Skip to main content

EXTENSIONS

User-built models, drivers, vaults, and reports — the parts that plug into swamp.

Filter by what you need and pull what fits.

Selection
2 results
label:buildx

Base Images

@hivemq/base-images · v2026.06.29.159

A declared fleet of base OCI images we keep security-patched. The whole job — what to patch (`source` = registry/repository/tag), how (`patch`, default: apply all pending security updates), where to publish (`destination` = repository/tag under a run-time `registry`), and what to assert (`expect`, optional version floor) — lives in the model instance's `globalArguments.images`, so a single `swamp model method run <instance> patch --input registry=<registry[/namespace]>` builds, verifies, and pushes every image. The destination registry is the `registry` arg (or `globalArguments.registry`), so one instance retargets to a different registry per run. No workflow. Verify is foreknowledge-free (asserts no security updates remain pending on every platform), which fits a scheduled cadence; an optional per-image `expect` adds a version floor. Composes the pure logic of @hivemq/oci/image/patch and the buildx wrapper of @hivemq/docker; it is the only one of the three that drives buildx. Motivated by PLT-941 (openssl CVE-2026-45447): own the patch cadence instead of waiting on upstream base rebuilds.

upd Jun 2925 pullsD50/100

Docker

@hivemq/docker · v2026.06.26.156

Thin swamp wrapper around the `docker` CLI. Image-lifecycle subset: `build` (single-platform, locally runnable), `run`, `buildInspectPlatforms` (build each arch single-arch with `buildx --load` + run an inspection command, capturing all output in one `inspected` resource — the verify-before-push primitive), `login`, and `buildx build --push` (multi-arch build + push). Each method mirrors a `docker` subcommand so workflows can drive the build/run/publish lifecycle without bespoke shell steps.

upd Jun 264 pullsD50/100