Starlarky
VGS edition of Google's safe and hermetically sealed Starlark language - a non-Turing complete subset of Python 3.
Install / Use
/learn @verygoodsecurity/StarlarkyREADME
Description
Starlarky is VGS in-house edition of Bazel's hermetically-sealed language created by Google called Starlark. This language is used to run "unsafe" user-submitted code without exposing service at whole to possible attack and/or vulnerabilities. Starlark has Python-like syntax and is created to support same structure of additional libraries. Key differences between Starlark and Python can be found here
Project overview
Starlarky is presented as a monorepo with different modules
Libstarlark
Libstarlark is a maven module, that contains Starlark compiler from bazelbuild This module is being periodically updated from bazelbuild via this script to maintain relevancy.
See more at Libstarlarky README
To build run this command:
mvn versions:set -DnewVersion=<your-version> -pl libstarlark (optional)
mvn clean package -pl libstarlark
Larky
Larky is a maven module, that contains VGS additions to Starlark language. Some additions ispired and taken from Copybara
Here are some of them:
- JSR223 script engine
- Annotations to define additional libraries
- Extension modules
To build run this command:
mvn versions:set -DnewVersion=<your-version> -pl larky (optional)
mvn versions:set-property -Dproperty=libstarlark.version -DnewVersion=<larky-version> -pl larky
mvn clean package -pl larky
Runlarky
Runlarky is an example Larky invocation application It builds as a Quarkus executable and gives ability to run Larky with input parameters.
To build run this command:
mvn versions:set -DnewVersion=<your-version> -pl runlarky (optional)
mvn versions:set-property -Dproperty=starlarky.version -DnewVersion=<larky-version> -pl runlarky
mvn clean package -pl runlarky -Pnative
This would build larky-runner executable in runlarky/target directory, that can be run from terminal
Pylarky
Pylarky is pip lib-wrapper for runlarky to make larky calls conveniently from Python.
Building and Running Tests
docker-compose build
docker compose run --rm maven /bin/sh -c "./install_graalvm.sh && ./build-and-test-java.sh"
docker compose run --rm python /bin/sh -c "./build-and-test-python.sh"
Run individual larky stdlib test
mvn -Dtest='StdLibTest*' -Dlarky.stdlib_test=test_bytes.star org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M5:test -pl larky
Developer setup
In addition to having Maven installed, it must be configured to retrieve artifacts from Github.
-
Generate an access token using Github's instructions. The token needs
read:packagesscopes. -
You must enable SSO for verygoodsecurity
-
Place the token in your
~/.m2/settings.xmlfile. For example (look forgithub-usernameandgithub-api-keyto be replaced with your values):
<?xml version='1.0' encoding='us-ascii'?>
<settings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
<localRepository />
<interactiveMode />
<usePluginRegistry />
<offline />
<pluginGroups />
<servers>
<server>
<id>github</id>
<username>github-username</username>
<password>github-api-key</password>
</server>
</servers>
<mirrors />
<proxies />
<profiles />
<activeProfiles />
</settings>
Deployment process
Release-please plugin manages creation of tag&release.
Related Skills
node-connect
345.9kDiagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps
frontend-design
106.4kCreate distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.
openai-whisper-api
345.9kTranscribe audio via OpenAI Audio Transcriptions API (Whisper).
qqbot-media
345.9kQQBot 富媒体收发能力。使用 <qqmedia> 标签,系统根据文件扩展名自动识别类型(图片/语音/视频/文件)。
