Withdraw packages #155
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Withdraw packages | |
| on: | |
| workflow_dispatch: | |
| # Don't withdraw during builds, to prevent out of sync signatures. | |
| concurrency: build | |
| permissions: | |
| contents: read | |
| jobs: | |
| withdraw: | |
| name: Withdraw packages | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| fetch-depth: 0 # We want the full history for uploading withdrawn-packages.txt to GCS. If this takes too long, we look at merging both files. | |
| # this need to point to main to always get the latest action | |
| - name: "Install wolfictl onto PATH" | |
| uses: wolfi-dev/actions/install-wolfictl@main # main | |
| # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf | |
| - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 | |
| id: auth | |
| with: | |
| workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider" | |
| service_account: "[email protected]" | |
| - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 | |
| with: | |
| project_id: "chainguard-github-secrets" | |
| - uses: 'google-github-actions/get-secretmanager-secrets@95a0b09b8348ef3d02c68c6ba5662a037e78d713' # v2.1.4 | |
| id: secrets | |
| with: | |
| secrets: |- | |
| token:chainguard-github-secrets/wolfi-dev-signing-key | |
| - run: echo "${{ steps.secrets.outputs.token }}" > ./wolfi-signing.rsa | |
| - run: | | |
| sudo mkdir -p /etc/apk/keys | |
| sudo cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub | |
| - name: Withdraw from index | |
| run: | | |
| set -euo pipefail | |
| for arch in x86_64 aarch64; do | |
| mkdir -p $arch | |
| curl https://packages.wolfi.dev/os/$arch/APKINDEX.tar.gz | wolfictl withdraw $(grep -v '\#' withdrawn-packages.txt) --signing-key="${{ github.workspace }}/wolfi-signing.rsa" > $arch/APKINDEX.tar.gz | |
| done | |
| # We use a different GSA for our interaction with GCS. | |
| - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 | |
| with: | |
| workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" | |
| service_account: "[email protected]" | |
| - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 | |
| with: | |
| project_id: "prod-images-c6e5" | |
| - name: Delete withdrawn packages | |
| run: | | |
| set -euo pipefail | |
| for arch in x86_64 aarch64; do | |
| for pkg in $(grep -v '\#' withdrawn-packages.txt); do | |
| echo "=> $pkg" | |
| gsutil -m rm -f gs://wolfi-production-registry-destination/os/$arch/$pkg || true | |
| done | |
| done | |
| - name: Upload modified index | |
| run: | | |
| set -euxo pipefail | |
| for arch in x86_64 aarch64; do | |
| gsutil -h "Cache-Control:no-store" cp $arch/APKINDEX.tar.gz gs://wolfi-production-registry-destination/os/$arch/APKINDEX.tar.gz || true | |
| done | |
| - name: Upload full withdrawn packages list | |
| run: | | |
| set -euxo pipefail | |
| git log -p -- withdrawn-packages.txt | grep "^+" | grep ".apk$" | cut -c2- | sort | uniq > all-withdrawn-packages.txt | |
| gsutil cp \ | |
| all-withdrawn-packages.txt \ | |
| gs://wolfi-production-registry-destination/os/withdrawn-packages.txt | |
| - name: Delete sbom packages from the lifecycle automation | |
| run: | | |
| set -euo pipefail | |
| for arch in x86_64 aarch64; do | |
| for pkg in $(grep -v '\#' withdrawn-packages.txt); do | |
| echo "=> $pkg" | |
| gsutil -m rm -f gs://insights-apk-sbom-prod/wolfi-production-registry-destination/os/$arch/$pkg.sbom.json || true | |
| done | |
| done | |
| # use public chainguard provider. | |
| - uses: chainguard-dev/setup-chainctl@f52718d822dc73d21a04ef2082822c4a203163b3 # v0.2.2 | |
| with: | |
| # Managed here: | |
| # https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/wolfi-os-pusher.tf | |
| identity: "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31" | |
| - name: 'Withdraw packages from apk.cgr.dev' | |
| run: | | |
| set -e | |
| # Populate the token here, since chainctl auth token | |
| # doesn't support all of the options we need. | |
| chainctl auth login --audience apk.cgr.dev \ | |
| --identity "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31" | |
| echo "::add-mask::$(chainctl auth token --audience apk.cgr.dev)" | |
| for arch in "aarch64" "x86_64"; do | |
| while IFS= read -r pkg; do | |
| curl -X DELETE \ | |
| --user "user:$(chainctl auth token --audience apk.cgr.dev)" \ | |
| "https://apk.cgr.dev/chainguard/${arch}/${pkg}" || true | |
| done < <(grep -v -e '^$' -v '\#' withdrawn-packages.txt | cut -d':' -f2) # Ignore empty lines and comments | |
| done | |
| - uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # v2.2.1 | |
| if: failure() | |
| env: | |
| SLACK_ICON: http://github.com/chainguard-dev.png?size=48 | |
| SLACK_USERNAME: guardian | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
| SLACK_CHANNEL: chainguard-images-alerts | |
| SLACK_COLOR: '#8E1600' | |
| MSG_MINIMAL: 'true' | |
| SLACK_TITLE: '[withdraw-packages] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}' | |
| SLACK_MESSAGE: | | |
| https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} |