diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index f8db4694128..37a3073fb07 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -351,92 +351,92 @@ jobs: "./packages/${arch}/APKINDEX.json" "gs://wolfi-production-registry-destination/os/${arch}/" done - upload-packages-to-cgr: - runs-on: ubuntu-latest - needs: build - - # Always run this job for https://github.com/wolfi-dev/os/issues/8698 - if: ${{ always() }} - - permissions: - id-token: write - contents: read - - steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. - git config --global --add safe.directory "$(pwd)" - - - name: 'Download x86_64 package archives' - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: /tmp/artifacts/ - name: packages-x86_64 - - - name: 'Download aarch64 package archives' - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: /tmp/artifacts/ - name: packages-aarch64 - - - name: 'Unpack the package archives' - run: | - for arch in "aarch64" "x86_64"; do - mkdir -p ./packages/${arch} - - # Consolidate with the built artifacts - tar xvf /tmp/artifacts/packages-${arch}.tar.gz - done - - # use public chainguard provider. - - uses: chainguard-dev/setup-chainctl@fc62b08dfd3179dd694b50f672bc371f878fbd1e # v0.2.1 - with: - # Managed here: - # https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/wolfi-os-pusher.tf - identity: "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31" - - - name: 'Upload packages to apk.cgr.dev' - run: | - set -ex - # Populate the token here, since chainctl auth token - # doesn't support all of the options we need. 
- chainctl auth login --audience apk.cgr.dev \ - --identity "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31" - tok=$(chainctl auth token --audience apk.cgr.dev) - echo "::add-mask::${tok}" - - for arch in "aarch64" "x86_64"; do - # Only attempt to upload when *.apk's exist - apks=$(ls ./packages/${arch}/*.apk 2>/dev/null || true) - if [ -n "$apks" ]; then - for apk in ${apks}; do - package="$(basename ${apk})" - - # Check if package already exists in apk.cgr.dev - code=$(curl -s -o /dev/null --head -w "%{http_code}" --user "user:${tok}" "https://apk.cgr.dev/chainguard/${arch}/${package}") - if [ $code == "303" ]; then - echo "Package already exists: ${package}" - continue - elif [ $code != "404" ]; then - echo "Unexpected response code: $code" - exit 1 - fi - - curl --fail -X POST \ - --user "user:${tok}" \ - --data-binary "@${apk}" \ - "https://apk.cgr.dev/chainguard/${arch}/${package}" - done - fi - done + # upload-packages-to-cgr: + # runs-on: ubuntu-latest + # needs: build + + # # Always run this job for https://github.com/wolfi-dev/os/issues/8698 + # if: ${{ always() }} + + # permissions: + # id-token: write + # contents: read + + # steps: + # - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + # with: + # egress-policy: audit + + # - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + # - name: 'Trust the github workspace' + # run: | + # # This is to avoid fatal errors about "dubious ownership" because we are + # # running inside of a container action with the workspace mounted in. 
+ # git config --global --add safe.directory "$(pwd)" + + # - name: 'Download x86_64 package archives' + # uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + # with: + # path: /tmp/artifacts/ + # name: packages-x86_64 + + # - name: 'Download aarch64 package archives' + # uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + # with: + # path: /tmp/artifacts/ + # name: packages-aarch64 + + # - name: 'Unpack the package archives' + # run: | + # for arch in "aarch64" "x86_64"; do + # mkdir -p ./packages/${arch} + + # # Consolidate with the built artifacts + # tar xvf /tmp/artifacts/packages-${arch}.tar.gz + # done + + # # use public chainguard provider. + # - uses: chainguard-dev/setup-chainctl@fc62b08dfd3179dd694b50f672bc371f878fbd1e # v0.2.1 + # with: + # # Managed here: + # # https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/wolfi-os-pusher.tf + # identity: "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31" + + # - name: 'Upload packages to apk.cgr.dev' + # run: | + # set -ex + # # Populate the token here, since chainctl auth token + # # doesn't support all of the options we need. 
+ # chainctl auth login --audience apk.cgr.dev \ + # --identity "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31" + # tok=$(chainctl auth token --audience apk.cgr.dev) + # echo "::add-mask::${tok}" + + # for arch in "aarch64" "x86_64"; do + # # Only attempt to upload when *.apk's exist + # apks=$(ls ./packages/${arch}/*.apk 2>/dev/null || true) + # if [ -n "$apks" ]; then + # for apk in ${apks}; do + # package="$(basename ${apk})" + + # # Check if package already exists in apk.cgr.dev + # code=$(curl -s -o /dev/null --head -w "%{http_code}" --user "user:${tok}" "https://apk.cgr.dev/chainguard/${arch}/${package}") + # if [ $code == "303" ]; then + # echo "Package already exists: ${package}" + # continue + # elif [ $code != "404" ]; then + # echo "Unexpected response code: $code" + # exit 1 + # fi + + # curl --fail -X POST \ + # --user "user:${tok}" \ + # --data-binary "@${apk}" \ + # "https://apk.cgr.dev/chainguard/${arch}/${package}" + # done + # fi + # done postrun: name: Notify Slack
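Review bot: Disabling `upload-packages-to-cgr` by commenting out the whole job leaves no in-file statement of why it is off or what must be true before it comes back; the only rationale still visible is the old `# Always run this job for https://github.com/wolfi-dev/os/issues/8698` line, which now reads as a comment inside a comment. I would add one line above the block, e.g. `# upload-packages-to-cgr is temporarily disabled; re-enable once the apk.cgr.dev upload path is confirmed working`, or keep the job live with `if: false` so it stays parseable and lintable. Commented-out action pins (`harden-runner` v2.8.1, `checkout` v4.1.7, `download-artifact` v4.1.8, `setup-chainctl` v0.2.1) are typically invisible to Dependabot/Renovate, so when this block is restored those SHAs should be re-reviewed rather than uncommented as-is. The `postrun` job that begins at the end of this hunk continues outside it; if its `needs` list still names `upload-packages-to-cgr`, the workflow will fail validation once the job is gone, which is worth confirming.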