.github/workflows/withdraw-packages.yaml

name: Withdraw packages

on:
  workflow_dispatch:

# Don't withdraw during builds, to prevent out of sync signatures.
concurrency: build

permissions:
  contents: read

jobs:
  withdraw:
    name: Withdraw packages
    runs-on: ubuntu-latest

    permissions:
      id-token: write
      contents: read

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
        with:
          egress-policy: audit

      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0 # We want the full history for uploading withdrawn-packages.txt to GCS. If this takes too long, we look at merging both files.

      # this need to point to main to always get the latest action
      - name: "Install wolfictl onto PATH"
        uses: wolfi-dev/actions/install-wolfictl@main # main

      # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf
      - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
        id: auth
        with:
          workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
          service_account: "wolfi-dev@chainguard-github-secrets.iam.gserviceaccount.com"

      - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
        with:
          project_id: "chainguard-github-secrets"

      - uses: 'google-github-actions/get-secretmanager-secrets@dc4a1392bad0fd60aee00bb2097e30ef07a1caae' # v2.1.3
        id: secrets
        with:
          secrets: |-
            token:chainguard-github-secrets/wolfi-dev-signing-key

      - run: echo "${{ steps.secrets.outputs.token }}" > ./wolfi-signing.rsa
      - run: |
          sudo mkdir -p /etc/apk/keys
          sudo cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub

      - name: Withdraw from index
        run: |
          set -euo pipefail
          for arch in x86_64 aarch64; do
            mkdir -p $arch
            curl https://packages.wolfi.dev/os/$arch/APKINDEX.tar.gz | wolfictl withdraw $(grep -v '\#' withdrawn-packages.txt) --signing-key="${{ github.workspace }}/wolfi-signing.rsa" > $arch/APKINDEX.tar.gz
          done

      # We use a different GSA for our interaction with GCS.
      - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
        with:
          workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
          service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com"

      - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
        with:
          project_id: "prod-images-c6e5"

      - name: Delete withdrawn packages
        run: |
          set -euo pipefail
          for arch in x86_64 aarch64; do
            for pkg in $(grep -v '\#' withdrawn-packages.txt); do
              echo "=> $pkg"
              gsutil -m rm -f gs://wolfi-production-registry-destination/os/$arch/$pkg || true
            done
          done

      - name: Upload modified index
        run: |
          set -euxo pipefail
          for arch in x86_64 aarch64; do
            gsutil -h "Cache-Control:no-store" cp $arch/APKINDEX.tar.gz gs://wolfi-production-registry-destination/os/$arch/APKINDEX.tar.gz || true
          done

      - name: Upload full withdrawn packages list
        run: |
          set -euxo pipefail
          git log -p -- withdrawn-packages.txt | grep "^+" | grep ".apk$" | cut -c2- | sort | uniq > all-withdrawn-packages.txt
          gsutil cp \
            all-withdrawn-packages.txt \
            gs://wolfi-production-registry-destination/os/withdrawn-packages.txt

      - name: Delete sbom packages from the lifecycle automation
        run: |
          set -euo pipefail
          for arch in x86_64 aarch64; do
            for pkg in $(grep -v '\#' withdrawn-packages.txt); do
              echo "=> $pkg"
              gsutil -m rm -f gs://insights-apk-sbom-prod/wolfi-production-registry-destination/os/$arch/$pkg.sbom.json || true
            done
          done

      - uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # v2.2.1
        if: failure()
        env:
          SLACK_ICON: http://github.com/chainguard-dev.png?size=48
          SLACK_USERNAME: guardian
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
          SLACK_CHANNEL: chainguard-images-alerts
          SLACK_COLOR: '#8E1600'
          MSG_MINIMAL: 'true'
          SLACK_TITLE: '[withdraw-packages] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}'
          SLACK_MESSAGE: |
            https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}