot auto-generate files
.
Therefore, manual modification is necessary.
Adding Support for Specific OS / Architecture
Sometimes a tool supports new OS/Architecture from a specific version but it's not reflected in registry.yaml and remains uninstallable.
In that case, you need to add that OS/Architecture to supported_envs
.
When Checksum Cannot Be Extracted from Checksum File
Please see the document.
When Checksum Verification Fails
Please see the document.
- Checksum written in checksum file is wrong => Disable checksum
checksum:
enabled: false
Or delete the checksum configuration since it's disabled by default.
The checksum enable/disable setting in registry configuration is just a setting for "whether to download checksum file and get checksum". Even if this is disabled, if checksum verification is enabled in aqua.yaml, checksum verification will be performed. In that case, it actually downloads the asset, calculates the checksum, and records it in aqua-checksums.json. There is also an issue for getting checksum via GitHub API.
- Extracting wrong string from checksum file
Modify extraction parameters or disable checksum.
- Wrong checksum algorithm (sha1, sha256, sha512, md5, etc) => Fix the algorithm
When cosign Verification Fails
When SLSA Provenance Verification Fails
When GitHub Artifact Attestations Verification Fails
signer_workflow
might be wrong.
If attestations are not generated for a specific version in the first place, delete the github_artifact_attestations configuration.
The github_artifact_attestations configuration cannot be auto-generated currently. Therefore, when adding a new tool, check if attestations are generated and add the configuration if they are.
When Minisign Verification Fails
The minisign configuration might be wrong. If minisign signing is not performed for a specific version in the first place, delete the minisign configuration.
Tool Naming Convention
To avoid name conflicts, tool names must include /
(namespace-like meaning).
- NG:
terraform
- OK:
hashicorp/terraform
If the tool code is managed on GitHub, match the repository name. If multiple tools are managed in that repository, change the name for each tool.
e.g. winebarrel/cronplan
winebarrel/cronplan/cronmatch
winebarrel/cronplan/cronplan
winebarrel/cronplan/cronviz
Packages hosted outside GitHub should have naming that distinguishes them from GitHub.
cargo
packages become crates.io/{crate name}.
Platforms other than GitHub like GitLab are not actively supported, but some are supported as http type packages.
GitLab uses gitlab.com/<repository name>
.
Adding New Tools
When submitting a Pull Request to add a new tool, there's no need to create an Issue.
Run cmdx s
to auto-generate code.
cmdx s "<tool name>"
e.g.
cmdx s cli/cli
For package types other than github_release, specify -l 1
.
cmdx s -l 1 "<package name>"
cmdx s generates a branch feat/<package name>
, code, and commit, and tests using containers.
cmdx s
creates a commit, but please don't edit the commit by git commit --amend
, git rebase
, or somehow.
cmdx s
creates a commit to distinguish scaffolded code from manual changes.
Please add new commits if you update code.
This command may sometimes fail tests and output a large amount of error messages, but don't be overwhelmed by those error messages. Test failures are expected.
Customizing cmdx s with Configuration File
In many cases, this is unnecessary. Also, you should not use this feature carelessly.
Sometimes cmdx s
generation doesn't work in one go.
For github_release packages, cmdx s
gets lists of GitHub Releases and assets via GitHub API and auto-generates configuration based on that.
However, sometimes you need to exclude specific versions or assets.
For example, if multiple CLIs are published in the same repository, if you don't exclude assets from other CLIs, code might be generated based on asset names from other CLIs.
Also, if multiple tools are published in the same repository, versions might have different prefixes for different tools.
In that case, if you don't ignore versions from other tools, code likely won't be generated correctly.
In such cases, follow these steps:
- Generate a template configuration file
aqua-generate-registry.yaml
forcmdx s
withaqua gr -init <package name>
- Modify the configuration file
aqua-generate-registry.yaml
- Generate code with
cmdx s -c "<configuration file>" "<package name>"
You can configure the following:
version_filter
: Versions not matching this condition are excludedversion_prefix
: Versions without this prefix are excludedall_assets_filter
: Assets not matching this condition are excluded
However, using this feature carelessly can exclude things that shouldn't be excluded, so it shouldn't be used lightly.
all_assets_filter
in particular requires caution. This is because it can accidentally exclude checksum files like SHA256SUM
or checksums.txt
, and it's difficult to notice if you've excluded them.
Therefore, you should first generate code without exclusion settings, and if unnecessary things are mixed in the generated code, write settings that explicitly exclude only those (without making the scope too broad to avoid excluding extra things).
Note that version_filter
is not a feature for dropping support for old versions.
version_constraint
, no_asset
, and error_message
are used for dropping support for old versions.
Retrying cmdx s
Until It Works
In many cases, this is unnecessary.
As mentioned earlier, code generation with cmdx s
doesn't always work on the first try.
Sometimes you need to repeat it several times.
- Generate code without configuration file
cmdx s
- Check the generated code, and if extra versions or assets are included, delete the generated branch
cmdx s
generates a branch and commit, but if it's before opening a Pull Request, you can delete them without problems.
git checkout main
git branch -D "feat/<package name>"
- Generate configuration file
aqua gr -init
- Modify configuration file and generate code
cmdx s
- Repeat 2, 4 until extra versions and assets are excluded
Modifying Manually
If installation of multiple versions is failing and the log is hard to read, it's good to comment out some versions in pkg.yaml and tackle problems one by one.
When modifying configuration, refer to Manual Modification and Style Guide.
After modification, run cmdx t
to confirm it can be installed correctly.
Repeat modification and confirmation until it can be installed.
When you're done with modifications, or if you're not sure how to fix it, submit a Pull Request.
The cmdx new
command has been removed from the standard procedure.
However, the command itself remains and can still be used.
This command has large environment dependencies and didn't work well for some users, making troubleshooting and support difficult.
Since you can create Pull Requests without using cmdx new
, we decided to remove it from the standard procedure.
See also changelog.
Use cmdx s
definitely
We don't accept pull requests not following this guide.
Especially, we don't accept pull requests not using cmdx s
.
Standard Registry must support not only the latest version but also almost all versions and various platforms.
Many tools have so many versions that people can't check all of them manually.
So we can't trust the code not using cmdx s
.
cmdx s
checks all GitHub Releases and generates code supporting all of them (Strictly speaking, if there are too many GitHub Releases we have to restrict the number of GitHub Releases, though cmdx s
can still check over 200 versions).
cmdx s
generates much better code than us.
cmdx s
isn't perfect and sometimes cmdx s
causes errors and generates invalid code.
Then you have to fix the code according to the error message.
cmdx s
supports only github_release
type packages, so for other package types you have to fix the code.
Even if so, you must still use cmdx s
.
cmdx s
guarantees the quality of code.
💡 How to ignore some assets and versions
You can ignore some assets and versions to scaffold better configuration files.
Be careful to use this feature as it may exclude assets and versions unexpectedly.
Especially, all_assets_filter
may exclude assets such as checksum files.
We recommend to scaffold codes without this feature first.
Then if cmdx s
can't scaffold good codes due to some noisy versions or assets, you should re-scaffold code using this feature.
About all_assets_filter
, we recommend specifying patterns to exclude assets (deny list) rather than specifying patterns to include assets (allow list).
e.g.
all_assets_filter: not (Asset contains "static")
- Create
aqua-generate-registry.yaml
byaqua gr --init
command:
aqua gr --init <package name>
- Edit
aqua-generate-registry.yaml
:
Example 1. Filter assets:
name: argoproj/argo-rollouts
all_assets_filter: not ((Asset matches "rollouts-controller") or (Asset matches "rollout-controller"))
Example 2. Filter versions by version_prefix
:
name: grpc/grpc-go/protoc-gen-go-grpc
version_prefix: cmd/protoc-gen-go-grpc/
Example 3. Filter versions by version_filter
:
name: crate-ci/typos
version_filter: not (Version startsWith "varcon-")
- Run
cmdx s
withaqua-generate-registry.yaml
cmdx s -c aqua-generate-registry.yaml
How to execute a package in your machine during development
There are several ways
- Execute a package in linux containers via
cmdx con
- Import
pkgs/<package>/pkg.yaml
in aqua.yaml - Add aqua-all.yaml in
$AQUA_GLOBAL_CONFIG
1. Execute a package in linux containers via cmdx con
$ cmdx con
+ bash scripts/connect.sh
[INFO] Connecting to the container aqua-registry (linux/arm64)
Then you can execute a package in the container.
2. Import pkgs/<package>/pkg.yaml
in aqua.yaml
packages:
# ...
- import: pkgs/<package>/pkg.yaml
Please don't commit this change.
You need to run aqua policy allow
to use the local registry.
aqua policy allow
Then you can execute the package.
3. Add aqua-all.yaml in $AQUA_GLOBAL_CONFIG
export AQUA_GLOBAL_CONFIG=$PWD/aqua-all.yaml:$AQUA_GLOBAL_CONFIG
You need to run aqua policy allow
to use the local registry.
aqua policy allow
Then you can execute all packages.
Supported OS and CPU Architecture
Please consider the following OS and CPU Architecture.
- OS
- windows
- darwin
- linux
- CPU Architecture
- amd64
- arm64
We test the registry in CI on the above environments by GitHub Actions' build matrix.
Test multiple versions
If the package has the field version_overrides,
please add not only the latest version but also old versions in pkg.yaml
to test if old versions can be installed properly.
e.g. pkg.yaml registry.yaml
packages:
- name: scaleway/scaleway-cli@v2.12.0
- name: scaleway/scaleway-cli
version: v2.4.0
⚠️ Don't use the short syntax <package name>@<version>
for the old version to prevent Renovate from updating the old version.
👎
packages:
- name: scaleway/scaleway-cli@v2.12.0
- name: scaleway/scaleway-cli@v2.12.0
What's pkgs/**/pkg.yaml for?
pkgs/**/pkg.yaml
are test data.
pkgs/**/pkg.yaml
are used to test if packages can be installed properly.
Note that pkgs/**/pkg.yaml
aren't lists of available versions.
You can install any versions not listed in pkgs/**/pkg.yaml
.
Trouble shooting
cmdx new
fails to push a commit to the origin
We removed cmdx new
from the guide.
You can still use cmdx new
, but if you have any trouble with cmdx new
, you can create a pull request without cmdx new
.
Please see the changelog for details.
If cmdx new
can't push a commit to a remote branch, please confirm if origin
is not the upstream aquaproj/aqua-registry
but your fork.
If origin
is not your fork, please change it to your fork.
e.g. Fail to push a commit
$ cmdx new pre-commit/pre-commit
# ...
+ git push origin feat/pre-commit/pre-commit
remote: Permission to aquaproj/aqua-registry.git denied to ***.
fatal: unable to access 'https://github.com/aquaproj/aqua-registry/': The requested URL returned error: 403
- If you haven't forked aquaproj/aqua-registry, please fork it.
- Check remote repositories.
git remote -v
- Please fix
origin
.
git remote set-url origin https://github.com/<your fork>
- Please set
upstream
if necessary.
git remote add upstream https://github.com/aquaproj/aqua-registry