diff --git a/.github/workflows/presubmit-signed-images-are-signed.yml b/.github/workflows/presubmit-signed-images-are-signed.yml deleted file mode 100644 index 91194ef..0000000 --- a/.github/workflows/presubmit-signed-images-are-signed.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: presubmit signed images are signed -on: - pull_request: {} - workflow_dispatch: {} -jobs: - presubmit-signed-images-are-signed: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 - - uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main - - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - - name: check signed images are signed as expected - run: | - yq -r e '.sync[] | select(.sourceSignature != null) | .source + " " + .sourceSignature.issuerRegExp + " " + .sourceSignature.subjectRegExp' -o json < ./config.yaml \ - | xargs -n 1 -l bash -c 'cosign verify -o text --certificate-identity-regexp "$2" --certificate-oidc-issuer-regexp "$1" "$0"' diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml index cb47130..c553961 100644 --- a/.github/workflows/sync.yml +++ b/.github/workflows/sync.yml @@ -4,6 +4,7 @@ name: sync on: + pull_request: {} push: branches: - main @@ -19,128 +20,110 @@ concurrency: group: ${{ github.run_id }} cancel-in-progress: false jobs: - prepare: - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set.outputs.matrix }} - steps: - - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 - - id: set - run: | - echo "matrix=$(jq '.sync | {"include":.}' -r -c <<< "$(yq e . -o json config.yaml)")" >> $GITHUB_OUTPUT - - name: check output - run: | - jq . <<< '${{ steps.set.outputs.matrix }}' sync: - if: ${{ fromJSON(needs.prepare.outputs.matrix) != null }} - needs: prepare - runs-on: ubuntu-latest - outputs: - source: ${{ steps.get-digests.outputs.source }} - destination: ${{ steps.get-digests.outputs.destination }} - strategy: - fail-fast: false - matrix: ${{ fromJSON(needs.prepare.outputs.matrix) }} + env: + ECR: 862640294325.dkr.ecr.ap-southeast-2.amazonaws.com + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - - id: determine-uses-ecr - env: - DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} - run: | - if echo "$DESTINATION" | grep -q -E '[0-9]{12}.dkr.ecr.ap-southeast-2.amazonaws.com/.*'; then - echo "ecr="$(echo "$DESTINATION" | cut -d'/' -f1)"" >> $GITHUB_OUTPUT - fi - name: Configure AWS Credentials - if: ${{ steps.determine-uses-ecr.outputs.ecr != '' }} uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v2.0.0 with: aws-region: ap-southeast-2 role-to-assume: arn:aws:iam::862640294325:role/github-actions-geonet-ecr-push role-duration-seconds: 3600 role-session-name: github-actions-GeoNet--base-images + if: github.ref_name == 'main' - name: login to ECR - if: ${{ steps.determine-uses-ecr.outputs.ecr != '' }} - env: - ECR: ${{ steps.determine-uses-ecr.outputs.ecr }} - run: | - aws ecr get-login-password --region ap-southeast-2 | crane auth login "$ECR" -u AWS --password-stdin - - name: get-digests - if: ${{ fromJSON(toJSON(matrix)).always != true }} - id: get-digests - env: - SOURCE: ${{ fromJSON(toJSON(matrix)).source }} - DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} - run: | - SOURCE_DIGEST="$(crane digest "${SOURCE}" || true)" - DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)" - ( - echo "SOURCE-DIGEST DESTINATION-DIGEST" - echo "${SOURCE_DIGEST} ${DESTINATION_DIGEST}" - ) | column -t - echo "source=${SOURCE_DIGEST}" >> $GITHUB_OUTPUT - echo "destination=${DESTINATION_DIGEST}" >> $GITHUB_OUTPUT - - name: verify-signature - if: ${{ (steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true) && fromJSON(toJSON(matrix)).sourceSignature != null }} - env: - SOURCE: ${{ fromJSON(toJSON(matrix)).source }} - SUBJECT: ${{ fromJSON(toJSON(matrix)).sourceSignature.subjectRegExp }} - ISSUER: ${{ fromJSON(toJSON(matrix)).sourceSignature.issuerRegExp }} - run: | - cosign verify -o text --certificate-identity-regexp "$SUBJECT" --certificate-oidc-issuer-regexp "$ISSUER" "$SOURCE" - - name: copy - if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true }} - env: - SOURCE: ${{ fromJSON(toJSON(matrix)).source }} - DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} - run: | - crane cp $SOURCE $DESTINATION - - name: add source labels - if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true }} - env: - DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} run: | - LABELS=( - org.opencontainers.image.revision=${{ github.sha }} - org.opencontainers.image.source=${{ github.repositoryUrl }} - ) - for LABEL in "${LABELS[@]}"; do - crane mutate $DESTINATION --label "${LABEL}" - done - - name: get-synced-digests - id: get-synced-digests + aws ecr get-login-password --region ap-southeast-2 | skopeo login "$ECR" -u AWS --password-stdin + if: github.ref_name == 'main' + # - name: get-digests + # if: ${{ fromJSON(toJSON(matrix)).always != true }} + # id: get-digests + # env: + # SOURCE: ${{ fromJSON(toJSON(matrix)).source }} + # DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} + # run: | + # SOURCE_DIGEST="$(crane digest "${SOURCE}" || true)" + # DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)" + # ( + # echo "SOURCE-DIGEST DESTINATION-DIGEST" + # echo "${SOURCE_DIGEST} ${DESTINATION_DIGEST}" + # ) | column -t + # echo "source=${SOURCE_DIGEST}" >> $GITHUB_OUTPUT + # echo "destination=${DESTINATION_DIGEST}" >> $GITHUB_OUTPUT + # - name: verify-signature + # if: ${{ (steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true) && fromJSON(toJSON(matrix)).sourceSignature != null }} + # env: + # SOURCE: ${{ fromJSON(toJSON(matrix)).source }} + # SUBJECT: ${{ fromJSON(toJSON(matrix)).sourceSignature.subjectRegExp }} + # ISSUER: ${{ fromJSON(toJSON(matrix)).sourceSignature.issuerRegExp }} + # run: | + # cosign verify -o text --certificate-identity-regexp "$SUBJECT" --certificate-oidc-issuer-regexp "$ISSUER" "$SOURCE" + - name: dry run copy to ghcr.io env: - DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} - run: | - DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)" - ( - echo "${SOURCE_DIGEST} ${DESTINATION_DIGEST}" - ) | column -t - HAS_SIGNATURES="$(cosign tree ${DESTINATION}@${DESTINATION_DIGEST} 2>&1 | grep -q 'Signatures for an image tag' && echo true || echo false)" - echo "destination=${DESTINATION_DIGEST}" >> $GITHUB_OUTPUT - echo "has-signatures=${HAS_SIGNATURES}" >> $GITHUB_OUTPUT - - name: Clean signatures - if: ${{ fromJSON(toJSON(matrix)).always == true }} + GH_TOKEN: ${{ secrets.GH_CI_USER_TOKEN }} + run: | - cosign clean -f ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} - - name: Sign image with a key - if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }} + skopeo sync --dry-run --all --src yaml --dest docker sync-ghcr.yml ghcr.io/geonet/base-images + - name: copy to ghcr.io env: - COSIGN_EXPERIMENTAL: "true" - COSIGN_YES: "true" + GH_TOKEN: ${{ secrets.GH_CI_USER_TOKEN }} run: | - cosign sign ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} -y - - uses: anchore/sbom-action@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8 - if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }} - with: - image: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} - artifact-name: sbom-spdx.json - output-file: /tmp/sbom-spdx.json - - name: publish sbom blob as blob - if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }} - env: - COSIGN_YES: "true" + skopeo sync --all --src yaml --dest docker sync-ghcr.yml ghcr.io/geonet/base-images + if: github.ref_name == 'main' + - name: copy to ecr run: | - cosign attest --predicate /tmp/sbom-spdx.json ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} -y + skopeo sync --all --src yaml --dest docker sync-ecr.yml ${{ env.ecr }} + if: github.ref_name == 'main' + + # - name: add source labels + # if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true }} + # env: + # DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} + # run: | + # LABELS=( + # org.opencontainers.image.revision=${{ github.sha }} + # org.opencontainers.image.source=${{ github.repositoryUrl }} + # ) + # for LABEL in "${LABELS[@]}"; do + # crane mutate $DESTINATION --label "${LABEL}" + # done + # - name: get-synced-digests + # id: get-synced-digests + # env: + # DESTINATION: ${{ fromJSON(toJSON(matrix)).destination }} + # run: | + # DESTINATION_DIGEST="$(crane digest "${DESTINATION}" || true)" + # ( + # echo "${SOURCE_DIGEST} ${DESTINATION_DIGEST}" + # ) | column -t + # HAS_SIGNATURES="$(cosign tree ${DESTINATION}@${DESTINATION_DIGEST} 2>&1 | grep -q 'Signatures for an image tag' && echo true || echo false)" + # echo "destination=${DESTINATION_DIGEST}" >> $GITHUB_OUTPUT + # echo "has-signatures=${HAS_SIGNATURES}" >> $GITHUB_OUTPUT + # - name: Clean signatures + # if: ${{ fromJSON(toJSON(matrix)).always == true }} + # run: | + # cosign clean -f ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} + # - name: Sign image with a key + # if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }} + # env: + # COSIGN_EXPERIMENTAL: "true" + # COSIGN_YES: "true" + # run: | + # cosign sign ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} -y + # - uses: anchore/sbom-action@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8 + # if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }} + # with: + # image: ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} + # artifact-name: sbom-spdx.json + # output-file: /tmp/sbom-spdx.json + # - name: publish sbom blob as blob + # if: ${{ steps.get-digests.outputs.source != steps.get-digests.outputs.destination || steps.get-digests.outputs.destination == null || fromJSON(toJSON(matrix)).always == true || steps.get-synced-digests.outputs.has-signatures != 'true' }} + # env: + # COSIGN_YES: "true" + # run: | + # cosign attest --predicate /tmp/sbom-spdx.json ${{ fromJSON(toJSON(matrix)).destination }}@${{ steps.get-synced-digests.outputs.destination }} -y diff --git a/.github/workflows/update-image-digests.yml b/.github/workflows/update-image-digests.yml deleted file mode 100644 index b26dafe..0000000 --- a/.github/workflows/update-image-digests.yml +++ /dev/null @@ -1,43 +0,0 @@ -name: update image digests -on: - schedule: - - cron: 0 1 * * * - workflow_dispatch: {} -permissions: - contents: write - pull-requests: write - issues: write - checks: write -jobs: - update-image-digests: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 - - uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main - - name: configure system - run: | - git config user.name 'geonetci' - git config user.email 'geonetci@gns.cri.nz' - gh auth login --with-token < <(echo ${{ secrets.GH_CI_USER_TOKEN }}) - gh auth status - - name: update select images - run: ./hack/update-sync-image-digests.sh - - name: determine changes - id: determine-changes - run: | - if git ls-files --others --modified --deleted --exclude-standard | grep -E 'config.yaml'; then - echo "changes=true" >> $GITHUB_OUTPUT - fi - - name: commit and push if there are changes - if: ${{ steps.determine-changes.outputs.changes == 'true' }} - env: - GH_TOKEN: ${{ secrets.GH_CI_USER_TOKEN }} - run: | - TIMESTAMP="$(git log -n1 --pretty='format:%cd' --date=format:'%Y-%m-%d-%H-%M')" - NEW_BRANCH="config-yaml-image-update-for-${TIMESTAMP}" - git add ./config.yaml - git branch "${NEW_BRANCH}" - git checkout "${NEW_BRANCH}" - git commit -s -m "fix: update sync config.yaml images for ${TIMESTAMP}" -m "updates sync config.yaml images for ${TIMESTAMP} from fedora" - git push origin "${NEW_BRANCH}" - diff --git a/config.yaml b/config.yaml index 6868343..9d0d715 100644 --- a/config.yaml +++ b/config.yaml @@ -1,116 +1,3 @@ -sync: - # NOTES - # - use an image with digest for the source (use `crane digest IMAGE_REF` to find it); ensuring the exact image is used and the tag can't be swapped underneath - # NOTE use the following command to check if each image resolves - # yq e .sync[].source ./config.yaml | xargs -n 1 -I{} sh -c 'printf "{} => "; crane digest {}' - # NOTE find architectures of destination images - # < config.yaml yq e '.sync[].destination' | xargs -I{} sh -c 'printf "{} " && crane manifest {} | jq -e ".manifests | length | . > 1" && crane manifest {} | jq .manifests[].platform.architecture | xargs' - # NOTE use the following command to check each image for supply chain security related artifacts - # yq e .sync[].source < ./config.yaml | xargs -n 1 -I{} -P 1000 cosign tree {} - # NOTE use the following command to determine how an image was signed - # cosign verify -o text --certificate-identity-regexp '.*' --certificate-oidc-issuer-regexp '.*' IMAGE - # NOTE use the following command to verify all signed images - # yq -r e '.sync[] | select(.sourceSignature != null) | .source + " " + .sourceSignature.issuerRegExp + " " + .sourceSignature.subjectRegExp' -o json < ./config.yaml \ - # | xargs -n 1 -l bash -c 'cosign verify -o text --certificate-identity-regexp "$2" --certificate-oidc-issuer-regexp "$1" "$0"' - - source: docker.io/library/alpine:3.18@sha256:02bb6f428431fbc2809c5d1b41eab5a68350194fb508869a33cb1af4444c9b11 - destination: ghcr.io/geonet/base-images/alpine:3.18 # latest alpine - - source: docker.io/redhat/ubi8:8.9@sha256:e5d89fb9c9b6592d0d5e576c53021598cde831b20213207ecd896049c4b21c08 - destination: ghcr.io/geonet/base-images/ubi8:8.9 - - source: docker.io/redhat/ubi8-minimal:8.9@sha256:f28a083503f91d97fd3ac2ec24d67c0fa705c086c4c01f31c33567ebab1dfcb8 - destination: ghcr.io/geonet/base-images/ubi8-minimal:8.9 - - source: docker.io/datadog/agent:7.51.0@sha256:fa2e2347bb66513515074e825ff749f950ab6051f61b889ba3734f328bf86ec6 - destination: ghcr.io/geonet/base-images/datadog/agent:7.51.0 - - source: docker.io/almalinux:8.9@sha256:286bebaacc46c498394238b7a27b99192f829fd94460b67f8de2cc23696935de - destination: ghcr.io/geonet/base-images/almalinux:8.9 - - source: docker.io/datadog/agent:7.51.0@sha256:fa2e2347bb66513515074e825ff749f950ab6051f61b889ba3734f328bf86ec6 - destination: 862640294325.dkr.ecr.ap-southeast-2.amazonaws.com/datadog-agent:7.51.0 - - source: docker.io/library/debian:bookworm-slim@sha256:d8f9d38c21495b04d1cca99805fbb383856e19794265684019bf193c3b7d67f9 - destination: ghcr.io/geonet/base-images/debian:bookworm-slim - - source: docker.io/hadolint/hadolint:v2.12.0-alpine@sha256:3c206a451cec6d486367e758645269fd7d696c5ccb6ff59d8b03b0e45268a199 - destination: ghcr.io/geonet/base-images/hadolint/hadolint:v2.12.0-alpine - - source: docker.io/library/node:16.17.1-alpine@sha256:4d68856f48be7c73cd83ba8af3b6bae98f4679e14d1ff49e164625ae8831533a # older node - destination: ghcr.io/geonet/base-images/node:16.17.1-alpine - - source: docker.io/library/node:20.3-alpine3.18@sha256:30d5045fa5026abaed7439b62d51f73ac3efd1009496271d4c85fd83bb20144e # latest node - destination: ghcr.io/geonet/base-images/node:20.3-alpine3.18 - - source: docker.io/library/python:3.11.4-bullseye@sha256:e76a365d3f3b37ad4cf4bae474a063883461b01e07e2f51cd7d9597fd455ee38 - destination: ghcr.io/geonet/base-images/python:3.11.4-bullseye - - source: docker.io/library/python:3.12.2-bullseye@sha256:632aa502e9478bac490956b49b0184c300b0448f74bd7cb3245467f4af90cdd3 - destination: ghcr.io/geonet/base-images/python:3.12.2-bullseye - - source: docker.io/library/python:3.12.2-alpine3.19@sha256:849ed6079c9f797ca9c1b7d6aea1c00aea3ac35110cbd0d6003f15950017ea8d - destination: ghcr.io/geonet/base-images/python:3.12.2-alpine3.19 - - source: docker.io/library/python:3.11.9-alpine3.19@sha256:0b5ed25d3cc27cd35c7b0352bac8ef2ebc8dd3da72a0c03caaf4eb15d9ec827a - destination: ghcr.io/geonet/base-images/python:3.11.9-alpine3.19 - - source: docker.io/library/python:3.11.4-alpine3.18@sha256:995c7fcdf9a10e0e1a4555861dac63436b456822a167f07b6599d4f105de6fa0 - destination: ghcr.io/geonet/base-images/python:3.11.4-alpine3.18 - - source: docker.io/golang:1.21.12-alpine3.20@sha256:0826be3be3801e1391605a54951645bb28aca6f6c58e0baea0222decd3e35bac - destination: ghcr.io/geonet/base-images/go:1.21.12 - - source: docker.io/vmware/govc:v0.37.0@sha256:cb81de51e4255a6fb980c33b7b1e04832f2640b9010d51720e223f580efc4949 - destination: ghcr.io/geonet/base-images/govc:v0.37.0 - - source: cgr.dev/chainguard/static:latest@sha256:da9822ad6f973e40e24e75133b08ae874900766873ecd03e58f7f630ccea898c - sourceSignature: - issuerRegExp: https://token.actions.githubusercontent.com - subjectRegExp: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main - destination: ghcr.io/geonet/base-images/static:latest - - source: cgr.dev/chainguard/nginx:latest@sha256:f705448eb5a9939454a5bfe1a2b6a8afe4da18d8f7191ef62b883200baa46054 - sourceSignature: - issuerRegExp: https://token.actions.githubusercontent.com - subjectRegExp: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main - destination: ghcr.io/geonet/base-images/nginx:latest - - source: cgr.dev/chainguard/node:20@sha256:38dc35af8d4bd8f59c1d8b88999e7dee9746dcee0f375848fb9701f3b61564e5 # latest node - sourceSignature: - issuerRegExp: https://token.actions.githubusercontent.com - subjectRegExp: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main - destination: ghcr.io/geonet/base-images/node:20 - - source: ghcr.io/geonet/base-images/mkdocs_plus:latest@sha256:d54c497b4ec5cce0c41b84e6afe5e4250c0b6ba499832ee977137f0f5e9c8a77 - sourceSignature: - issuerRegExp: https://token.actions.githubusercontent.com - # match signature before and after adopting reusable workflow - # as the identity of the subject changes depending on which workflow it's signed with - subjectRegExp: https://github.com/GeoNet/(base-images/.github/workflows/build.yml@refs/heads/main|Actions/.github/workflows/reusable-docker-build.yml@refs/heads/main) - destination: ghcr.io/geonet/base-images/mkdocs_plus:2023-06-14 - - source: ghcr.io/siderolabs/conform:v0.1.0-alpha.27@sha256:60e5c3cac83104077aff44a86518972f92cffb48d06c06486fb1f2711d4eb559 - destination: ghcr.io/geonet/base-images/siderolabs-conform:v0.1.0-alpha.27 - - source: quay.io/fedora/fedora:38@sha256:6349d2df6b4322c5690df1bb7743c45c356e20471dda69f27218cd9ba4a6c3c7 # 38 for 2024-01-28 - destination: ghcr.io/geonet/base-images/fedora:38 - auto-update-mutable-tag-digest: true - - source: quay.io/fedora/fedora:39@sha256:db1e965add87a948502e87388ae0c9cb2a7a8794d92c194de138f1dd294e3d56 # 39 for 2024-08-22 - destination: ghcr.io/geonet/base-images/fedora:39 - auto-update-mutable-tag-digest: true - - source: quay.io/fedora/fedora:40@sha256:049e6a118492f07a09edd91fbeac83fb7bbda1c395086d6a5ea1eebf6ea30561 # 40 for 2024-08-22 - destination: ghcr.io/geonet/base-images/fedora:40 - auto-update-mutable-tag-digest: true - - source: quay.io/fedora/fedora:39-aarch64@sha256:ebfdb91c0b45f0d4c17c40421aaf2d2af6631d95a740d9f7965b3ad52155c548 # 39-aarch64 for 2024-08-22 - destination: ghcr.io/geonet/base-images/fedora:39-aarch64 - auto-update-mutable-tag-digest: true - - source: quay.io/fedora/fedora:40-aarch64@sha256:621971c1750128aaa5f402cea4724de75696092d7ef97b5f9426c876c4b30ab6 # 40-aarch64 for 2024-08-22 - destination: ghcr.io/geonet/base-images/fedora:40-aarch64 - auto-update-mutable-tag-digest: true - - source: quay.io/fedora/fedora-coreos:stable@sha256:5240392ed4ffa33f4a0dbfb94ea9409583d42eaa5981403236ebeddd987f7cea # stable for 2024-08-22 - destination: ghcr.io/geonet/base-images/fedora-coreos:stable - auto-update-mutable-tag-digest: true - auto-update-mutable-tag-digest: true - - source: quay.io/centos/centos:stream8@sha256:20da069d4f8126c4517ee563e6e723d4cbe79ff62f6c4597f753478af91a09a3 # stream8 for 2024-06-05 - destination: ghcr.io/geonet/base-images/centos:stream8 - auto-update-mutable-tag-digest: true - - source: quay.io/centos/centos:stream9@sha256:a0017fa930fbbbb706509aafdb287b16d9d3d1672f09712a04ea634fea68a85d # stream9 for 2024-08-22 - destination: ghcr.io/geonet/base-images/centos:stream9 - auto-update-mutable-tag-digest: true - - source: cgr.dev/chainguard/curl:8.1.2@sha256:73992422b3e634c520483bb0aeda22c405d4701ccf5c2294c71d7f67373301cb - sourceSignature: - issuerRegExp: https://token.actions.githubusercontent.com - subjectRegExp: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main - destination: ghcr.io/geonet/base-images/curl:8.1.2 - - source: ghcr.io/zaproxy/zaproxy:20240402-stable@sha256:3280adc730131f1f4460ab226b0f85e3e9ab3301ef5a7030f745ac4dd6b6ff87 - destination: ghcr.io/geonet/base-images/zaproxy/zaproxy:20240402-stable - - source: docker.io/koalaman/shellcheck-alpine:v0.9.0@sha256:e19ed93c22423970d56568e171b4512c9244fc75dd9114045016b4a0073ac4b7 - destination: ghcr.io/geonet/base-images/shellcheck:v0.9.0 - - source: docker.io/tonistiigi/binfmt:latest@sha256:66e11bea77a5ea9d6f0fe79b57cd2b189b5d15b93a2bdb925be22949232e4e55 - destination: ghcr.io/geonet/base-images/binfmt:latest - auto-update-mutable-tag-digest: true - - source: quay.io/prometheus/prometheus:v2.53.0@sha256:075b1ba2c4ebb04bc3a6ab86c06ec8d8099f8fda1c96ef6d104d9bb1def1d8bc - destination: ghcr.io/geonet/base-images/prometheus:v2.53.0 - - source: docker.io/grafana/grafana-oss:11.1.0@sha256:079600c9517b678c10cda6006b4487d3174512fd4c6cface37df7822756ed7a5 - destination: ghcr.io/geonet/base-images/grafana/grafana-oss:11.1.0 build: # NOTES # - uses dirname of source as context for build diff --git a/hack/update-sync-image-digests.sh b/hack/update-sync-image-digests.sh deleted file mode 100755 index d5e8091..0000000 --- a/hack/update-sync-image-digests.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash - -cd "$(git rev-parse --show-toplevel)" || exit 1 - -for IMAGE in $(< ./config.yaml yq e '.. comments="" |= . | .sync[] | select(.auto-update-mutable-tag-digest==true) | .source' -P -); do - IMAGE_BASE="$(echo "$IMAGE" | cut -d'@' -f1)" - TAG="$(echo "$IMAGE" | cut -d: -f2 | cut -d@ -f1)" - DATE="$(date +%Y-%m-%d)" - NEW_IMAGE_DIGEST="$(crane digest "$IMAGE_BASE")" - NEW_IMAGE="$IMAGE_BASE@$NEW_IMAGE_DIGEST" - if [ "$IMAGE" = "$NEW_IMAGE" ]; then - echo "notice: image '$IMAGE_BASE' is already up to date" - continue - fi - echo "updating: image '$IMAGE_BASE'" - export FROM="$IMAGE" IMAGE="$NEW_IMAGE # $TAG for $DATE" - yq e -i 'with(.sync[] | select(.source==env(FROM)); .source = env(IMAGE))' ./config.yaml -done diff --git a/sync-ecr.yml b/sync-ecr.yml new file mode 100644 index 0000000..d34f2f7 --- /dev/null +++ b/sync-ecr.yml @@ -0,0 +1,4 @@ +docker.io: + tls-verify: true + images-by-semver: + datadog/agent: ">=7.51.0" diff --git a/sync-ghcr.yml b/sync-ghcr.yml new file mode 100644 index 0000000..5e7d134 --- /dev/null +++ b/sync-ghcr.yml @@ -0,0 +1,67 @@ +docker.io: + tls-verify: true + images-by-semver: + alpine: ">= 3.18.0" + vmware/govc: ">= v0.37.0" + grafana/grafana-oss: ">= 11.1.0" + images: + almalinux: + - '8.9' + - '8.10' + - '8.10-minimal' + redhat/ubi8: + - '8.9' + - '8.10' + redhat/ubi8-minimal: + - '8.9' + - '8.10' + debian: + - 'bookworm-slim' + hadolint/hadolint: + - 'v2.12.0-alpine' + python: + - 3.11.4-bullseye + - 3.12.2-bullseye + - 3.12.2-alpine3.19 + - 3.11.9-alpine3.19 + - 3.11.4-alpine3.18 + golang: + - 1.21.12-alpine3.20 + koalaman/shellcheck-alpine: + - v0.9.0 + tonistiigi/binfmt: + - latest +quay.io: + tls-verify: true + images: + fedora/fedora-coreos: + - stable + fedora/fedora: + - '39' + - '40' + - '40-aarch64' + centos/centos: + - stream8 + - stream9 + images-by-semver: + prometheus/prometheus: ">= v2.53.0" + +cgr.dev: + tls-verify: true + images-by-semver: + chainguard/curl: ">= 8.1.2" + images: + chainguard/node: + - '20' + chainguard/static: + - 'latest' + chainguard/nginx: + - 'latest' + +ghcr.io: + tls-verify: true + images-by-semver: + siderolabs/conform: ">= v0.1.0" + images: + zaproxy/zaproxy: + - '20240402-stable'