Bosca / Artifacts

Registries

The protocols your tools already speak

A repository's type decides the protocol it speaks. docker push, gradle publish, npm install, helm repo add — the standard tools work as-is, because the registry implements each one's real protocol rather than a lookalike.

Docker & OCI

A real container registry

Docker repositories implement the OCI distribution API — the same endpoints Docker and every OCI-compatible client already speak.

  • Chunked blob uploads with tracked sessions; content is verified against its declared digest before a blob is accepted.
  • Layers deduplicate — clients check a blob by digest first, and bytes that exist are never stored twice.
  • Manifests resolve by tag or digest, tag lists paginate, and the catalog lists only what you're allowed to see.
  • Tags are mutable pointers to immutable, digest-addressed manifests — re-push latest and only the pointer moves.
library/api · tags
latestsha256:9f86d081…
v1.4.0sha256:9f86d081…
v1.3.2sha256:a1b0c7d4…
two tags, one manifest — stored once

Maven

A repository Gradle understands

Standard Maven layout, real metadata — point a build at the registry and publish or resolve with plain coordinates, no plugins.

  • POMs are parsed on upload — the coordinates inside the POM are what place the artifact, not just the path it was pushed to.
  • maven-metadata.xml is generated — version lists with latest and release, SNAPSHOT-aware.
  • Checksum files (.sha1, .md5, .sha256) accompany every artifact.
  • Beyond jars: sources, javadoc, .aar, Kotlin .klib, Gradle .module metadata, and .asc signatures — Kotlin Multiplatform publishes cleanly.
io/bosca/core
io/bosca/core/6.0.16/
  core-6.0.16.pom
  core-6.0.16.jar
  core-6.0.16.module
  core-6.0.16.jar.sha256
io/bosca/core/
  maven-metadata.xml   ← generated

And four more

npm, Helm, models & files

The same namespaces, permissions, and content-addressed storage behind four more repository types.

npm

  • Scoped and unscoped packages, published straight from npm publish.
  • dist-tags like latest resolve exactly as npm expects; tarballs carry shasums and SRI integrity.
  • A search endpoint that returns only the packages the caller may see.

Helm

  • index.yaml is generated on request from the charts in the namespace.
  • Push a .tgz and its Chart.yaml is parsed into version metadata.
  • helm repo add and helm install work against any namespace.

ML models

  • One versioned model archive per version — push, list, pull, delete.
  • A dedicated service principal with push and pull tokens is provisioned on first boot.
  • Recommendation models are published and served from the registry.

Raw files

  • Any files, versioned — several per version for platform-specific binaries.
  • Push and pull over plain HTTP, each blob addressed by filename.
  • List versions and their files; delete a version when it's done.

Keep exploring

More on Artifacts