Withdraw packages #83
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Withdraw packages | |
| on: | |
| workflow_dispatch: | |
| # Don't withdraw during builds, to prevent out of sync signatures. | |
| concurrency: build | |
| jobs: | |
| build: | |
| name: Withdraw packages | |
| runs-on: ubuntu-16-core | |
| permissions: | |
| id-token: write | |
| packages: write | |
| contents: read | |
| steps: | |
| # In some cases, we runs out of disk space during tests, so this hack frees up approx 10G. | |
| # See the following issue for more info: https://github.com/actions/runner-images/issues/2840#issuecomment-1284059930 | |
| - name: Free up runner disk space | |
| shell: bash | |
| run: | | |
| set -x | |
| sudo rm -rf /usr/share/dotnet | |
| sudo rm -rf "$AGENT_TOOLSDIRECTORY" | |
| - uses: actions/checkout@v4 | |
| - name: "Install wolfictl onto PATH" | |
| run: | | |
| # Copy wolfictl out of the wolfictl image and onto PATH | |
| TMP=$(mktemp -d) | |
| docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:4d0f3a583bbd631ea40bc0f284a5918cf47d50a3f421084212316f4b63ba50be -c "cp /usr/bin/wolfictl /out" | |
| echo "$TMP" >> $GITHUB_PATH | |
| - id: auth | |
| name: 'Authenticate to Google Cloud' | |
| uses: google-github-actions/auth@v0 | |
| with: | |
| workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" | |
| service_account: "[email protected]" | |
| - uses: google-github-actions/setup-gcloud@v0 | |
| with: | |
| project_id: prod-images-c6e5 | |
| - run: echo "${{ secrets.MELANGE_RSA }}" > ./wolfi-signing.rsa | |
| - run: | | |
| sudo mkdir -p /etc/apk/keys | |
| sudo cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub | |
| - name: Withdraw from index | |
| run: | | |
| set -euo pipefail | |
| for arch in x86_64 aarch64; do | |
| mkdir -p $arch | |
| curl https://packages.wolfi.dev/os/$arch/APKINDEX.tar.gz | wolfictl withdraw $(grep -v '\#' withdrawn-packages.txt) --signing-key="${{ github.workspace }}/wolfi-signing.rsa" > $arch/APKINDEX.tar.gz | |
| done | |
| - name: Delete withdrawn packages | |
| run: | | |
| set -euo pipefail | |
| for arch in x86_64 aarch64; do | |
| for pkg in $(grep -v '\#' withdrawn-packages.txt); do | |
| echo "=> $pkg" | |
| gsutil -m rm -f gs://wolfi-production-registry-destination/os/$arch/$pkg || true | |
| done | |
| done | |
| - name: Upload modified index | |
| run: | | |
| set -euxo pipefail | |
| for arch in x86_64 aarch64; do | |
| gsutil cp $arch/APKINDEX.tar.gz gs://wolfi-production-registry-destination/os/$arch/APKINDEX.tar.gz || true | |
| done |