Skip to content

Withdraw packages

Withdraw packages #169

name: Withdraw packages
on:
workflow_dispatch:
# Don't withdraw during builds, to prevent out of sync signatures.
concurrency: build
permissions:
contents: read
jobs:
withdraw:
name: Withdraw packages
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
fetch-depth: 0 # We want the full history for uploading withdrawn-packages.txt to GCS. If this takes too long, we look at merging both files.
# this need to point to main to always get the latest action
- name: "Install wolfictl onto PATH"
uses: wolfi-dev/actions/install-wolfictl@main # main
# This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf
- uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
id: auth
with:
workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
service_account: "wolfi-dev@chainguard-github-secrets.iam.gserviceaccount.com"
- uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
with:
project_id: "chainguard-github-secrets"
- uses: 'google-github-actions/get-secretmanager-secrets@95a0b09b8348ef3d02c68c6ba5662a037e78d713' # v2.1.4
id: secrets
with:
secrets: |-
token:chainguard-github-secrets/wolfi-dev-signing-key
- run: echo "${{ steps.secrets.outputs.token }}" > ./wolfi-signing.rsa
- run: |
sudo mkdir -p /etc/apk/keys
sudo cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub
# We use a different GSA for our interaction with GCS.
- uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
with:
workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com"
- uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
with:
project_id: "prod-images-c6e5"
- name: Withdraw from index
run: |
set -euo pipefail
for arch in x86_64 aarch64; do
mkdir -p $arch
curl -v https://packages.wolfi.dev/os/$arch/APKINDEX.tar.gz 2>verbose | wolfictl withdraw $(grep -v '\#' withdrawn-packages.txt) --signing-key="${{ github.workspace }}/wolfi-signing.rsa" > $arch/APKINDEX.tar.gz
# Parse the object generation from the -v output.
GEN=$(grep "x-goog-generation" verbose | cut -d' ' -f3)
echo "APKINDEX.tar.gz object generation for ${arch} was ${GEN}"
# This will fail if the APKINDEX is modified between when we download it and when we upload the modified version.
# That's totally fine, just re-run the withdrawl workflow.
# This is a bit of a hack until we drop this APKINDEX entirely.
gcloud storage cp --if-generation-match="${GEN}" --cache-control="no-store" $arch/APKINDEX.tar.gz gs://wolfi-production-registry-destination/os/$arch/APKINDEX.tar.gz
done
- name: Delete withdrawn packages
run: |
set -euo pipefail
for arch in x86_64 aarch64; do
for pkg in $(grep -v '\#' withdrawn-packages.txt); do
echo "=> $pkg"
gsutil -m rm -f gs://wolfi-production-registry-destination/os/$arch/$pkg || true
done
done
- name: Upload full withdrawn packages list
run: |
set -euxo pipefail
git log -p -- withdrawn-packages.txt | grep "^+" | grep ".apk$" | cut -c2- | sort | uniq > all-withdrawn-packages.txt
gsutil cp \
all-withdrawn-packages.txt \
gs://wolfi-production-registry-destination/os/withdrawn-packages.txt
- name: Delete sbom packages from the lifecycle automation
run: |
set -euo pipefail
for arch in x86_64 aarch64; do
for pkg in $(grep -v '\#' withdrawn-packages.txt); do
echo "=> $pkg"
gsutil -m rm -f gs://insights-apk-sbom-prod/wolfi-production-registry-destination/os/$arch/$pkg.sbom.json || true
done
done
# use public chainguard provider.
- uses: chainguard-dev/setup-chainctl@598499528905f95b94e62e4831cf42035e768933 # v0.2.3
with:
# Managed here:
# https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/wolfi-os-pusher.tf
identity: "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31"
- name: 'Withdraw packages from apk.cgr.dev'
run: |
set -e
# Populate the token here, since chainctl auth token
# doesn't support all of the options we need.
chainctl auth login --audience apk.cgr.dev \
--identity "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31"
echo "::add-mask::$(chainctl auth token --audience apk.cgr.dev)"
for arch in "aarch64" "x86_64"; do
while IFS= read -r pkg; do
curl -X DELETE \
--user "user:$(chainctl auth token --audience apk.cgr.dev)" \
"https://apk.cgr.dev/chainguard/${arch}/${pkg}" || true
done < <(grep -v -e '^$' -v '\#' withdrawn-packages.txt | cut -d':' -f2) # Ignore empty lines and comments
done
- uses: rtCamp/action-slack-notify@65e6fc1ce697e2df8149d9ae9909acc5ec5599ce # v2.2.1
if: failure()
env:
SLACK_ICON: http://github.com/chainguard-dev.png?size=48
SLACK_USERNAME: guardian
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
SLACK_CHANNEL: chainguard-images-alerts
SLACK_COLOR: '#8E1600'
MSG_MINIMAL: 'true'
SLACK_TITLE: '[withdraw-packages] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}'
SLACK_MESSAGE: |
https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}