{"id":24186304,"url":"https://github.com/kanocomputing/kart","last_synced_at":"2025-09-21T10:31:36.805Z","repository":{"id":25243744,"uuid":"102864338","full_name":"KanoComputing/kart","owner":"KanoComputing","description":"Kano Archive and Release Tool","archived":false,"fork":false,"pushed_at":"2022-04-28T20:00:39.000Z","size":175,"stargazers_count":2,"open_issues_count":2,"forks_count":3,"subscribers_count":19,"default_branch":"master","last_synced_at":"2025-07-07T08:51:03.256Z","etag":null,"topics":["dev-tools"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/KanoComputing.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-09-08T13:28:28.000Z","updated_at":"2022-10-12T03:34:48.000Z","dependencies_parsed_at":"2022-07-25T10:17:08.650Z","dependency_job_id":null,"html_url":"https://github.com/KanoComputing/kart","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/KanoComputing/kart","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KanoComputing%2Fkart","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KanoComputing%2Fkart/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KanoComputing%2Fkart/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KanoComputing%2Fkart/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/KanoComputing","download_url":"https://codeload.github.com/KanoComputing/kart/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/KanoComputing%2Fkart/sbom","scorecard":{"id":77013,"data":{"date":"2025-08-11","repo":{"name":"github.com/KanoComputing/kart","commit":"a9b82d4995ae1e2fb33de64d324956b594991af8"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":1.7,"checks":[{"name":"Code-Review","score":3,"reason":"Found 6/20 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and 
uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":0,"reason":"license file not detected","details":["Warn: project does not have a license file"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer 
integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 17 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"60 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-6chw-6frg-f759","Warn: Project is vulnerable to: GHSA-v88g-cgmw-v5xw","Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw","Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25","Warn: Project is vulnerable to: GHSA-rrc9-gqf8-8rwg","Warn: Project is vulnerable to: GHSA-pp7h-53gx-mx7r","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-c6rq-rjc2-86v2","Warn: Project is vulnerable to: GHSA-6cpc-mj5c-m9rq","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c","Warn: Project is 
vulnerable to: GHSA-ff7x-qrg7-qggm","Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97","Warn: Project is vulnerable to: GHSA-q42p-pg8m-cqh6","Warn: Project is vulnerable to: GHSA-w457-6q6x-cgp9","Warn: Project is vulnerable to: GHSA-62gr-4qp9-h98f","Warn: Project is vulnerable to: GHSA-f52g-6jhx-586p","Warn: Project is vulnerable to: GHSA-2cf5-4w76-r9qv","Warn: Project is vulnerable to: GHSA-3cqr-58rm-57f8","Warn: Project is vulnerable to: GHSA-g9r4-xpmj-mj65","Warn: Project is vulnerable to: GHSA-q2c6-c6pm-g3gh","Warn: Project is vulnerable to: GHSA-765h-qjxv-5f44","Warn: Project is vulnerable to: GHSA-f2jv-r9rf-7988","Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj","Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37","Warn: Project is vulnerable to: GHSA-2pr6-76vf-7546","Warn: Project is vulnerable to: GHSA-8j8c-7jfh-h6hx","Warn: Project is vulnerable to: GHSA-4xc9-xhrj-v574","Warn: Project is vulnerable to: GHSA-x5rq-j2xg-h7qm","Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695","Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw","Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9","Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm","Warn: Project is vulnerable to: GHSA-wx77-rp39-c6vg","Warn: Project is vulnerable to: GHSA-9cw2-jqp5-7x39","Warn: Project is vulnerable to: GHSA-cfjh-p3g4-3q2f","Warn: Project is vulnerable to: GHSA-hjcp-j389-59ff","Warn: Project is vulnerable to: GHSA-vfvf-mqq8-rwqc","Warn: Project is vulnerable to: GHSA-7px7-7xjx-hxm8","Warn: Project is vulnerable to: GHSA-x5pg-88wf-qq4p","Warn: Project is vulnerable to: GHSA-p9wx-2529-fp83","Warn: Project is vulnerable to: GHSA-5v2h-r2cx-5xgj","Warn: Project is vulnerable to: GHSA-rrrm-qjm4-v8hf","Warn: Project is vulnerable to: GHSA-4xcv-9jjx-gfj3","Warn: Project is vulnerable to: GHSA-hxm2-r34f-qmc5","Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3","Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m","Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h","Warn: Project is 
vulnerable to: GHSA-hj48-42vr-x3v9","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-4rq4-32rv-6wp6","Warn: Project is vulnerable to: GHSA-64g7-mvw6-v9qj","Warn: Project is vulnerable to: GHSA-mxhp-79qh-mcx6","Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx","Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v","Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6","Warn: Project is vulnerable to: GHSA-cf4h-3jhx-xvhq","Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc","Warn: Project is vulnerable to: GHSA-c4w7-xm78-47vh","Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-15T05:05:42.565Z","repository_id":25243744,"created_at":"2025-08-15T05:05:42.565Z","updated_at":"2025-08-15T05:05:42.565Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":276228989,"owners_count":25606937,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-21T02:00:07.055Z","response_time":72,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dev-tools"],"created_at":"2025-01-13T12:35:02.834Z","updated_at":"2025-09-21T10:31:36.513Z","avatar_url":"https://github.com/KanoComputing.png","language":"JavaScrip
t","funding_links":[],"categories":[],"sub_categories":[],"readme":"# kart — Kano Archive and Release Tool\n\n[![Build Status](https://travis-ci.org/KanoComputing/kart.svg?branch=master)](https://travis-ci.org/KanoComputing/kart)\n\nKart is a library and CLI tool to help managing releases. It has two main usecases:\n\n * Archiving builds per project and stability channel\n * Releasing builds from the archive\n\n It uses AWS S3 as a storage provider for the archive. The release process has been\n designed in a modular way to allow for a wide range of deploy methods to be supported\n in the future. The only one implemented right now is, again, S3.\n\nKart stores all the builds and part of its configuration in a **root bucket** that\nyou'll need to setup on your system before using it.\n\n\n## Installation\n\nKart is hosted on [npm](https://www.npmjs.com/package/kart). Run the following command to install it\n\n    npm i -g kart\n\n\n## Configuration\n\nThis section explains what you need to do before you can start using kart.\n\n### Local\n\nBy default, kart will look for a configuration file in your home directory:\n\n```\n~/.kartrc\n```\n\nOn the inside it's a JSON file with the following structure:\n\n```json\n{\n    \"rootBucket\": {\n        \"name\": \"\u003c\u003cyour-root-S3-bucket-name-here\u003e\u003e\",\n        \"config\": \"kart-projects.json\"\n    },\n    \"awsKey\": \"...\",\n    \"awsSecret\": \"...\"\n}\n```\n\nOnly `rootBucket.name` is mandatory. You can use `rootBucket.config` to override where kart\nwill be looking for the remote config inside your root bucket. You can also provide AWS\ncredentials as the example above shows. 
If omitted, kart will use your\n[system AWS settings](http://docs.aws.amazon.com/cli/latest/userguide/cli-config-files.html)\nby default.\n\n### Remote\n\n_You only need to do this if you're setting up a new archive from scratch._\n\nAs most of kart's configuration is central to a particular archive, it makes sense\nto store it remotely rather than keep local copies on clients. For that, you'll\nneed to create an S3 bucket on AWS first. The kart configuration will live in a\n`kart-projects.json` file stored at the root of the bucket (configurable via\nthe `rootBucket.config` option described above). The file looks something like this:\n\n```json\n{\n    \"motd\": [\n        \"An optional message of the day that will be shown\",\n        \"to users working with this archive.\",\n        \"\",\n        \"Can span multiple lines like so!\"\n    ],\n    \"projects\": {\n        \"example-project\": {\n            \"github\": \"username/project\",\n            \"channels\": {\n                \"staging\": {\n                    \"deploy\": {\n                      \"method\": \"s3\",\n                      \"bucket\": \"example-staging-target\"\n                    },\n                    \"url\": \"https://where-is-this-served.url\"\n                },\n                \"production\": {\n                    \"deploy\": {\n                      \"method\": \"s3\",\n                      \"bucket\": \"example-production-target\"\n                    }\n                }\n            }\n        }\n    }\n}\n```\n\nYou can have as many projects and channels per project as you like. S3 is the only\navailable deploy method at the moment.\n\n## Working with the UI\n\nThe `kart` npm package ships with an eponymous binary that lets you easily archive\nand release builds from the terminal. 
When in doubt, use\n\n    kart [\u003ccommand\u003e] --help\n\nto print the usage of the command.\n\n### Releasing builds\n\nTo release an existing build of a project to one of the target channels type\n\n    kart release\n\nA simple interface will pop up and kart will walk you through the process. You\nselect a project, target stream and build you want to release, and kart\nwill deploy it.\n\n![kart release](https://i.imgur.com/bjNSzUx.png)\n\nYou can use the `status` command to verify that everything went well.\n\n    kart status\n\n### Archiving builds\n\nYou shouldn't need to be archiving builds by hand, but when used in Jenkins\nintegrations the `archive` command can be useful.\n\n    kart archive\n\nUnlike the two commands above, `archive` isn't interactive. You need to specify\neverything upfront via options. Run\n\n    kart archive --help\n\nto get the full list. Basically, you need to provide\n\n * A folder with the build\n * Project name\n * Version\n * Git revision\n * (optionally) Target architecture\n\nKart will then `tar` and `gzip` the folder and upload it to the archive with\nthe correct naming and metadata conventions.\n\nIf you're building an npm project from a git repository, you can use the\n`--from-repo` option which will try to autodetect project name and version\nfrom the `package.json` file and take the revision from `git rev-parse HEAD`.\n\nYou can also use the `--release` option which will archive the build and\nrelease it at the same time, saving you a step in your scripts.\n\nThe `archive` command prints a public URL where the build can be downloaded.\n\n## Working with the library\n\nYou can use kart from gulp files or any other node-based scripts as follows:\n\n```js\nvar kart = require('kart');\n\nkart.configure()\n    .then(() =\u003e {\n        return kart.archive.store(\n            './www',            // Build directory\n            'example-project',  // Project name\n            'staging',          // Channel\n            
'1.0.0',            // Version\n            null,               // Optional build number\n            null,               // Optional arch (defaults to 'all')\n            {   // metadata\n                revision: '371952bccbf69b7529faf2da6d7539db8f8152cb'\n            }\n        );\n    })\n    .then((build) =\u003e {\n        return kart.release(build);\n    })\n    .catch((err) =\u003e {\n        console.log(err);\n    });\n```\n\n## Deploy Methods\n\nA list of supported methods of releasing your builds. These can be configured\nper channel in your archive's `kart-projects.json` file.\n\n### S3\n\n```json\n    {\n        \"method\": \"s3\",\n        \"bucket\": \"target-bucket\",\n        \"algorithm\": \"clear|overwrite|sync\"\n    }\n```\n\nThis method only has one option: the target bucket where your files should be\nunpacked. They will be uploaded directly to the root of the bucket with the\n`public-read` ACL, so every deployed file is publicly readable. At the moment, kart expects the bucket to be hosted under\nthe same account as your root bucket is.\n\n#### Upload algorithms\n\nOptionally, you can change the way kart uploads the file into the bucket by\nsetting the `algorithm` option to one of the following\n\n* **clear** (_default behaviour_): Empty the target bucket and upload the new build into it.\n* **overwrite**: Upload the new build into the bucket without removing everything first.\n* **sync**: Use `aws s3 sync` to deploy into the bucket.\n\n### S3 Copy\n\n```json\n    {\n        \"method\": \"s3-copy\",\n        \"track\": \"internal\",\n        \"namePattern\": \":project_:version-:number_:arch.:ext\"\n    }\n```\n\nThis method copies an archive to a release track. 
A release track is located in the same directory as an archive.\nThis method will not download and extract your archive; it will copy the S3 object across.\n\n#### Naming\n\nOptionally, you can change the naming of the released file using the `namePattern` option.\n\nThis option will receive the following properties from the archive:\n```\nproject\nchannel\nversion\nnumber\narch\next\n```\nAnd replace the keys in your name pattern\n\n## TODO\n\n * Additional deploy-methods\n * Builds cleanup via the kart binary\n * UI for remote configuration management via the kart binary\n   * Adding/removing projects\n * UI for listing and downloading builds\n * Make a Github release when pushing to certain channels\n\n## Licence\n\nCopyright (c) 2017 Kano Computing Limited\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkanocomputing%2Fkart","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkanocomputing%2Fkart","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkanocomputing%2Fkart/lists"}