Withdraw packages #175
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Withdraw packages | |
on: | |
workflow_dispatch: | |
# Don't withdraw during builds, to prevent out of sync signatures. | |
concurrency: build | |
permissions: | |
contents: read | |
jobs: | |
withdraw: | |
name: Withdraw packages | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
fetch-depth: 0 # We want the full history for uploading withdrawn-packages.txt to GCS. If this takes too long, we look at merging both files. | |
# this need to point to main to always get the latest action | |
- name: "Install wolfictl onto PATH" | |
uses: wolfi-dev/actions/install-wolfictl@main # main | |
# This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf | |
- uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 | |
id: auth | |
with: | |
workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider" | |
service_account: "[email protected]" | |
- uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2 | |
with: | |
project_id: "chainguard-github-secrets" | |
- uses: 'google-github-actions/get-secretmanager-secrets@e5bb06c2ca53b244f978d33348d18317a7f263ce' # v2.2.2 | |
id: secrets | |
with: | |
secrets: |- | |
token:chainguard-github-secrets/wolfi-dev-signing-key | |
- run: echo "${{ steps.secrets.outputs.token }}" > ./wolfi-signing.rsa | |
- run: | | |
sudo mkdir -p /etc/apk/keys | |
sudo cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub | |
# We use a different GSA for our interaction with GCS. | |
- uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 | |
with: | |
workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" | |
service_account: "[email protected]" | |
- uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2 | |
with: | |
project_id: "prod-images-c6e5" | |
- name: Withdraw from index | |
run: | | |
set -euo pipefail | |
for arch in x86_64 aarch64; do | |
mkdir -p $arch | |
curl -v https://packages.wolfi.dev/os/$arch/APKINDEX.tar.gz 2>verbose | wolfictl withdraw $(grep -v '\#' withdrawn-packages.txt) --signing-key="${{ github.workspace }}/wolfi-signing.rsa" > $arch/APKINDEX.tar.gz | |
# Parse the object generation from the -v output. | |
GEN=$(grep "x-goog-generation" verbose | cut -d' ' -f3) | |
echo "APKINDEX.tar.gz object generation for ${arch} was ${GEN}" | |
# This will fail if the APKINDEX is modified between when we download it and when we upload the modified version. | |
# That's totally fine, just re-run the withdrawl workflow. | |
# This is a bit of a hack until we drop this APKINDEX entirely. | |
gcloud storage cp --if-generation-match="${GEN}" --cache-control="no-store" $arch/APKINDEX.tar.gz gs://wolfi-production-registry-destination/os/$arch/APKINDEX.tar.gz | |
done | |
- name: Delete withdrawn packages | |
run: | | |
set -euo pipefail | |
for arch in x86_64 aarch64; do | |
for pkg in $(grep -v '\#' withdrawn-packages.txt); do | |
echo "=> $pkg" | |
gsutil -m rm -f gs://wolfi-production-registry-destination/os/$arch/$pkg || true | |
done | |
done | |
- name: Upload full withdrawn packages list | |
run: | | |
set -euxo pipefail | |
git log -p -- withdrawn-packages.txt | grep "^+" | grep ".apk$" | cut -c2- | sort | uniq > all-withdrawn-packages.txt | |
gsutil cp \ | |
all-withdrawn-packages.txt \ | |
gs://wolfi-production-registry-destination/os/withdrawn-packages.txt | |
- name: Delete sbom packages from the lifecycle automation | |
run: | | |
set -euo pipefail | |
for arch in x86_64 aarch64; do | |
for pkg in $(grep -v '\#' withdrawn-packages.txt); do | |
echo "=> $pkg" | |
gsutil -m rm -f gs://insights-apk-sbom-prod/wolfi-production-registry-destination/os/$arch/$pkg.sbom.json || true | |
done | |
done | |
# use public chainguard provider. | |
- uses: chainguard-dev/setup-chainctl@8d93dcbef466d3cf3533f67084f52eb74ef9d262 # v0.2.4 | |
with: | |
# Managed here: | |
# https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/wolfi-os-pusher.tf | |
identity: "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31" | |
- name: 'Withdraw packages from apk.cgr.dev' | |
run: | | |
set -e | |
# Populate the token here, since chainctl auth token | |
# doesn't support all of the options we need. | |
chainctl auth login --audience apk.cgr.dev \ | |
--identity "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31" | |
echo "::add-mask::$(chainctl auth token --audience apk.cgr.dev)" | |
for arch in "aarch64" "x86_64"; do | |
while IFS= read -r pkg; do | |
curl -X DELETE \ | |
--user "user:$(chainctl auth token --audience apk.cgr.dev)" \ | |
"https://apk.cgr.dev/chainguard/${arch}/${pkg}" || true | |
done < <(grep -v -e '^$' -v '\#' withdrawn-packages.txt | cut -d':' -f2) # Ignore empty lines and comments | |
done | |
- uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 # v2.2.1 | |
if: failure() | |
env: | |
SLACK_ICON: http://github.com/chainguard-dev.png?size=48 | |
SLACK_USERNAME: guardian | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
SLACK_CHANNEL: chainguard-images-alerts | |
SLACK_COLOR: '#8E1600' | |
MSG_MINIMAL: 'true' | |
SLACK_TITLE: '[withdraw-packages] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}' | |
SLACK_MESSAGE: | | |
https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} |