Withdraw packages #167

Workflow file for this run

.github/workflows/withdraw-packages.yaml at e707da3

	name: Withdraw packages

	on:
	workflow_dispatch:

	# Don't withdraw during builds, to prevent out of sync signatures.
	concurrency: build

	permissions:
	contents: read

	jobs:
	withdraw:
	name: Withdraw packages
	runs-on: ubuntu-latest

	permissions:
	id-token: write
	contents: read

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
	with:
	egress-policy: audit

	- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
	with:
	fetch-depth: 0 # We want the full history for uploading withdrawn-packages.txt to GCS. If this takes too long, we look at merging both files.

	# this need to point to main to always get the latest action
	- name: "Install wolfictl onto PATH"
	uses: wolfi-dev/actions/install-wolfictl@main # main

	# This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf
	- uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
	id: auth
	with:
	workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
	service_account: "[email protected]"

	- uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
	with:
	project_id: "chainguard-github-secrets"

	- uses: 'google-github-actions/get-secretmanager-secrets@95a0b09b8348ef3d02c68c6ba5662a037e78d713' # v2.1.4
	id: secrets
	with:
	secrets: \|-
	token:chainguard-github-secrets/wolfi-dev-signing-key

	- run: echo "${{ steps.secrets.outputs.token }}" > ./wolfi-signing.rsa
	- run: \|
	sudo mkdir -p /etc/apk/keys
	sudo cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub

	# We use a different GSA for our interaction with GCS.
	- uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
	with:
	workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
	service_account: "[email protected]"

	- uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
	with:
	project_id: "prod-images-c6e5"

	- name: Withdraw from index
	run: \|
	set -euo pipefail
	for arch in x86_64 aarch64; do
	mkdir -p $arch
	curl -v https://packages.wolfi.dev/os/$arch/APKINDEX.tar.gz 2>verbose \| wolfictl withdraw $(grep -v '\#' withdrawn-packages.txt) --signing-key="${{ github.workspace }}/wolfi-signing.rsa" > $arch/APKINDEX.tar.gz

	# Parse the object generation from the -v output.
	GEN=$(grep "x-goog-generation" verbose \| cut -d' ' -f3)
	echo "APKINDEX.tar.gz object generation for ${arch} was ${GEN}"

	# This will fail if the APKINDEX is modified between when we download it and when we upload the modified version.
	# That's totally fine, just re-run the withdrawl workflow.
	# This is a bit of a hack until we drop this APKINDEX entirely.
	gcloud storage cp --if-generation-match="${GEN}" --cache-control="no-store" $arch/APKINDEX.tar.gz gs://wolfi-production-registry-destination/os/$arch/APKINDEX.tar.gz
	done

	- name: Delete withdrawn packages
	run: \|
	set -euo pipefail
	for arch in x86_64 aarch64; do
	for pkg in $(grep -v '\#' withdrawn-packages.txt); do
	echo "=> $pkg"
	gsutil -m rm -f gs://wolfi-production-registry-destination/os/$arch/$pkg \|\| true
	done
	done

	- name: Upload full withdrawn packages list
	run: \|
	set -euxo pipefail
	git log -p -- withdrawn-packages.txt \| grep "^+" \| grep ".apk$" \| cut -c2- \| sort \| uniq > all-withdrawn-packages.txt
	gsutil cp \
	all-withdrawn-packages.txt \
	gs://wolfi-production-registry-destination/os/withdrawn-packages.txt

	- name: Delete sbom packages from the lifecycle automation
	run: \|
	set -euo pipefail
	for arch in x86_64 aarch64; do
	for pkg in $(grep -v '\#' withdrawn-packages.txt); do
	echo "=> $pkg"
	gsutil -m rm -f gs://insights-apk-sbom-prod/wolfi-production-registry-destination/os/$arch/$pkg.sbom.json \|\| true
	done
	done

	# use public chainguard provider.
	- uses: chainguard-dev/setup-chainctl@598499528905f95b94e62e4831cf42035e768933 # v0.2.3
	with:
	# Managed here:
	# https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/wolfi-os-pusher.tf
	identity: "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31"

	- name: 'Withdraw packages from apk.cgr.dev'
	run: \|
	set -e
	# Populate the token here, since chainctl auth token
	# doesn't support all of the options we need.
	chainctl auth login --audience apk.cgr.dev \
	--identity "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31"
	echo "::add-mask::$(chainctl auth token --audience apk.cgr.dev)"

	for arch in "aarch64" "x86_64"; do
	while IFS= read -r pkg; do
	curl -X DELETE \
	--user "user:$(chainctl auth token --audience apk.cgr.dev)" \
	"https://apk.cgr.dev/chainguard/${arch}/${pkg}" \|\| true
	done < <(grep -v -e '^$' -v '\#' withdrawn-packages.txt \| cut -d':' -f2) # Ignore empty lines and comments
	done

	- uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # v2.2.1
	if: failure()
	env:
	SLACK_ICON: http://github.com/chainguard-dev.png?size=48
	SLACK_USERNAME: guardian
	SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
	SLACK_CHANNEL: chainguard-images-alerts
	SLACK_COLOR: '#8E1600'
	MSG_MINIMAL: 'true'
	SLACK_TITLE: '[withdraw-packages] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}'
	SLACK_MESSAGE: \|
	https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Withdraw packages #167

Workflow file

Withdraw packages #167

Jobs

Run details

Workflow file for this run