Skip to content

Withdraw packages

Withdraw packages #113

name: Withdraw packages
on:
workflow_dispatch:
# Don't withdraw during builds, to prevent out of sync signatures.
concurrency: build
jobs:
withdraw:
name: Withdraw packages
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
fetch-depth: 0 # We want the full history for uploading withdrawn-packages.txt to GCS. If this takes too long, we look at merging both files.
- name: "Install wolfictl onto PATH"
uses: wolfi-dev/actions/install-wolfictl@main
# This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf
- uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1
id: auth
with:
workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
service_account: "[email protected]"
- uses: google-github-actions/setup-gcloud@5a5f7b85fca43e76e53463acaa9d408a03c98d3a # v2.0.1
with:
project_id: "chainguard-github-secrets"
- uses: 'google-github-actions/get-secretmanager-secrets@ae0d4054c32840e2ced71207a9df55161ae3debc' # v2.0.0
id: secrets
with:
secrets: |-
token:chainguard-github-secrets/wolfi-dev-signing-key
- run: echo "${{ steps.secrets.outputs.token }}" > ./wolfi-signing.rsa
- run: |
sudo mkdir -p /etc/apk/keys
sudo cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub
- name: Withdraw from index
run: |
set -euo pipefail
for arch in x86_64 aarch64; do
mkdir -p $arch
curl https://packages.wolfi.dev/os/$arch/APKINDEX.tar.gz | wolfictl withdraw $(grep -v '\#' withdrawn-packages.txt) --signing-key="${{ github.workspace }}/wolfi-signing.rsa" > $arch/APKINDEX.tar.gz
done
# We use a different GSA for our interaction with GCS.
- uses: google-github-actions/auth@f6de81663f7788d05bd15bcce18f0e57f23f0846 # v2.0.1
with:
workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
service_account: "[email protected]"
- uses: google-github-actions/setup-gcloud@5a5f7b85fca43e76e53463acaa9d408a03c98d3a # v2.0.1
with:
project_id: "prod-images-c6e5"
- name: Delete withdrawn packages
run: |
set -euo pipefail
for arch in x86_64 aarch64; do
for pkg in $(grep -v '\#' withdrawn-packages.txt); do
echo "=> $pkg"
gsutil -m rm -f gs://wolfi-production-registry-destination/os/$arch/$pkg || true
done
done
- name: Upload modified index
run: |
set -euxo pipefail
for arch in x86_64 aarch64; do
gsutil -h "Cache-Control:no-store" cp $arch/APKINDEX.tar.gz gs://wolfi-production-registry-destination/os/$arch/APKINDEX.tar.gz || true
done
- name: Upload full withdrawn packages list
run: |
set -euxo pipefail
git log -p -- withdrawn-packages.txt | grep "^+" | grep ".apk$" | cut -c2- | sort | uniq > all-withdrawn-packages.txt
gsutil cp \
all-withdrawn-packages.txt \
gs://wolfi-production-registry-destination/os/withdrawn-packages.txt
- uses: rtCamp/[email protected]
if: failure()
env:
SLACK_ICON: http://github.com/chainguard-dev.png?size=48
SLACK_USERNAME: guardian
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
SLACK_CHANNEL: chainguard-images-alerts
SLACK_COLOR: '#8E1600'
MSG_MINIMAL: 'true'
SLACK_TITLE: '[withdraw-packages] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}'
SLACK_MESSAGE: |
https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}