Reference

Adapters

The adapter families ota can use to provision runtimes and tools.

referenceautomation buildersintermediatestable2026-05-30

When to use this page

Use this page when you want to know which adapter families ota can use for provisioning and why the split matters.

Keep installer adapters separate from source adapters so policy and execution stay easy to reason about.

Supported today

Shipped set

These are the built-in mutating provisioning adapters ota can actually use today.

Runtime-oriented adapters

sdkman and uv are the runtime-oriented adapters in the shipped set.

Policy rule

Policy should use these shipped adapters when it wants ota to provision.

Built-in provisioning adapterstext
miseasdfsdkmanuvwingetchocoscoopbrewaptdnfpacman

Installer adapters

Installer adapters install or select a declared runtime or tool.

Use them when ota should install or select the toolchain itself and make progress in the repo.

Source adapters

Source adapters tell ota where the installer should fetch from.

That can be an internal mirror, private registry, approved vendor source, artifact cache, offline bundle, or enterprise package proxy.

Platform-specific provisioning

Use platforms when the same runtime or tool should resolve to different sources on macOS, Linux, and Windows.

The root rule acts as the default, and the platform rule overrides it when the current OS matches.

  • macOS uses the explicit platforms.macos rule.
  • Linux uses the apt override.
  • Windows uses the choco override.
  • One contract stays in policy while the source changes by OS.
platform-policy.yamlyaml
policies:  provisioning:    node:      source: brew      approved_versions:        - "22"      platforms:        macos:          source: brew          approved_versions:            - "22"        linux:          source: apt          source_config:            sources_list:              - deb http://mirror.local/debian bookworm main          approved_versions:            - "22"        windows:          source: choco          source_config:            feed: internal-choco          approved_versions:            - "22"

macOS and Linux split

Use one policy when macOS still uses brew, Linux uses apt, and Java stays on sdkman in both places.

This is the shape to copy when a repo must stay host-friendly on macOS but container-friendly on Linux.

  • macOS keeps brew for the repo tools.
  • Linux/container targets use apt for the repo tools, and doctor --mode container now checks whether supported package-manager pins such as apt, brew, dnf, and pacman are actually installable in the selected image.
  • Windows uses choco for the same repo tools, including java, when the org wants a Windows-native source-manager path.
  • Bootstrap stays explicit so the adapter source is visible and reviewable.
example-policy.yamlyaml
policies:  adapter_bootstrap:    brew:      source: brew-bootstrap      approved_versions:        - "4.4"    choco:      source: choco-bootstrap      approved_versions:        - "2.0.0"    sdkman:      source: sdkman-bootstrap      approved_versions:        - "1.0"  native_packages:    apt:      approved:        - build-essential        - libpq-dev    brew:      approved:        - pkg-config  provisioning:    curl:      source: brew      approved_versions:        - "8.7.1"      platforms:        macos:          source: brew          approved_versions:            - "8.7.1"        linux:          source: apt          approved_versions:            - "8.7.1"        windows:          source: choco          approved_versions:            - "8.7.1"    jq:      source: brew      approved_versions:        - "1.7.1"      platforms:        macos:          source: brew          approved_versions:            - "1.7.1"        linux:          source: apt          approved_versions:            - "1.7.1"        windows:          source: choco          approved_versions:            - "1.7.1"    java:      source: sdkman      approved_versions:        - "21"      platforms:        macos:          source: sdkman          approved_versions:            - "21"        linux:          source: sdkman          approved_versions:            - "21"        windows:          source: choco          approved_versions:            - "21"    maven:      source: brew      approved_versions:        - "3.9.9"      platforms:        macos:          source: brew          approved_versions:            - "3.9.9"        linux:          source: apt          approved_versions:            - "3.9.9"        windows:          source: choco          approved_versions:            - "3.9.9"    node:      source: brew      approved_versions:        - "22"      platforms:        macos:          source: brew          approved_versions:            - "22"        linux:          source: apt          approved_versions:            - "22"        windows:          source: choco          approved_versions:            - "22"    yq:      source: brew      approved_versions:        - "4.52.5"      platforms:        macos:          source: brew          approved_versions:            - "4.52.5"        linux:          source: apt          approved_versions:            - "4.52.5"        windows:          source: choco          approved_versions:            - "4.52.5"

Custom source configuration

Use the adapter-specific source_config key that matches the package manager. That keeps approved taps, buckets, feeds, and mirrors visible in policy instead of hiding them in scripts.

The adapter family stays the same. Only the source details change.

Chocolatey feed

Use source_config.feed when Chocolatey should point at an approved internal feed or mirror.

This keeps Windows package policy visible and reviewable.

org-policy-choco.yamlyaml
policies:  provisioning:    node:      source: choco      source_config:        feed: internal-choco      approved_versions:        - "22"

Winget source

Use source_config.source_name when an approved Windows source should back installs.

The installed package still comes from the shipped winget adapter.

org-policy-winget.yamlyaml
policies:  provisioning:    dotnet:      source: winget      source_config:        source_name: internal-winget      approved_versions:        - "8.0.4"

Scoop bucket

Use source_config.bucket_name and bucket_url when an approved Scoop bucket should back installs.

That keeps the bucket choice reviewable in policy.

org-policy-scoop.yamlyaml
policies:  provisioning:    git:      source: scoop      source_config:        bucket_name: internal-scoop        bucket_url: https://mirror.local/scoop      approved_versions:        - "2.46.0"

apt mirror

Use source_config.sources_list when you need approved Debian or Ubuntu deb entries.

The mirror stays visible in policy instead of hiding in a script.

org-policy-apt.yamlyaml
policies:  provisioning:    curl:      source: apt      source_config:        sources_list:          - deb http://mirror.local/debian bookworm main      approved_versions:        - "8.7.1"

dnf mirror

Use source_config.baseurl and repo_id when you want an approved Fedora or RHEL mirror.

The temporary repo label stays reviewable in policy.

org-policy-dnf.yamlyaml
policies:  provisioning:    git:      source: dnf      source_config:        repo_id: internal-fedora        baseurl: https://mirror.local/fedora/40/x86_64      approved_versions:        - "2.46.0"

Homebrew tap

Use source_config.tap_name and tap_url when an approved Homebrew tap should back installs.

That keeps the tap visible in policy instead of hardcoding it in a script.

org-policy-brew.yamlyaml
policies:  provisioning:    git:      source: brew      source_config:        tap_name: internal/homebrew        tap_url: https://mirror.local/homebrew      approved_versions:        - "2.46.0"

Sample policy

Use a policy block when you want ota to know which source is approved for a runtime or tool.

org-policy.yamlyaml
policies:  provisioning:    node:      source: pacman      approved_versions:        - "22"    git:      source: brew      approved_versions:        - "2.46.0"

What it is not

  • not a general package manager list
  • not a promise that every source adapter is shipped today
  • not a hidden workstation manager
  • not a replacement for repo contracts, env policy, or checks