withdraw-packages.yaml
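# Manually dispatched workflow. It deletes every package named in
# withdrawn-packages.txt from the production bucket for both architectures,
# mirrors the bucket locally, then rebuilds, signs and re-uploads the APKINDEX
# for each architecture.
name: Withdraw packages

on:
  workflow_dispatch:

# Don't withdraw during builds, to prevent out of sync signatures.
concurrency: build

jobs:
  build:
    name: Withdraw packages
    runs-on: ubuntu-16-core

    permissions:
      # Needed for the OIDC token exchange in the "Authenticate to Google Cloud" step.
      id-token: write
      # NOTE(review): no step visible in this file touches GitHub Packages;
      # confirm this scope is required and drop it if it is not.
      packages: write
      contents: read

    steps:
      # In some cases we run out of disk space during tests, so this hack frees up approx 10G.
      # See the following issue for more info:
      # https://github.com/actions/runner-images/issues/2840#issuecomment-1284059930
      - name: Free up runner disk space
        shell: bash
        run: |
          set -x
          sudo rm -rf /usr/share/dotnet
          sudo rm -rf "$AGENT_TOOLSDIRECTORY"

      # No visible step runs git after checkout, so the token is not kept in
      # the checkout's git configuration where later steps could read it.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      # NOTE(review): `@main` is a mutable branch ref, and this job holds the
      # package signing key plus cloud credentials. Pin to a reviewed full
      # commit SHA.
      - uses: chainguard-dev/actions/setup-melange@main

      - id: auth
        name: 'Authenticate to Google Cloud'
        # NOTE(review): `@v0` is a mutable tag; pin to a reviewed full commit SHA.
        uses: google-github-actions/auth@v0
        with:
          workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
          # NOTE(review): the value below looks masked by the hosting page's
          # e-mail obfuscation; the real service-account address is not shown.
          service_account: "[email protected]"

      # NOTE(review): `@v0` is a mutable tag; pin to a reviewed full commit SHA.
      - uses: google-github-actions/setup-gcloud@v0
        with:
          project_id: prod-images-c6e5

      # The private key reaches the shell through the environment rather than
      # being expanded into the script text, so its content is never parsed as
      # shell. umask 077 makes the key file readable by the runner user only.
      - name: 'Write signing key'
        env:
          MELANGE_RSA: ${{ secrets.MELANGE_RSA }}
        run: |
          umask 077
          printf '%s\n' "$MELANGE_RSA" > ./wolfi-signing.rsa

      # NOTE(review): wolfi-signing.rsa.pub is not created by any step in this
      # file; presumably it is part of the checkout - confirm.
      - run: |
          sudo mkdir -p /etc/apk/keys
          sudo cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub

      - name: 'Delete withdrawn packages'
        run: |
          # Word splitting of the list is kept, but pathname expansion is
          # switched off so an entry is never globbed against the checkout.
          set -f
          for arch in x86_64 aarch64; do
            # Every line of the list that contains '#' is skipped.
            for pkg in $(grep -v '\#' withdrawn-packages.txt); do
              echo "=> $pkg"
              # NOTE(review): entries reach gsutil unvalidated, and gsutil
              # expands wildcards in object names on its own. Consider
              # rejecting entries that do not match a strict package-filename
              # pattern. `|| true` also hides every failure, including
              # authentication errors.
              gsutil -m rm -f "gs://wolfi-production-registry-destination/os/$arch/$pkg" || true
            done
          done

      - name: 'Sync public package repository'
        run: |
          mkdir "$GITHUB_WORKSPACE/packages"
          gsutil -m rsync -r gs://wolfi-production-registry-destination/os/ "$GITHUB_WORKSPACE/packages/"
          # Prints each synced path and updates its modification time.
          find "$GITHUB_WORKSPACE/packages" -print -exec touch \{} \;

      - name: 'Reconcile Wolfi index'
        run: |
          # NOTE(review): the index is generated and signed over whatever the
          # sync step pulled from the bucket; no step here verifies those
          # packages before they are covered by the signature.
          for arch in x86_64 aarch64; do
            pushd "$GITHUB_WORKSPACE/packages/$arch"
            melange index -o APKINDEX.tar.gz -a "$arch" *.apk
            melange sign-index --signing-key="$GITHUB_WORKSPACE/wolfi-signing.rsa" APKINDEX.tar.gz
            # no-store keeps caches from serving a stale index after a withdrawal.
            gsutil -h "Cache-Control:no-store" cp "$GITHUB_WORKSPACE/packages/${arch}/APKINDEX.tar.gz" "gs://wolfi-production-registry-destination/os/${arch}/APKINDEX.tar.gz"
            gsutil -h "Cache-Control:no-store" cp "$GITHUB_WORKSPACE/packages/${arch}/APKINDEX.json" "gs://wolfi-production-registry-destination/os/${arch}/APKINDEX.json"
            popd
          done

      # Runs even when an earlier step failed, so the private key does not
      # stay on disk for the remainder of the runner's lifetime.
      - name: 'Remove signing key'
        if: always()
        run: rm -f ./wolfi-signing.rsa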