dagger-modules
Installation
Entrypoint
Types
DaggerModules

dagger-modules

container images, and for verifying Kubernetes deployment repos.

Installation

dagger install git.xarif.de/base/dagger-modules@ce88abfa56c6237dcdeeae4f5242a77c8b16a272

Entrypoint

Return Type

DaggerModules

Example

dagger -m git.xarif.de/base/dagger-modules@ce88abfa56c6237dcdeeae4f5242a77c8b16a272 call \

func (m *MyModule) Example() *dagger.DaggerModules  {
	return dag.
			DaggerModules()
}

@function
def example() -> dagger.DaggerModules:
	return (
		dag.dagger_modules()
	)

@func()
example(): DaggerModules {
	return dag
		.daggerModules()
}

Types

DaggerModules 🔗

DaggerModules is the main entry point for the Dagger module.

buildImage() 🔗

BuildImage builds a container from a Dockerfile in the given source directory and, optionally, runs a YAML-defined test suite against the freshly-built container before returning it.

When --tests is omitted, the build is pure (no execution) and returns the container lazily. When --tests is supplied, tests are executed eagerly and any failure short-circuits the call with an error.

PublishImage delegates to this function; there is no separate TestImage.

Return Type

Container !

Arguments

Name	Type	Default Value	Description
source	Directory !	-	Source directory containing the Dockerfile
dockerfile	String	"Dockerfile"	Path to the Dockerfile relative to source root
buildArg	[String ! ]	-	Repeatable build arguments in KEY=VALUE form (e.g. `--build-arg=VERSION=1.2.3`)
buildSecret	[Secret ! ]	-	Repeatable build secrets, each provided as a Dagger secret. Inside the Dockerfile, mount as `RUN --mount=type=secret,id=<secret-name> ...`. The secret’s Dagger name (set via `--build-secret=name:env://VAR`) is used as the secret id.
platform	String	-	Target platform (e.g. `linux/amd64`, `linux/arm64`). Defaults to engine native.
target	String	-	Target build stage in a multi-stage Dockerfile.
tests	File	-	YAML test specification file. When provided, tests are executed against the built container and any failure aborts the call.
root	Directory	-	Root directory of the repository. Used to resolve mount paths in test specs independently of the build-context (–source). Defaults to the caller’s working directory.

Example

dagger -m git.xarif.de/base/dagger-modules@ce88abfa56c6237dcdeeae4f5242a77c8b16a272 call \
 build-image --source DIR_PATH

func (m *MyModule) Example(source *dagger.Directory) *dagger.Container  {
	return dag.
			DaggerModules().
			BuildImage(source)
}

@function
def example(source: dagger.Directory) -> dagger.Container:
	return (
		dag.dagger_modules()
		.build_image(source)
	)

@func()
example(source: Directory): Container {
	return dag
		.daggerModules()
		.buildImage(source)
}

publishImage() 🔗

PublishImage builds and pushes a container image to an OCI registry.

Always pushes two tags: latest and the sanitized --ref-name.

When --ref-name is a SemVer-style tag (e.g. v1.2.3), additional floating tags v1.2 and v1 are also pushed unless --no-semver-tags is set. This is the conventional pattern for shared-action and GitHub Action repositories.

Additional ad-hoc tags can be supplied via repeatable --extra-tag flags.

If --tests is provided, tests must pass before any push happens. The build+test phase is delegated to BuildImage so the two functions stay in lockstep.

Returns the digest of the ref-tagged push.

Return Type

String !

Arguments

Name	Type	Default Value	Description
source	Directory !	-	Source directory containing the Dockerfile
registry	String !	-	Registry address (hostname or URL — protocol prefix is stripped automatically)
username	String !	-	Registry username
password	Secret !	-	Registry password or token
repository	String !	-	Repository path, e.g. “myuser/myrepo” or “mygroup/myrepo”
refName	String !	-	Git ref name used as image tag alongside “latest”
dockerfile	String	"Dockerfile"	Path to the Dockerfile relative to source root
tests	File	-	YAML test specification file — if provided, tests must pass before pushing
buildArg	[String ! ]	-	Repeatable build arguments in KEY=VALUE form
buildSecret	[Secret ! ]	-	Repeatable build secrets
platform	String	-	Target platform (e.g. `linux/amd64`, `linux/arm64`)
target	String	-	Target build stage in a multi-stage Dockerfile
extraTag	[String ! ]	-	Repeatable extra tags to push in addition to `latest`
noSemverTags	Boolean	-	Disable automatic SemVer floating-tag derivation (vMAJOR, vMAJOR.MINOR)
root	Directory	-	Root directory of the repository. Used to resolve mount paths in test specs independently of the build-context (–source). Defaults to the caller’s working directory.

Example

dagger -m git.xarif.de/base/dagger-modules@ce88abfa56c6237dcdeeae4f5242a77c8b16a272 call \
 publish-image --source DIR_PATH --registry string --username string --password env:MYSECRET --repository string --ref-name string

func (m *MyModule) Example(ctx context.Context, source *dagger.Directory, registry string, username string, password *dagger.Secret, repository string, refName string) string  {
	return dag.
			DaggerModules().
			PublishImage(ctx, source, registry, username, password, repository, refName)
}

@function
async def example(source: dagger.Directory, registry: str, username: str, password: dagger.Secret, repository: str, ref_name: str) -> str:
	return await (
		dag.dagger_modules()
		.publish_image(source, registry, username, password, repository, ref_name)
	)

@func()
async example(source: Directory, registry: string, username: string, password: Secret, repository: string, refName: string): Promise<string> {
	return dag
		.daggerModules()
		.publishImage(source, registry, username, password, repository, refName)
}

verifyImages() 🔗

VerifyImages checks that container images exist in their registry and provide a manifest for the target platform(s), without a full image pull. It is the standalone counterpart to the images: block in VerifyKustomize: use it to verify explicit refs, or refs harvested from source files (Renovate annotations / extra_sources), independently of a kustomize build.

At least one ref must be resolvable (via –image, –tests extra_sources, or harvested annotations in –source), otherwise the call errors.

Return Type

String !

Arguments

Name	Type	Default Value	Description
image	[String ! ]	-	Explicit image references to verify (repeatable).
platform	[String ! ]	-	Target platform(s) each image must provide a manifest for (os/arch[/variant]). Defaults to linux/amd64 when unset.
strict	Boolean	-	Strict mode: additionally assert the resolved image’s architecture/os match the platform (catches a single-arch image pinned for the wrong platform).
ignore	[String ! ]	-	Refs to skip: exact ref or glob; prefix “re:” for a regex (repeatable).
registryConfig	Secret	-	Docker config.json (as a Dagger secret) for private registry auth. Optional — public images are checked anonymously.
source	Directory	-	Source directory scanned for extra_sources / Renovate annotations.
tests	File	-	Test spec file; reuses its images: block (platforms, ignore, extra_sources, strict, harvest). CLI flags override where set.
root	Directory	-	Root directory of the repository (uniform –root support).

Example

dagger -m git.xarif.de/base/dagger-modules@ce88abfa56c6237dcdeeae4f5242a77c8b16a272 call \
 verify-images

func (m *MyModule) Example(ctx context.Context) string  {
	return dag.
			DaggerModules().
			VerifyImages(ctx)
}

@function
async def example() -> str:
	return await (
		dag.dagger_modules()
		.verify_images()
	)

@func()
async example(): Promise<string> {
	return dag
		.daggerModules()
		.verifyImages()
}

verifyKustomize() 🔗

VerifyKustomize validates a Kubernetes deployment repo by checking that vendored Helm chart caches match the versions declared in kustomization.yaml and that kustomize build produces valid output.

When helmCharts entries are found, the function: - verifies charts/-/ exists for each entry - detects stale chart directories not matching any current entry - runs kustomize build --enable-helm .

When no helmCharts entries exist, it runs plain kustomize build ..

The build runs inside the provided toolImage container, which should match the production ArgoCD CMP image for version parity.

Return Type

String !

Arguments

Name	Type	Default Value	Description
source	Directory !	-	Kubernetes deployment repo root containing kustomization.yaml
toolImage	String	"registry.gitlab.com/xarif/docker/argocd-sops-cmp:latest"	Container image with kustomize + helm CLI tools. Must match the production ArgoCD CMP image for version parity.
root	Directory	-	Root directory of the repository. Accepted for forward-compatibility with future test/fixture mount support (same as build-image –root) and to allow dagger-call.sh to pass –root=. uniformly to all functions without per-function case logic.
tests	File	-	YAML test specification file for manifest validation. When provided, runs linters and custom assertions against the rendered kustomize build output. See docs/kubernetes-testing.md.
verifyImages	Boolean	true	Verify that referenced container images exist in their registry and provide a manifest for the target platform(s). Default-on (opt-out): set to false to skip entirely. Configuration (platforms, ignore, extra_sources, …) lives in the tests spec under the images: block.
registryConfig	Secret	-	Docker config.json (as a Dagger secret) providing registry credentials for the image-existence check against private registries. Optional — public images are checked anonymously. Example: `--registry-config=file:///root/.docker/config.json`.

Example

dagger -m git.xarif.de/base/dagger-modules@ce88abfa56c6237dcdeeae4f5242a77c8b16a272 call \
 verify-kustomize --source DIR_PATH

func (m *MyModule) Example(ctx context.Context, source *dagger.Directory) string  {
	return dag.
			DaggerModules().
			VerifyKustomize(ctx, source)
}

@function
async def example(source: dagger.Directory) -> str:
	return await (
		dag.dagger_modules()
		.verify_kustomize(source)
	)

@func()
async example(source: Directory): Promise<string> {
	return dag
		.daggerModules()
		.verifyKustomize(source)
}