artifact-keeper/artifact-keeper
GitHub: artifact-keeper/artifact-keeper
An enterprise-grade open-source artifact repository built in Rust, supporting 45+ package formats with built-in security scanning and edge replication.
Stars: 423 | Forks: 15
# Artifact Keeper
An enterprise-grade, open-source artifact repository supporting **45+ package formats**. Built in Rust.
[Documentation](https://artifactkeeper.com/docs/) | [Demo](https://demo.artifactkeeper.com) | [Website](https://artifactkeeper.com)
## Highlights
- **45+ package formats** - Native protocol support for Maven, PyPI, NPM, Docker/OCI, Cargo, Go, Helm and 38+ more
- **WASM plugin system** - Extend with custom format handlers via WebAssembly (WIT-based, Wasmtime runtime)
- **Security scanning** - Automated vulnerability detection with Trivy and Grype, a policy engine and a quarantine workflow
- **Hardened containers** - All images are built on [DISA STIG](https://www.cyber.mil/stigs/)-compliant Red Hat UBI 9 base images, run as non-root, and ship without a shell or package manager at runtime
- **Borg replication** - Recursive peer mesh with cluster-based artifact distribution and P2P transfer
- **Full-text search** - Meilisearch-backed search across repositories and artifacts
- **Multiple authentication methods** - JWT, OpenID Connect, LDAP, SAML 2.0 and API tokens
- **Artifactory migration** - Built-in tooling to migrate repositories, artifacts and permissions from JFrog Artifactory
- **Artifact signing** - GPG and RSA signing integrated into the Debian, RPM, Alpine and Conda handlers
## System Architecture

```mermaid
graph LR
    Client["CLI / Package Manager / Frontend"]
    Backend["Backend<br/>Rust · Axum<br/>45+ format handlers"]
    DB[(PostgreSQL 16)]
    Storage["Storage<br/>Filesystem / S3"]
    Meili["Meilisearch<br/>Full-text search"]
    Trivy["Trivy<br/>Container & FS scanning"]
    Grype["Grype<br/>Dependency scanning"]
    OpenSCAP["OpenSCAP<br/>Compliance scanning"]
    Peer1["Peer Instance"]
    Peer2["Peer Instance"]
    Client --> Backend
    Backend --> DB
    Backend --> Storage
    Backend --> Meili
    Backend --> Trivy
    Backend --> Grype
    Backend --> OpenSCAP
    Backend <-->|Borg Replication| Peer1
    Backend <-->|Borg Replication| Peer2
    Peer1 <-->|P2P Mesh| Peer2
```

## Backend Architecture

The backend uses a layered architecture; every request passes through a middleware pipeline.

```mermaid
flowchart TD
    REQ["HTTP Request"] --> MW["Middleware Pipeline"]
    subgraph MW["Middleware"]
        direction LR
        CORS["CORS"] --> AUTH["Auth<br/>JWT · OIDC · LDAP<br/>SAML · API Key"]
        AUTH --> RL["Rate Limiter"]
        RL --> TRACE["Tracing<br/>+ Metrics"]
        TRACE --> DEMO["Demo Mode<br/>Guard"]
    end
    MW --> ROUTER["Router<br/>50+ route groups"]
    subgraph HANDLERS["Handler Layer"]
        FMT["Format Handlers<br/>Maven · PyPI · NPM<br/>Docker · 41 more"]
        CORE["Core Handlers<br/>Repos · Artifacts<br/>Users · Auth"]
        ADV["Advanced Handlers<br/>Security · Plugins<br/>Peers · Migration"]
    end
    ROUTER --> HANDLERS
    subgraph SERVICES["Service Layer"]
        direction LR
        ART["Artifact<br/>Service"]
        REPO["Repository<br/>Service"]
        SCAN["Scanner<br/>Service"]
        PLUG["Plugin<br/>Service"]
        SEARCH["Search<br/>Service"]
    end
    HANDLERS --> SERVICES
    subgraph DATA["Data Layer"]
        direction LR
        PG[(PostgreSQL)]
        FS["Storage<br/>FS / S3"]
        MS["Meilisearch"]
        SC["Trivy / Grype / OpenSCAP"]
    end
    SERVICES --> DATA
```

## Supported Package Formats

45+ formats, organized by ecosystem. Each format has a native protocol handler that speaks the same protocol as its package manager.

### Languages and Runtimes

| Format | Aliases | Ecosystem |
|--------|---------|-----------|
| **Maven** | Gradle | Java, Kotlin, Scala |
| **NPM** | Yarn, Bower, pnpm | JavaScript, TypeScript |
| **PyPI** | Poetry, Conda | Python |
| **NuGet** | Chocolatey, PowerShell | .NET, C# |
| **Cargo** | | Rust |
| **Go** | | Go modules |
| **RubyGems** | | Ruby |
| **Hex** | | Elixir, Erlang |
| **Composer** | | PHP |
| **Pub** | | Dart, Flutter |
| **CocoaPods** | | iOS, macOS |
| **Swift** | | Swift Package Manager |
| **CRAN** | | R |
| **SBT** | Ivy | Scala, Java |

### Containers and Infrastructure

| Format | Aliases | Ecosystem |
|--------|---------|-----------|
| **Docker / OCI** | Podman, Buildx, ORAS, WASM OCI, Helm OCI | Container images |
| **Helm** | | Kubernetes charts |
| **Terraform** | OpenTofu | Infrastructure modules |
| **Vagrant** | | VM boxes |

### System Packages

| Format | Ecosystem |
|--------|-----------|
| **RPM** | RHEL, Fedora, CentOS |
| **Debian** | Ubuntu, Debian |
| **Alpine** | Alpine Linux (APK) |
| **Conda** | Conda channels |
| **OPKG** | OpenWrt, embedded Linux |

### Configuration Management

| Format | Ecosystem |
|--------|-----------|
| **Chef** | Chef Supermarket |
| **Puppet** | Puppet Forge |
| **Ansible** | Ansible Galaxy |

### ML / AI

| Format | Ecosystem |
|--------|-----------|
| **HuggingFace** | Models, datasets |
| **ML Model** | Generic ML artifacts |

### Editor Extensions

| Format | Aliases | Ecosystem |
|--------|---------|-----------|
| **VS Code** | | Extension marketplace (VS Code, Cursor, Windsurf, Kiro) |
| **JetBrains** | | Plugin repository |

### Schemas

| Format | Ecosystem |
|--------|-----------|
| **Protobuf / BSR** | Buf Schema Registry, Connect RPC |

### Other

| Format | Ecosystem |
|--------|-----------|
| **Conan** | C, C++ |
| **Git LFS** | Large file storage |
| **Bazel** | Bazel modules |
| **P2** | Eclipse plugins |
| **Generic** | Any file type |
## Security Scanning Pipeline

Every artifact upload is automatically scanned for known vulnerabilities.

```mermaid
flowchart LR
    UP["Artifact<br/>Upload"] --> HASH{"SHA-256<br/>Dedup"}
    HASH -->|New artifact| T["Trivy<br/>FS Scanner"]
    HASH -->|New artifact| G["Grype<br/>Dependency Scanner"]
    HASH -->|Already scanned| CACHE["Cached<br/>Results"]
    T --> SCORE["Vulnerability<br/>Score A-F"]
    G --> SCORE
    CACHE --> SCORE
    SCORE --> POL{"Policy<br/>Engine"}
    POL -->|Pass| OK["Stored"]
    POL -->|Fail| Q["Quarantined"]
```

- **Dual scanners** - Trivy for filesystem/container analysis, Grype for dependency-tree analysis
- **Scoring** - A to F grade based on vulnerability severity and count
- **Policies** - Configurable rules to block or quarantine artifacts
- **Signing** - GPG/RSA signing for Debian, RPM, Alpine and Conda packages

## Borg Replication

Recursive peer-to-peer replication in which every node is a full Artifact Keeper instance. There are no thin caches: every peer runs the same stack and can act as a source for other peers.

```mermaid
graph TD
    P1["Peer<br/>US-West"]
    P2["Peer<br/>EU-Central"]
    P3["Peer<br/>AP-Southeast"]
    P4["Peer<br/>US-East"]
    P1 <-->|"Chunked Transfer"| P2
    P1 <-->|"Chunked Transfer"| P4
    P2 <-->|"Chunked Transfer"| P3
    P3 <-->|"Chunked Transfer"| P4
    P1 <-->|"P2P Mesh"| P3
    P2 <-->|"P2P Mesh"| P4
```

- **Recursive peers** - Every peer is a full instance (backend, database, storage) and can initiate replication to other peers
- **Cluster-based distribution** - Artifacts are replicated across the mesh on demand
- **Chunked transfer** - Large artifacts are split for reliable transfer over unstable links
- **Network-aware scheduling** - Bandwidth and latency analysis for optimal routing

## WASM Plugin System

Extend Artifact Keeper with custom format handlers compiled to WebAssembly.

- **WIT-based interface** - Plugins implement a well-defined `FormatHandler` contract
- **Wasmtime runtime** - Sandboxed execution with fuel-based CPU limits and memory caps
- **Hot reload** - Install, enable, disable and reload plugins without a restart
- **Sources** - Load from a Git repository or a ZIP upload

## Quick Start

```bash
mkdir artifact-keeper && cd artifact-keeper
curl -fsSLO https://raw.githubusercontent.com/artifact-keeper/artifact-keeper/main/docker-compose.yml
curl -fsSLO https://raw.githubusercontent.com/artifact-keeper/artifact-keeper/main/docker/Caddyfile
docker compose up -d
```

Open [http://localhost:30080](http://localhost:30080) and follow the first-time setup instructions.

### Accessing from another machine on your LAN

In development mode (`ENVIRONMENT=development`, the default), CORS automatically allows requests from private-network IPs (`192.168.x.x`, `10.x.x.x`, `172.16-31.x.x`) and localhost. No extra configuration is needed: just open `http://:30080` from any machine on the LAN.
For production deployments, set `CORS_ORIGINS` in `.env` to the public URL that users will access:
```
ENVIRONMENT=production
CORS_ORIGINS=https://registry.example.com
```
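As an added example (not Artifact Keeper's own code), the origin rule described in this section written out in Rust: development mode accepts loopback hosts and the three private ranges listed above, production accepts only origins that appear in `CORS_ORIGINS`. The `Environment` type and `origin_allowed` function are assumed names; private-range matching relies on `std::net::Ipv4Addr::is_private`, which covers exactly `10/8`, `172.16/12` and `192.168/16`.

```rust
// Added example, not Artifact Keeper's own code: the CORS origin rule from the
// README. Development mode auto-allows loopback and RFC 1918 origins on any
// port; production honours only the explicit CORS_ORIGINS list.
use std::net::Ipv4Addr;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Environment {
    Development,
    Production,
}

/// Split an Origin header value ("scheme://host[:port]") into (scheme, host).
/// Returns None for anything that is not a bare origin (paths, empty host).
fn split_origin(origin: &str) -> Option<(&str, &str)> {
    let (scheme, rest) = origin.split_once("://")?;
    if rest.is_empty() || rest.contains('/') {
        return None;
    }
    // Strip an optional port. Hosts here are names or IPv4 literals, so the
    // last ':' can only be the port separator.
    let host = rest.rsplit_once(':').map_or(rest, |(h, _)| h);
    Some((scheme, host))
}

/// True for "localhost", 127.0.0.0/8 and the private ranges the README lists:
/// 192.168.x.x, 10.x.x.x and 172.16-31.x.x.
fn is_lan_host(host: &str) -> bool {
    if host == "localhost" {
        return true;
    }
    match host.parse::<Ipv4Addr>() {
        Ok(ip) => ip.is_loopback() || ip.is_private(),
        Err(_) => false,
    }
}

/// Decide whether a request Origin may receive CORS headers.
/// `allowed` is the parsed CORS_ORIGINS list (exact-match origins).
pub fn origin_allowed(env: Environment, allowed: &[&str], origin: &str) -> bool {
    // An explicitly configured origin is honoured in every environment.
    if allowed.iter().any(|a| a.eq_ignore_ascii_case(origin)) {
        return true;
    }
    match env {
        // Development: any LAN or loopback host, regardless of port.
        Environment::Development => split_origin(origin)
            .map(|(_, host)| is_lan_host(host))
            .unwrap_or(false),
        // Production: nothing beyond the configured list.
        Environment::Production => false,
    }
}
```

The production branch is the point worth checking in a deployment: once `ENVIRONMENT=production` is set, a LAN origin that worked in development is rejected unless it is listed in `CORS_ORIGINS`.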
**[Full quick start guide →](https://artifactkeeper.com/docs/getting-started/quickstart/)**
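Returning to the scanning pipeline described earlier on this page: as an added example (not Artifact Keeper's own code), the following Rust models its four stages, SHA-256 dedup, merged Trivy/Grype findings, the A-F grade and the policy verdict. The grade thresholds, the `Pipeline` type and the "quarantine anything worse than C" rule are assumptions for illustration; in the real project these come from the policy engine's configuration.

```rust
// Added example, not Artifact Keeper's own code: the upload pipeline from the
// README diagram as a small state machine. SHA-256 dedup is a map keyed by the
// hex digest; the A-F thresholds and the policy threshold are assumptions.
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Severity { Low, Medium, High, Critical }

/// One finding from either scanner; `id` is the advisory id (e.g. a CVE).
#[derive(Debug, Clone)]
pub struct Finding { pub id: String, pub severity: Severity }

/// Variant order matters: A is best, so `grade <= threshold` means "passes".
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Grade { A, B, C, D, F }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict { Stored, Quarantined }

/// Merge Trivy and Grype output so an advisory reported by both scanners is
/// counted once; on disagreement the higher severity wins.
pub fn merge(trivy: &[Finding], grype: &[Finding]) -> Vec<Finding> {
    let mut by_id: HashMap<&str, Finding> = HashMap::new();
    for f in trivy.iter().chain(grype) {
        let e = by_id.entry(&f.id).or_insert_with(|| f.clone());
        if (f.severity as u8) > (e.severity as u8) { e.severity = f.severity; }
    }
    let mut out: Vec<Finding> = by_id.into_values().collect();
    out.sort_by(|a, b| a.id.cmp(&b.id)); // deterministic order for callers
    out
}

/// Assumed grading: any Critical -> F, any High -> D, more than 3 Medium -> C,
/// any Medium -> B, otherwise A (Low-only findings do not lower the grade).
pub fn grade(findings: &[Finding]) -> Grade {
    let n = |s: Severity| findings.iter().filter(|f| f.severity == s).count();
    if n(Severity::Critical) > 0 { Grade::F }
    else if n(Severity::High) > 0 { Grade::D }
    else if n(Severity::Medium) > 3 { Grade::C }
    else if n(Severity::Medium) > 0 { Grade::B }
    else { Grade::A }
}

pub struct Pipeline {
    pub cache: HashMap<String, Grade>, // SHA-256 hex digest -> graded result
    pub worst_allowed: Grade,          // policy: anything worse is quarantined
}

impl Pipeline {
    /// Returns (grade, verdict, served_from_cache). `scan` runs both scanners
    /// and is only invoked when this digest has not been graded before.
    pub fn ingest(&mut self, sha256: &str, scan: impl FnOnce() -> Vec<Finding>) -> (Grade, Verdict, bool) {
        let (g, cached) = match self.cache.get(sha256) {
            Some(&g) => (g, true),
            None => {
                let g = grade(&scan());
                self.cache.insert(sha256.to_string(), g);
                (g, false)
            }
        };
        let verdict = if g <= self.worst_allowed { Verdict::Stored } else { Verdict::Quarantined };
        (g, verdict, cached)
    }
}
```

Note that a cache hit replays the stored grade but still goes through the policy check, so tightening `worst_allowed` affects previously scanned digests on their next upload.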
## Documentation
- **[Quick Start](https://artifactkeeper.com/docs/getting-started/quickstart/)** - Up and running in 5 minutes
- **[Installation](https://artifactkeeper.com/docs/getting-started/installation/)** - Docker Compose or build from source
- **[Configuration](https://artifactkeeper.com/docs/getting-started/configuration/)** - Environment variable reference
- **[Package Formats](https://artifactkeeper.com/docs/package-formats/)** - All 45+ supported formats
- **[Docker Deployment](https://artifactkeeper.com/docs/deployment/docker/)** - Production setup guide
## Project Structure
```
artifact-keeper/
├── backend/          # Rust backend (Axum, SQLx, 429 unit tests)
│   ├── src/
│   │   ├── api/      # Handlers, middleware, routes
│   │   ├── formats/  # 45+ format handler implementations
│   │   ├── services/ # Business logic (35+ services)
│   │   ├── models/   # Data models (18 types)
│   │   └── storage/  # FS and S3 backends
│   └── migrations/   # 33 PostgreSQL migrations
├── edge/             # Peer replication service (Rust)
├── scripts/          # Test runners, native client tests, stress tests
└── .github/          # CI/CD workflows
```
## Technology Choices
| Layer | Choice | Why |
|-------|--------|-----|
| Backend language | **Rust** | Memory safety, performance, strong type system |
| Web framework | **Axum** | Tower middleware ecosystem, async-first |
| Database | **PostgreSQL 16** | JSONB for metadata, mature ecosystem |
| Search | **Meilisearch** | Fast full-text search, easy to operate |
| Security scanning | **Trivy + Grype + OpenSCAP** | Complementary coverage, industry standard |
| Plugin runtime | **Wasmtime** | Sandboxed, portable, WIT contract system |
| Storage | **Filesystem / S3** | Simple default, cloud-ready upgrade path |
## CI/CD Pipeline

Seven GitHub Actions workflows handle testing, releasing and deployment.

```mermaid
flowchart TD
    subgraph TRIGGER["Triggers"]
        PUSH["Push / PR<br/>to main"]
        TAG["Tag v*"]
        CRON["Daily 2 AM UTC"]
        SITE_PUSH["Push to site/**"]
    end
    subgraph CI["ci.yml — Every Push/PR"]
        direction TB
        LINT["🦀 Lint Rust<br/>fmt + clippy"]
        UNIT["🧪 Unit Tests<br/>cargo test --lib"]
        INTEG["🔗 Integration Tests<br/>+ PostgreSQL<br/>(main push only)"]
        SMOKE["🔥 Smoke E2E<br/>PyPI · npm · Cargo<br/>docker-compose.test.yml"]
        AUDIT["🔒 Security Audit<br/>cargo audit"]
        CI_OK["✅ CI Complete"]
        LINT --> UNIT
        LINT --> INTEG
        UNIT --> SMOKE
        SMOKE --> CI_OK
        AUDIT --> CI_OK
    end
    subgraph DOCKER["docker-publish.yml — Push to main / tags"]
        direction TB
        BE_BUILD["Backend<br/>amd64 + arm64"]
        OS_BUILD["OpenSCAP<br/>amd64 + arm64"]
        BE_MERGE["Multi-Arch<br/>Manifest"]
        OS_MERGE["Multi-Arch<br/>Manifest"]
        BE_BUILD --> BE_MERGE
        OS_BUILD --> OS_MERGE
    end
    subgraph E2E["e2e.yml — Manual / called by release"]
        direction TB
        PKI["🔐 Setup PKI<br/>TLS + GPG"]
        NATIVE["📦 Native Client Tests<br/>10 formats"]
        STRESS["🔥 Stress Tests<br/>100 concurrent uploads"]
        FAILURE["💥 Failure Tests<br/>crash · db · storage"]
        PKI --> NATIVE
        NATIVE --> STRESS
        NATIVE --> FAILURE
    end
    subgraph RELEASE["release.yml — Tags v*"]
        direction TB
        E2E_GATE["🚦 E2E Gate<br/>all formats + stress + failure"]
        BINARIES["📦 Build Binaries<br/>linux + macOS<br/>amd64 + arm64"]
        GH_RELEASE["🚀 GitHub Release<br/>binaries + checksums"]
        E2E_GATE --> BINARIES
        BINARIES --> GH_RELEASE
    end
    subgraph NIGHTLY["scheduled-tests.yml — Daily"]
        direction TB
        NIGHTLY_E2E["🌙 Nightly Smoke E2E"]
        DEP_CHECK["🔍 Dependency Check"]
        SEC_SCAN["🔒 Security Scan"]
    end
    subgraph SITE["site.yml"]
        PAGES["📄 Build + Deploy<br/>GitHub Pages"]
    end
    subgraph AMI["ami-build.yml"]
        PACKER["🖥️ Packer Build AMI"]
    end
    PUSH --> CI
    PUSH --> DOCKER
    TAG --> RELEASE
    TAG --> DOCKER
    CRON --> NIGHTLY
    SITE_PUSH --> SITE
    GH_RELEASE -.->|"on release published"| AMI
    classDef trigger fill:#6f42c1,color:#fff,stroke:#6f42c1
    classDef ci fill:#2ea44f,color:#fff,stroke:#2ea44f
    classDef docker fill:#0969da,color:#fff,stroke:#0969da
    classDef release fill:#d97706,color:#fff,stroke:#d97706
    class PUSH,TAG,CRON,SITE_PUSH trigger
    class LINT,UNIT,INTEG,SMOKE,AUDIT,CI_OK ci
    class BE_BUILD,OS_BUILD,BE_MERGE,OS_MERGE docker
    class E2E_GATE,BINARIES,GH_RELEASE release
```

| Workflow | Trigger | What It Does |
|----------|---------|--------------|
| **ci.yml** | Every push/PR | Lint, unit tests, integration tests, smoke E2E (PyPI, npm, Cargo) |
| **docker-publish.yml** | Push to main, tags | Multi-arch Docker images (backend + OpenSCAP) published to ghcr.io |
| **e2e.yml** | Manual or called by release | Full E2E: 10 native client formats, stress tests, failure injection |
| **release.yml** | `v*` tags | E2E gate, cross-platform binaries, GitHub Release |
| **scheduled-tests.yml** | Daily 2 AM UTC | Nightly smoke E2E, dependency check, security scan |
| **site.yml** | Push to `site/**` | Build docs and deploy to GitHub Pages |
| **ami-build.yml** | After a release is published | Bake an AWS AMI with Packer |

## Contributing

Contributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.

Questions or ideas? Join the conversation in [GitHub Discussions](https://github.com/artifact-keeper/artifact-keeper/discussions).

## License

MIT License - see [LICENSE](LICENSE) for details.

Built in Rust. "JFrog" and "Artifactory" are trademarks of JFrog Ltd. Artifact Keeper is not affiliated with or endorsed by JFrog.
Tags: Angular, Artifactory alternative, Cargo, Cilium, DevOps toolchain, DevSecOps, Docker, Grype, Helm Chart, Linux Foundation, Maven, Nexus alternative, NPM, PyPI, Rust, SBOM, WASM plugins, WebAssembly, upstream proxy, binary repository, enterprise-grade, package management, visual interface, security scanning, security defense assessment, open-source artifact repository, documentation security, timing injection, test cases, vulnerability exploration, vulnerability verification, hardware-agnostic, policy engine, cybersecurity challenges, network traffic audit, request interception, fall detection, software bill of materials, edge replication, generic artifact repository, notification system