Update CA cert hash in datastream #125
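# Resolves the Wolfi base image to an immutable digest, verifies its Sigstore
# signature, hashes the CA bundle it ships, and opens a PR that writes that
# hash into the OSCAP datastream whenever it differs from the committed value.
name: Update CA cert hash in datastream

on:
  workflow_dispatch:
  schedule:
    - cron: "0 1 * * *" # Daily at 1 AM UTC
  push:
    branches:
      - main
    paths:
      - ".github/workflows/update-ca-cert.yaml"
      # Must be the same file the job edits (DATASTREAM_PATH below); a
      # root-level "ssg-chainguard-gpos-ds.xml" filter never matched it.
      - "gpos/xml/scap/ssg/content/ssg-chainguard-gpos-ds.xml"

concurrency:
  group: update-ca-cert-${{ github.ref }}
  cancel-in-progress: false

# Workflow-wide default is read-only; the job requests only what it needs.
permissions:
  contents: read

jobs:
  update-ca-cert:
    runs-on: ubuntu-latest
    # Forks have no octo-sts identity and would only produce failing runs.
    if: ${{ github.repository_owner == 'chainguard-dev' }}
    timeout-minutes: 10
    permissions:
      contents: read
      id-token: write # OIDC for octo-sts, keyless cosign verification and gitsign
      pull-requests: write
      issues: write
    env:
      # Mutable tag on purpose: it is pinned to a digest and verified below.
      IMAGE_REF: cgr.dev/chainguard/wolfi-base:latest
      DATASTREAM_PATH: gpos/xml/scap/ssg/content/ssg-chainguard-gpos-ds.xml
      TESTS_PATH: tests # not referenced by any step in this workflow
    steps:
      # First step on purpose: every later step's egress (checkout included)
      # is then covered by the runner policy.
      - name: Harden Runner
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Generate token for PR
        uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
        id: octo-sts
        with:
          scope: ${{ github.repository }}
          identity: ca-cert-updater

      - name: Install cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - name: Setup crane
        uses: imjasonh/setup-crane@6da1ae018866400525525ce74ff892880c099987 # v0.5

      # Outputs: digest (sha256:...), full_ref (repo@digest). Both are only
      # published after the signature check passes, so downstream steps can
      # never see an unverified reference.
      - name: Pull and verify image
        id: image
        run: |
          set -euo pipefail
          DIGEST=$(crane digest "${IMAGE_REF}")
          FULL_REF="${IMAGE_REF%:*}@${DIGEST}"
          # Keyless verification: the signing certificate must come from the
          # chainguard-images/images GitHub Actions workflows.
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp "https://github.com/chainguard-images/images/.*" \
            "${FULL_REF}" || {
            echo "::error::Image signature verification failed"
            exit 1
          }
          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
          echo "full_ref=${FULL_REF}" >> "$GITHUB_OUTPUT"

      # Output: sha (64 lowercase hex chars, SHA-256 of the image's CA bundle).
      - name: Extract CA certificate SHA
        id: ca
        env:
          # Passed via env rather than inlined with ${{ }} so the values are
          # never re-parsed by the shell.
          FULL_REF: ${{ steps.image.outputs.full_ref }}
          DIGEST: ${{ steps.image.outputs.digest }}
        run: |
          set -euo pipefail
          SHA=$(crane export "${FULL_REF}" - \
            | tar -xO etc/ssl/certs/ca-certificates.crt \
            | sha256sum | cut -d' ' -f1)
          # Anything other than a hex SHA-256 would be written into the
          # datastream verbatim by the next step; fail here instead.
          if ! printf '%s' "${SHA}" | grep -Eq '^[0-9a-f]{64}$'; then
            echo "::error::Unexpected CA bundle digest: '${SHA}'"
            exit 1
          fi
          echo "sha=${SHA}" >> "$GITHUB_OUTPUT"
          cat >> "$GITHUB_STEP_SUMMARY" <<EOF
          ### CA Certificate Update
          - **Image**: \`${IMAGE_REF}\`
          - **Digest**: \`${DIGEST}\`
          - **CA SHA256**: \`${SHA}\`
          EOF

      # Output: changed ("true"/"false") - whether the datastream was modified.
      - name: Update datastream with new SHA
        id: update
        env:
          CA_CERT_SHA: ${{ steps.ca.outputs.sha }}
        run: |
          set -euo pipefail
          if [ ! -f "${DATASTREAM_PATH}" ]; then
            echo "::error::Datastream file not found: ${DATASTREAM_PATH}"
            exit 1
          fi
          # An empty or malformed value would blank every hash element below.
          if ! printf '%s' "${CA_CERT_SHA}" | grep -Eq '^[0-9a-f]{64}$'; then
            echo "::error::CA_CERT_SHA is not a hex SHA-256 digest: '${CA_CERT_SHA}'"
            exit 1
          fi
          BACKUP="${DATASTREAM_PATH}.bak"
          cp "${DATASTREAM_PATH}" "${BACKUP}"
          # Always drop the backup, otherwise create-pull-request would commit it.
          trap 'rm -f "${BACKUP}"' EXIT
          # NOTE(review): this rewrites the text of *every* element whose name
          # ends in "hash" (<...hash>...</...hash>). That is only correct if the
          # CA bundle hash is the sole such element in the datastream -- confirm,
          # or narrow the pattern to that specific element.
          sed -i -E "s|(<[^>]*hash>)[^<]*(</[^>]*hash>)|\1${CA_CERT_SHA}\2|g" "${DATASTREAM_PATH}"
          if cmp -s "${BACKUP}" "${DATASTREAM_PATH}"; then
            CHANGED=false
            echo "No changes needed - SHA already up to date"
          else
            CHANGED=true
            echo "Updated datastream with new SHA: ${CA_CERT_SHA}"
          fi
          echo "changed=${CHANGED}" >> "$GITHUB_OUTPUT"
          {
            echo "### Datastream Update Summary"
            echo "- **File**: \`${DATASTREAM_PATH}\`"
            echo "- **New SHA**: \`${CA_CERT_SHA}\`"
            # Use the shell variable: a step cannot read its own outputs through
            # ${{ steps.update.outputs.* }} while it is still running (that
            # expression was always empty, so "Already up-to-date" was always
            # reported).
            if [ "${CHANGED}" = "true" ]; then
              echo "- **Status**: Updated"
            else
              echo "- **Status**: Already up-to-date"
            fi
          } >> "$GITHUB_STEP_SUMMARY"

      # Sigstore-signed commits; only needed when there is something to commit.
      - name: Setup gitsign
        if: steps.update.outputs.changed == 'true'
        uses: chainguard-dev/actions/setup-gitsign@4ed96e952ef2982fe89a50f3c40e9643bb9fe803 # v1.6.3

      - name: Create Pull Request
        if: steps.update.outputs.changed == 'true'
        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        id: cpr
        with:
          # Scoped octo-sts token rather than GITHUB_TOKEN so the PR triggers
          # the usual checks.
          token: ${{ steps.octo-sts.outputs.token }}
          commit-message: |
            chore(oscap): update CA cert SHA from Wolfi

            Image: ${{ env.IMAGE_REF }}
            Digest: ${{ steps.image.outputs.digest }}
            CA SHA: ${{ steps.ca.outputs.sha }}

            Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
          # One branch per CA hash: re-runs for the same bundle update the
          # existing PR instead of opening a duplicate.
          branch: update-ca-cert-${{ steps.ca.outputs.sha }}
          delete-branch: true
          title: "chore(oscap): update CA cert SHA"
          body: |
            ## CA Certificate Update

            Updates the CA certificate hash in OSCAP datastream.

            - **Image**: `${{ env.IMAGE_REF }}`
            - **Digest**: `${{ steps.image.outputs.digest }}`
            - **New CA SHA256**: `${{ steps.ca.outputs.sha }}`
          labels: |
            automated pr

      #- name: Enable auto-merge
      #  if: steps.cpr.outputs.pull-request-number != ''
      #  run: |
      #    gh pr merge --auto --squash \
      #      "https://github.com/${{ github.repository }}/pull/${{ steps.cpr.outputs.pull-request-number }}"
      #  env:
      #    GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}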