Add OCI skill packager using ocispec types #23

Merged
JAORMX merged 1 commit into main from oci-skills-packager-impl
Feb 7, 2026

@JAORMX JAORMX commented Feb 6, 2026

Summary

  • Implement the SkillPackager interface from interfaces.go
  • Uses canonical ocispec types from github.com/opencontainers/image-spec/specs-go/v1 — no custom OCI struct definitions
  • Reads skill directories, parses SKILL.md YAML frontmatter for metadata
  • Creates per-platform OCI configs (ocispec.Image) with skill metadata in labels
  • Creates manifests (ocispec.Manifest) with skill annotations and artifactType
  • Creates multi-platform image indexes (ocispec.Index)
  • Uses digest.FromBytes for diff ID computation, specs.Versioned for schema version
  • Builds on the deterministic tar/gzip from Add deterministic tar and gzip utilities for OCI skills #22

Security:

  • Rejects symlinks (both files and directories via d.Type() check)
  • Rejects hardlinks and device entries
  • Path traversal protection in filesystem reads
  • Frontmatter size capped at 64KB to mitigate YAML parsing attacks
  • Nil store panics at construction time

New dependencies: github.com/opencontainers/image-spec, gopkg.in/yaml.v3 (promoted from indirect)

Resolves #16

Test plan

  • task passes (lint + test)
  • task license-check passes
  • Reproducibility: same input produces identical digests across separate stores
  • Multi-platform: per-platform configs match index descriptor os/arch
  • Security: symlink files, symlink directories, missing SKILL.md, missing name, invalid frontmatter, nonexistent dir all rejected
  • OCI config: validates architecture, OS, rootfs, diff IDs, labels, history
  • Index: validates schema version, media type, artifact type, annotations

🤖 Generated with Claude Code

Implement the SkillPackager interface with deterministic OCI artifact
creation from skill directories. Uses canonical ocispec types from
github.com/opencontainers/image-spec for OCI 1.1 compliance.

Reads SKILL.md YAML frontmatter for metadata, creates per-platform
OCI configs (ocispec.Image) with skill metadata in labels, manifests
(ocispec.Manifest) with annotations, and multi-platform image indexes
(ocispec.Index). Uses digest.FromBytes for diff IDs and
specs.Versioned for schema version.

Security: rejects symlinks (files and directories), hardlinks, device
entries, and path traversal in filesystem reads. Nil store panics at
construction. Frontmatter capped at 64KB.

New dependencies: github.com/opencontainers/image-spec, gopkg.in/yaml.v3

Resolves: #16

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@JAORMX JAORMX merged commit 3a54b8b into main Feb 7, 2026
5 checks passed
@JAORMX JAORMX deleted the oci-skills-packager-impl branch February 7, 2026 04:11
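
The filesystem and frontmatter checks listed under Security in the PR description can be sketched as follows. This is an added example, not code from this pull request or the project: `checkTree`, `readFrontmatter` and `maxFrontmatter` are hypothetical names, and the sketch covers only the symlink, non-regular-entry and 64KB frontmatter checks, leaving out hardlink detection and path traversal handling.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"io/fs"
	"path/filepath"
)

const maxFrontmatter = 64 * 1024 // 64KB cap from the PR description

// checkTree (hypothetical name) fails on symlinks, to files or directories, and
// on devices, FIFOs and sockets; it returns the regular files it found.
func checkTree(root string) (files []string, err error) {
	err = filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		switch {
		case err != nil:
			return err
		case d.Type()&fs.ModeSymlink != 0:
			return fmt.Errorf("symlink rejected: %s", p)
		case !d.IsDir() && !d.Type().IsRegular():
			return fmt.Errorf("non-regular entry rejected: %s", p)
		case !d.IsDir():
			files = append(files, p)
		}
		return nil
	})
	return files, err
}

// readFrontmatter (hypothetical name) reads at most maxFrontmatter bytes, so an
// oversized or unterminated block fails here and never reaches the YAML parser.
func readFrontmatter(r io.Reader) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(r, maxFrontmatter))
	rest, opened := bytes.CutPrefix(buf, []byte("---\n"))
	body, _, closed := bytes.Cut(rest, []byte("\n---"))
	if err != nil || !opened || !closed {
		return nil, errors.New("frontmatter missing, unterminated or over 64KB")
	}
	return body, nil
}

func main() {
	sample := []byte("---\nname: demo\n---\n# Demo skill\n") // constructed SKILL.md
	fm, err := readFrontmatter(bytes.NewReader(sample))
	fmt.Printf("frontmatter=%q err=%v\n", fm, err)
}
```

`filepath.WalkDir` does not follow symlinks, so a link to a directory surfaces as a single entry whose `d.Type()` carries `fs.ModeSymlink` and is rejected before anything beneath it is read.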
Development

Successfully merging this pull request may close these issues.

OCI Skills Library: Reproducible packager