{"id":47662611,"url":"https://github.com/cwaits6/apk-datasource","last_synced_at":"2026-04-08T19:00:27.617Z","repository":{"id":345023200,"uuid":"1182786058","full_name":"cwaits6/apk-datasource","owner":"cwaits6","description":"Auto-update pinned APK package versions in Dockerfiles via Renovate custom datasource","archived":false,"fork":false,"pushed_at":"2026-04-01T02:52:29.000Z","size":691,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-01T05:18:00.324Z","etag":null,"topics":["alpine","apk","datasource","docker","dockerfile","k8s","kubernetes","renovate","version-pinning","wolfi","wolfi-base"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cwaits6.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-16T00:32:50.000Z","updated_at":"2026-03-30T17:26:38.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/cwaits6/apk-datasource","commit_stats":null,"previous_names":["cwaits6/apk-datasource"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/cwaits6/apk-datasource","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cwaits6%2Fapk-datasource","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cwaits6%2Fapk-datasource/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cwaits6%2Fapk-datasource/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cwaits6%2Fapk-datasource/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cwaits6","download_url":"https://codeload.github.com/cwaits6/apk-datasource/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cwaits6%2Fapk-datasource/sbom","scorecard":{"id":1245430,"data":{"date":"2026-03-30T07:14:39Z","repo":{"name":"github.com/cwaits6/apk-datasource","commit":"410206a30a2db7ab0277cb888a039608866b6b05"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":4.5,"checks":[{"name":"Code-Review","score":5,"reason":"Found 11/22 approved changesets -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"project was created within the last 90 days. Please review its contents carefully","details":["Warn: Repository was created within the last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/pr.yml:14","Info: jobLevel 'contents' permission set to 'read': .github/workflows/pr.yml:13","Info: jobLevel 'contents' permission set to 'read': .github/workflows/pr.yml:18","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/pr.yml:22","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecard.yml:15","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:12","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/scorecard.yml:13","Warn: topLevel 'contents' permission set to 'write': .github/workflows/check-go-version.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:8","Warn: topLevel 'packages' permission set to 'write': .github/workflows/container-build.yml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/container-build.yml:10","Warn: topLevel 'contents' permission set to 'write': .github/workflows/generate-index.yml:9","Warn: topLevel 'contents' permission set to 'write': .github/workflows/goreleaser.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/pr.yml:8","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:8","Warn: no topLevel permission defined: .github/workflows/scorecard.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: RenovateBot: renovate.json:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"Pinned-Dependencies","score":2,"reason":"dependency not pinned by hash detected -- score normalized to 2","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check-go-version.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/cwaits6/apk-datasource/check-go-version.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check-go-version.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/cwaits6/apk-datasource/check-go-version.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-build.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/cwaits6/apk-datasource/container-build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/goreleaser.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/cwaits6/apk-datasource/goreleaser.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/cwaits6/apk-datasource/pr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/cwaits6/apk-datasource/pr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/cwaits6/apk-datasource/pr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/cwaits6/apk-datasource/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/scorecard.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/cwaits6/apk-datasource/scorecard.yml/main?enable=pin","Warn: containerImage not pinned by hash: deploy/docker/Dockerfile:1: pin your Docker image by updating cgr.dev/chainguard/wolfi-base:latest to cgr.dev/chainguard/wolfi-base:latest@sha256:a5a619c1793039dcf92f02178f37c94bb3d6001403716da59d6092dfe8d9b502","Warn: containerImage not pinned by hash: deploy/docker/Dockerfile:20: pin your Docker image by updating cgr.dev/chainguard/wolfi-base:latest to cgr.dev/chainguard/wolfi-base:latest@sha256:a5a619c1793039dcf92f02178f37c94bb3d6001403716da59d6092dfe8d9b502","Info:   9 out of  11 GitHub-owned GitHubAction dependencies pinned","Info:   2 out of   9 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"Branch-Protection","score":3,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Info: 'stale review dismissal' is required to merge on branch 'main'","Warn: branch 'main' does not require approvers","Warn: codeowners review is not required on branch 'main'","Warn: 'last push approval' is disabled on branch 'main'","Warn: no status checks found to merge onto branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.1.0 not signed: https://api.github.com/repos/cwaits6/apk-datasource/releases/301256669","Warn: release artifact v1.0.1 not signed: https://api.github.com/repos/cwaits6/apk-datasource/releases/298782366","Warn: release artifact v1.0.0 not signed: https://api.github.com/repos/cwaits6/apk-datasource/releases/298780437","Warn: release artifact v0.1.0 not signed: https://api.github.com/repos/cwaits6/apk-datasource/releases/298259872","Warn: release artifact v0.0.1 not signed: https://api.github.com/repos/cwaits6/apk-datasource/releases/298241473","Warn: release artifact v1.1.0 does not have provenance: https://api.github.com/repos/cwaits6/apk-datasource/releases/301256669","Warn: release artifact v1.0.1 does not have provenance: https://api.github.com/repos/cwaits6/apk-datasource/releases/298782366","Warn: release artifact v1.0.0 does not have provenance: https://api.github.com/repos/cwaits6/apk-datasource/releases/298780437","Warn: release artifact v0.1.0 does not have provenance: https://api.github.com/repos/cwaits6/apk-datasource/releases/298259872","Warn: release artifact v0.0.1 does not have provenance: https://api.github.com/repos/cwaits6/apk-datasource/releases/298241473"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 15 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"Contributors","score":3,"reason":"project has 1 contributing companies or organizations -- score normalized to 3","details":["Info: found contributions from: semantic-release"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"CI-Tests","score":9,"reason":"14 out of 15 merged PRs checked by a CI test -- score normalized to 9","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}}]},"last_synced_at":"2026-04-01T05:23:50.843Z","repository_id":345023200,"created_at":"2026-04-01T05:23:50.843Z","updated_at":"2026-04-01T05:23:50.843Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31305721,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T09:48:21.550Z","status":"ssl_error","status_checked_at":"2026-04-02T09:48:19.196Z","response_time":89,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alpine","apk","datasource","docker","dockerfile","k8s","kubernetes","renovate","version-pinning","wolfi","wolfi-base"],"created_at":"2026-04-02T11:41:09.301Z","updated_at":"2026-04-02T11:41:09.939Z","avatar_url":"https://github.com/cwaits6.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003eapk-datasource\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"./docs/assets/icon.svg\" alt=\"apk-datasource logo\" width=\"220\" height=\"220\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://img.shields.io/github/go-mod/go-version/cwaits6/apk-datasource?logo=go\" alt=\"Go Version\"\u003e\n  \u003ca href=\"https://github.com/cwaits6/apk-datasource/releases/latest\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/cwaits6/apk-datasource?logo=github\" alt=\"Release\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/cwaits6/apk-datasource/actions/workflows/ci.yml\"\u003e\u003cimg src=\"https://github.com/cwaits6/apk-datasource/actions/workflows/ci.yml/badge.svg\" alt=\"CI\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/cwaits6/apk-datasource/actions/workflows/container-build.yml\"\u003e\u003cimg src=\"https://github.com/cwaits6/apk-datasource/actions/workflows/container-build.yml/badge.svg\" alt=\"Container Build\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://scorecard.dev/viewer/?uri=github.com/cwaits6/apk-datasource\"\u003e\u003cimg src=\"https://api.scorecard.dev/projects/github.com/cwaits6/apk-datasource/badge\" alt=\"OpenSSF Scorecard\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/cwaits6/apk-datasource/pkgs/container/apk-datasource\"\u003e\u003cimg src=\"https://img.shields.io/badge/ghcr.io-cwaits6%2Fapk--datasource-blue?logo=github\" alt=\"GHCR\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://hub.docker.com/r/cwaits6/apk-datasource\"\u003e\u003cimg src=\"https://img.shields.io/docker/v/cwaits6/apk-datasource?logo=docker\u0026label=docker%20hub\" alt=\"Docker Hub\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/cwaits6/apk-datasource/blob/main/LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/github/license/cwaits6/apk-datasource\" alt=\"License\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\nAuto-update pinned APK package versions in Dockerfiles using [Renovate](https://docs.renovatebot.com/).\n\n**The problem:** Working with Wolfi or Alpine containers? You pin APK packages for reproducibility — `apk add curl=8.11.1-r0` — but Renovate can't auto-update them. It has no built-in APK datasource. This tool fills that gap. See [renovatebot/renovate#5422](https://github.com/renovatebot/renovate/issues/5422) for context.\n\n## Why This Matters\n\n- **Automated updates** — Stop manually tracking APK package versions\n- **Reproducible builds** — Pin exact versions while staying current\n- **Works with Renovate** — Integrates with your existing dependency management workflow\n- **No server required** — Use the public hosted index, or deploy your own (Docker, Helm, GitLab CI, or binary)\n- **Supports Wolfi \u0026 Alpine** — Works with both Chainguard Wolfi and Alpine Linux indexes\n\n## Hosted Index (No Server Required)\n\nA public index for Wolfi x86_64 and aarch64 packages is hosted on GitHub Pages and refreshed every 4 hours. Point your Renovate config directly at it — no server to run:\n\n```text\nhttps://cwaits6.github.io/apk-datasource/x86_64/{{packageName}}.json\n```\n\n(Replace `{{packageName}}` with an actual package name, e.g., `curl`)\n\n**Test it:** Fetch the datasource for a package to see the available versions:\n\n```bash\ncurl -s https://cwaits6.github.io/apk-datasource/x86_64/curl.json | jq .\n```\n\nReplace `curl` with any APK package name to test others (e.g., `go`, `git`, `busybox`).\n\n## Renovate Setup\n\nAdd the following `customDatasources` and `customManagers` blocks to your existing `renovate.json`. Renovate will start opening PRs to update pinned APK versions (e.g. `curl=8.15.0-r2` -\u003e `curl=8.19.0-r1`):\n\n```json\n{\n  \"customDatasources\": {\n    \"apk-wolfi\": {\n      \"defaultRegistryUrlTemplate\": \"https://cwaits6.github.io/apk-datasource/x86_64/{{packageName}}.json\",\n      \"format\": \"json\"\n    }\n  },\n  \"customManagers\": [\n    {\n      \"customType\": \"regex\",\n      \"fileMatch\": [\"(^|/)Dockerfile[^/]*$\"],\n      \"matchStringsStrategy\": \"recursive\",\n      \"matchStrings\": [\n        \"apk\\\\s+add[^\\\\n\\\\\\\\]*(?:\\\\\\\\[^\\\\S\\\\n]*\\\\n[^\\\\n\\\\\\\\]*)*\",\n        \"(?\u003cdepName\u003e[a-zA-Z0-9][a-zA-Z0-9._+-]*)=(?\u003ccurrentValue\u003e\\\\d+[^\\\\s\\\\\\\\]+)\"\n      ],\n      \"datasourceTemplate\": \"custom.apk-wolfi\",\n      \"versioningTemplate\": \"loose\"\n    }\n  ]\n}\n```\n\n**Want to self-host instead?** See [Deployment](#deployment) for Docker, Helm, GitLab CI, or binary options. Replace the `defaultRegistryUrlTemplate` URL with your server address (e.g. `https://apk.example.com/x86_64/{{packageName}}.json`)\n\n## Quick Start\n\n### Install\n\nDownload a pre-built binary from [GitHub Releases](https://github.com/cwaits6/apk-datasource/releases/latest), or install from source:\n\n```bash\ngo install github.com/cwaits6/apk-datasource/cmd/apk-datasource@latest\n```\n\n### Generate static files\n\n```bash\napk-datasource generate --output-dir ./output\n```\n\n### Serve over HTTP\n\n```bash\napk-datasource serve\n```\n\nBoth commands default to the Chainguard Wolfi index for x86_64 and aarch64. Override with `--index-url` for other indexes (see [Available Indexes](#available-indexes)).\n\n## Deployment\n\n### Docker Compose\n\n```bash\ndocker compose -f deploy/docker/docker-compose.yml up -d\n```\n\nThe server runs on port 3000 with a 4-hour refresh interval. Edit `deploy/docker/docker-compose.yml` to customize settings.\n\n### Helm\n\n```bash\nhelm install apk-datasource ./charts/apk-datasource\n```\n\nSee [`charts/apk-datasource/`](charts/apk-datasource/) for all configurable values.\n\n## CLI Reference\n\n| Command | Description |\n|---------|-------------|\n| `apk-datasource generate` | Fetch indexes and write JSON files to disk |\n| `apk-datasource serve` | Serve JSON over HTTP with periodic refresh |\n| `apk-datasource version` | Print version info |\n\n### Global Flags\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--log-level` | `info` | Log level (debug, info, warn, error) |\n| `--log-format` | `text` | Log format (text, json) |\n\n### `generate` Flags\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--index-url` | Chainguard Wolfi x86_64 + aarch64 | APKINDEX.tar.gz URL (repeatable) |\n| `--output-dir` | `./output` | Output directory |\n| `--source-url` | *(auto-detect)* | Override source URL |\n| `--homepage` | *(from index)* | Override homepage |\n\n### `serve` Flags\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--index-url` | Chainguard Wolfi x86_64 + aarch64 | APKINDEX.tar.gz URL (repeatable) |\n| `--port` | `3000` | HTTP port |\n| `--refresh-interval` | `4h` | Refresh interval |\n| `--source-url` | *(auto-detect)* | Override source URL |\n| `--homepage` | *(from index)* | Override homepage |\n| `--metrics` | `true` | Enable Prometheus metrics on `/metrics` |\n\n## Metrics\n\nWhen `--metrics` is enabled (the default), the server exposes a Prometheus-compatible `/metrics` endpoint on the same port. Available metrics:\n\n| Metric | Type | Labels | Description |\n|--------|------|--------|-------------|\n| `http_requests_total` | Counter | method, path, status_code | Total HTTP requests |\n| `http_request_duration_seconds` | Histogram | method, path, status_code | Request latency |\n| `refresh_total` | Counter | status | Index refresh attempts |\n| `refresh_duration_seconds` | Histogram | status | Refresh latency |\n| `refresh_packages` | Gauge | — | Package count after last refresh |\n| `server_ready` | Gauge | — | Server readiness (0/1) |\n\nScrape with Prometheus:\n\n```yaml\nscrape_configs:\n  - job_name: apk-datasource\n    static_configs:\n      - targets: [\"localhost:3000\"]\n```\n\nThe Helm chart adds `prometheus.io/*` annotations automatically when `metrics.enabled` is `true`.\n\n## Available Indexes\n\nThe `--index-url` flag accepts any `APKINDEX.tar.gz` URL. Below are the most common public indexes:\n\n### Chainguard Wolfi (default)\n\n| Architecture | URL |\n|--------------|-----|\n| x86_64 | `https://apk.cgr.dev/chainguard/x86_64/APKINDEX.tar.gz` |\n| aarch64 | `https://apk.cgr.dev/chainguard/aarch64/APKINDEX.tar.gz` |\n\n### Alpine Linux\n\nReplace `v3.23` with your target version, or use `edge` for rolling.\n\n| Repository | Architecture | URL |\n|------------|--------------|-----|\n| main | x86_64 | `https://dl-cdn.alpinelinux.org/alpine/v3.23/main/x86_64/APKINDEX.tar.gz` |\n| main | aarch64 | `https://dl-cdn.alpinelinux.org/alpine/v3.23/main/aarch64/APKINDEX.tar.gz` |\n| community | x86_64 | `https://dl-cdn.alpinelinux.org/alpine/v3.23/community/x86_64/APKINDEX.tar.gz` |\n| community | aarch64 | `https://dl-cdn.alpinelinux.org/alpine/v3.23/community/aarch64/APKINDEX.tar.gz` |\n\nAlpine also supports `armv7`, `ppc64le`, `s390x`, and `riscv64` architectures.\n\n**Example — serve Alpine main + community:**\n\n```bash\napk-datasource serve \\\n  --index-url https://dl-cdn.alpinelinux.org/alpine/v3.23/main/x86_64/APKINDEX.tar.gz \\\n  --index-url https://dl-cdn.alpinelinux.org/alpine/v3.23/community/x86_64/APKINDEX.tar.gz\n```\n\n## How It Works\n\n`apk-datasource` fetches `APKINDEX.tar.gz` archives from Wolfi or Alpine repositories, parses the package metadata, and outputs one JSON file per package conforming to Renovate's [custom datasource schema](https://docs.renovatebot.com/modules/datasource/custom/):\n\n```json\n{\n  \"releases\": [\n    { \"version\": \"8.11.1-r0\" }\n  ],\n  \"sourceUrl\": \"https://github.com/wolfi-dev/os\",\n  \"homepage\": \"https://curl.se\"\n}\n```\n\nTwo modes: `generate` writes static JSON files to disk, `serve` runs an HTTP server with periodic refresh.\n\n## Contributing\n\n1. Fork the repo\n2. Create a feature branch\n3. Submit a pull request\n\n## License\n\n[Apache-2.0](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcwaits6%2Fapk-datasource","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcwaits6%2Fapk-datasource","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcwaits6%2Fapk-datasource/lists"}