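# Resolves the Wolfi base image tag to a digest, verifies its Sigstore
# signature, hashes the CA bundle inside it and opens a PR that writes the
# new SHA-256 into the OSCAP datastream.
name: Update CA cert hash in datastream

on:
  workflow_dispatch:
  schedule:
    - cron: "0 1 * * *" # Daily at 1 AM UTC
  push:
    branches:
      - main
    paths:
      - ".github/workflows/update-ca-cert.yaml"
      # A bare filename only matches a file at the repository root; the
      # "**/" prefix makes the filter cover the nested DATASTREAM_PATH below.
      - "**/ssg-chainguard-gpos-ds.xml"

concurrency:
  group: update-ca-cert-${{ github.ref }}
  cancel-in-progress: false

permissions:
  contents: read

jobs:
  update-ca-cert:
    runs-on: ubuntu-latest
    if: ${{ github.repository_owner == 'chainguard-dev' }}
    timeout-minutes: 10
    permissions:
      contents: read
      id-token: write # OIDC token for octo-sts and gitsign
      # NOTE(review): the PR is opened with the octo-sts token (see the
      # Create Pull Request step), so these two scopes on GITHUB_TOKEN look
      # unused here — confirm nothing else needs them and drop them.
      pull-requests: write
      issues: write
    env:
      IMAGE_REF: cgr.dev/chainguard/wolfi-base:latest
      DATASTREAM_PATH: gpos/xml/scap/ssg/content/ssg-chainguard-gpos-ds.xml
      # NOTE(review): not referenced by any step in this workflow.
      TESTS_PATH: tests
    steps:
      # Installed before checkout so the checkout's egress is audited too.
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          # "audit" only logs; move to "block" with an allowed-endpoints
          # list once the hosts this job needs (cgr.dev, sigstore, GitHub)
          # have been confirmed from the audit output.
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Generate token for PR
        uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
        id: octo-sts
        with:
          scope: ${{ github.repository }}
          identity: ca-cert-updater

      - name: Install cosign
        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0

      - name: Setup crane
        uses: imjasonh/setup-crane@6da1ae018866400525525ce74ff892880c099987 # v0.5

      # Outputs: digest (sha256:<hex>) and full_ref (repo@digest). Both are
      # written only after the signature check passed, so downstream steps
      # can never see an unverified reference.
      - name: Pull and verify image
        id: image
        run: |
          set -euo pipefail
          # Pin the floating tag to a digest so every later step and the PR
          # refer to exactly the manifest that was verified.
          DIGEST=$(crane digest "${IMAGE_REF}")
          if ! [[ "${DIGEST}" =~ ^sha256:[0-9a-f]{64}$ ]]; then
            echo "::error::Unexpected digest format from registry: ${DIGEST}"
            exit 1
          fi
          FULL_REF="${IMAGE_REF%:*}@${DIGEST}"
          # cosign matches the identity regexp unanchored, so the pattern is
          # anchored with ^...$ and the dot escaped; otherwise any identity
          # merely containing this prefix would be accepted.
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '^https://github\.com/chainguard-images/images/.*$' \
            "${FULL_REF}" || {
            echo "::error::Image signature verification failed for ${FULL_REF}"
            exit 1
          }
          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
          echo "full_ref=${FULL_REF}" >> "$GITHUB_OUTPUT"

      # Output: sha (64 lowercase hex chars) of /etc/ssl/certs/ca-certificates.crt.
      - name: Extract CA certificate SHA
        id: ca
        env:
          # Passed via env, not inlined as ${{ }} in the script (same pattern
          # as CA_CERT_SHA below), so step outputs never become shell source.
          FULL_REF: ${{ steps.image.outputs.full_ref }}
          DIGEST: ${{ steps.image.outputs.digest }}
        run: |
          set -euo pipefail
          # With pipefail a missing bundle path makes tar fail the step
          # instead of silently hashing an empty stream.
          SHA=$(crane export "${FULL_REF}" - \
            | tar -xO etc/ssl/certs/ca-certificates.crt \
            | sha256sum | cut -d' ' -f1)
          # The value is spliced into a sed replacement and a branch name
          # later, so insist on exactly 64 hex characters.
          if ! [[ "${SHA}" =~ ^[0-9a-f]{64}$ ]]; then
            echo "::error::Unexpected CA bundle hash: ${SHA}"
            exit 1
          fi
          echo "sha=${SHA}" >> "$GITHUB_OUTPUT"
          cat >> "$GITHUB_STEP_SUMMARY" <<EOF
          ### CA Certificate Update
          - **Image**: \`${IMAGE_REF}\`
          - **Digest**: \`${DIGEST}\`
          - **CA SHA256**: \`${SHA}\`
          EOF

      # Output: changed ("true"/"false") — whether the datastream was modified.
      - name: Update datastream with new SHA
        id: update
        env:
          CA_CERT_SHA: ${{ steps.ca.outputs.sha }}
        run: |
          set -euo pipefail
          if [ ! -f "${DATASTREAM_PATH}" ]; then
            echo "::error::Datastream file not found: ${DATASTREAM_PATH}"
            exit 1
          fi
          # Fail if there is no hash element at all; otherwise a no-op sed
          # would be reported below as "already up to date".
          HASH_RE='<[^>]*hash>[^<]*</[^>]*hash>'
          if ! grep -Eq "${HASH_RE}" "${DATASTREAM_PATH}"; then
            echo "::error::No <...hash> element found in ${DATASTREAM_PATH}"
            exit 1
          fi
          BACKUP="${DATASTREAM_PATH}.bak"
          # Never leave the backup behind: an untracked .bak in the working
          # tree would otherwise be picked up by the PR commit.
          trap 'rm -f "${BACKUP}"' EXIT
          cp "${DATASTREAM_PATH}" "${BACKUP}"
          # NOTE(review): this rewrites EVERY element whose tag ends in
          # "hash" (/g flag, any element name). If the datastream ever
          # carries hashes for other files they are overwritten as well —
          # consider scoping the pattern to the CA-bundle check's element.
          sed -i -E "s|(<[^>]*hash>)[^<]*(</[^>]*hash>)|\1${CA_CERT_SHA}\2|g" "${DATASTREAM_PATH}"
          if cmp -s "${BACKUP}" "${DATASTREAM_PATH}"; then
            CHANGED=false
            echo "No changes needed - SHA already up to date"
          else
            CHANGED=true
            echo "Updated datastream with new SHA: ${CA_CERT_SHA}"
          fi
          echo "changed=${CHANGED}" >> "$GITHUB_OUTPUT"
          # Use the shell variable here: a step cannot read its own
          # steps.<id>.outputs through ${{ }} — that expression is expanded
          # before the step runs and would always be empty.
          {
            echo "### Datastream Update Summary"
            echo "- **File**: \`${DATASTREAM_PATH}\`"
            echo "- **New SHA**: \`${CA_CERT_SHA}\`"
            if [ "${CHANGED}" = true ]; then
              echo "- **Status**: Updated"
            else
              echo "- **Status**: Already up-to-date"
            fi
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Setup gitsign
        if: steps.update.outputs.changed == 'true'
        uses: chainguard-dev/actions/setup-gitsign@7440e20e3e0bb180a2f6e330bcd53504e2ac8980 # v1.6.8

      # Opens the PR with the octo-sts token, not GITHUB_TOKEN, so the
      # resulting PR still triggers other workflows.
      - name: Create Pull Request
        if: steps.update.outputs.changed == 'true'
        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        id: cpr
        with:
          token: ${{ steps.octo-sts.outputs.token }}
          commit-message: |
            chore(oscap): update CA cert SHA from Wolfi

            Image: ${{ env.IMAGE_REF }}
            Digest: ${{ steps.image.outputs.digest }}
            CA SHA: ${{ steps.ca.outputs.sha }}

            Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
          branch: update-ca-cert-${{ steps.ca.outputs.sha }}
          delete-branch: true
          title: "chore(oscap): update CA cert SHA"
          body: |
            ## CA Certificate Update

            Updates the CA certificate hash in OSCAP datastream.

            - **Image**: `${{ env.IMAGE_REF }}`
            - **Digest**: `${{ steps.image.outputs.digest }}`
            - **New CA SHA256**: `${{ steps.ca.outputs.sha }}`
          labels: |
            automated pr

      # Auto-merge is intentionally left disabled: an unreviewed change to
      # the trusted-CA hash would land on main with no human in the loop.
      #- name: Enable auto-merge
      #  if: steps.cpr.outputs.pull-request-number != ''
      #  run: |
      #    gh pr merge --auto --squash \
      #      "https://github.com/${{ github.repository }}/pull/${{ steps.cpr.outputs.pull-request-number }}"
      #  env:
      #    GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}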