Package release workflow

The diagram below illustrates a generic package release workflow with Rugged TUF signing integrated.


sequenceDiagram participant PP as Packaging
Pipeline participant FS as Shared
Filesystem(s) participant TUF as Rugged
CLI participant TARGETS as Targets
Worker participant SNAPSHOT as Snapshot
Worker participant TIMESTAMP as Timestamp
Worker autonumber activate PP PP->>PP: Clone code rect rgba(0, 255, 255, .1) note left of FS: <PACKAGE>-<VERSION>.zip PP->>PP: Build package PP->>FS: Upload package activate FS end rect rgba(0, 255, 0, .1) note left of FS: <PACKAGE>.json PP->>PP: Generate package
metadata PP->>FS: Upload package metadata end PP->>TUF: `rugged add-targets foo/foo.zip foo/package.json [...]` activate TUF rect rgba(0, 0, 255, .1) note right of FS: TUF signing TUF->>TARGETS: list of target files to sign activate TARGETS loop For each target file FS-->>TARGETS: Read target file TARGETS->>TARGETS: Update Targets metadata
(with signature of target file) end TARGETS->>TARGETS: Sign Targets metadata TARGETS-->>FS: Write updated Targets metadata note left of TUF: targets.json TARGETS->>TUF: Return status message deactivate TARGETS TUF->>PP: Print status message TUF->>SNAPSHOT: Trigger Snapshot update activate SNAPSHOT SNAPSHOT->>SNAPSHOT: Update and sign
Snapshot metadata SNAPSHOT-->>FS: Write updated Snapshot metadata note left of TUF: snapshot.json SNAPSHOT->>TUF: Return status message deactivate SNAPSHOT TUF->>PP: Print status message TUF->>TIMESTAMP: Trigger Timestamp update activate TIMESTAMP TIMESTAMP->>TIMESTAMP: Update and sign
Timestamp metadata TIMESTAMP-->>FS: Write updated Timestamp metadata deactivate FS note left of TUF: timestamp.json TIMESTAMP->>TUF: Return status message deactivate TIMESTAMP TUF->>PP: Print status message end deactivate TUF deactivate PP