-
Notifications
You must be signed in to change notification settings - Fork 270
147 lines (123 loc) · 6.34 KB
/
withdraw-packages.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
name: Withdraw packages
on:
workflow_dispatch:
# Don't withdraw during builds, to prevent out of sync signatures.
concurrency: build
permissions:
contents: read
jobs:
withdraw:
name: Withdraw packages
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0 # We want the full history for uploading withdrawn-packages.txt to GCS. If this takes too long, we look at merging both files.
# this need to point to main to always get the latest action
- name: "Install wolfictl onto PATH"
uses: wolfi-dev/actions/install-wolfictl@main # main
# This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf
- uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
id: auth
with:
workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
service_account: "[email protected]"
- uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
with:
project_id: "chainguard-github-secrets"
- uses: 'google-github-actions/get-secretmanager-secrets@e5bb06c2ca53b244f978d33348d18317a7f263ce' # v2.2.2
id: secrets
with:
secrets: |-
token:chainguard-github-secrets/wolfi-dev-signing-key
- run: echo "${{ steps.secrets.outputs.token }}" > ./wolfi-signing.rsa
- run: |
sudo mkdir -p /etc/apk/keys
sudo cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub
# We use a different GSA for our interaction with GCS.
- uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
with:
workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
service_account: "[email protected]"
- uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
with:
project_id: "prod-images-c6e5"
- name: Withdraw from index
run: |
set -euo pipefail
for arch in x86_64 aarch64; do
mkdir -p $arch
curl -v https://packages.wolfi.dev/os/$arch/APKINDEX.tar.gz 2>verbose | wolfictl withdraw $(grep -v '\#' withdrawn-packages.txt) --signing-key="${{ github.workspace }}/wolfi-signing.rsa" > $arch/APKINDEX.tar.gz
# Parse the object generation from the -v output.
GEN=$(grep "x-goog-generation" verbose | cut -d' ' -f3)
echo "APKINDEX.tar.gz object generation for ${arch} was ${GEN}"
# This will fail if the APKINDEX is modified between when we download it and when we upload the modified version.
# That's totally fine, just re-run the withdrawl workflow.
# This is a bit of a hack until we drop this APKINDEX entirely.
gcloud storage cp --if-generation-match="${GEN}" --cache-control="no-store" $arch/APKINDEX.tar.gz gs://wolfi-production-registry-destination/os/$arch/APKINDEX.tar.gz
done
- name: Delete withdrawn packages
run: |
set -euo pipefail
for arch in x86_64 aarch64; do
for pkg in $(grep -v '\#' withdrawn-packages.txt); do
echo "=> $pkg"
gsutil -m rm -f gs://wolfi-production-registry-destination/os/$arch/$pkg || true
done
done
- name: Upload full withdrawn packages list
run: |
set -euxo pipefail
git log -p -- withdrawn-packages.txt | grep "^+" | grep ".apk$" | cut -c2- | sort | uniq > all-withdrawn-packages.txt
gsutil cp \
all-withdrawn-packages.txt \
gs://wolfi-production-registry-destination/os/withdrawn-packages.txt
- name: Delete sbom packages from the lifecycle automation
run: |
set -euo pipefail
for arch in x86_64 aarch64; do
for pkg in $(grep -v '\#' withdrawn-packages.txt); do
echo "=> $pkg"
gsutil -m rm -f gs://insights-apk-sbom-prod/wolfi-production-registry-destination/os/$arch/$pkg.sbom.json || true
done
done
# use public chainguard provider.
- uses: chainguard-dev/setup-chainctl@8d93dcbef466d3cf3533f67084f52eb74ef9d262 # v0.2.4
with:
# Managed here:
# https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/wolfi-os-pusher.tf
identity: "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31"
- name: 'Withdraw packages from apk.cgr.dev'
run: |
set -e
# Populate the token here, since chainctl auth token
# doesn't support all of the options we need.
chainctl auth login --audience apk.cgr.dev \
--identity "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31"
echo "::add-mask::$(chainctl auth token --audience apk.cgr.dev)"
for arch in "aarch64" "x86_64"; do
while IFS= read -r pkg; do
curl -X DELETE \
--user "user:$(chainctl auth token --audience apk.cgr.dev)" \
"https://apk.cgr.dev/chainguard/${arch}/${pkg}" || true
done < <(grep -v -e '^$' -v '\#' withdrawn-packages.txt | cut -d':' -f2) # Ignore empty lines and comments
done
- uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 # v2.2.1
if: failure()
env:
SLACK_ICON: http://github.com/chainguard-dev.png?size=48
SLACK_USERNAME: guardian
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
SLACK_CHANNEL: chainguard-images-alerts
SLACK_COLOR: '#8E1600'
MSG_MINIMAL: 'true'
SLACK_TITLE: '[withdraw-packages] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}'
SLACK_MESSAGE: |
https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}