-
Notifications
You must be signed in to change notification settings - Fork 77
79 lines (71 loc) · 3.34 KB
/
sync-preprod-to-prod.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
#
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Sync Preprod Repository with GCS Prod Bucket
on:
workflow_dispatch:
jobs:
sync:
if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing') || (github.event_name != 'schedule') # Don't run workflow in forks on cron
runs-on: ubuntu-latest
permissions:
id-token: 'write'
steps:
# Setup OIDC->SA auth
- uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
id: auth
with:
token_format: 'access_token'
workload_identity_provider: 'projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
service_account: 'tuf-gha@project-rekor.iam.gserviceaccount.com'
create_credentials_file: true
- uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
with:
project_id: project-rekor
- name: login
run: |
gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
gcloud auth list
- name: sync
run: |
# download preprod bucket and copy over to production bucket
gcloud --quiet storage cp -r gs://sigstore-preprod-tuf-root/ .
# upload all but TUF timestamp. Once timestamp is uploaded, all other files must have been uploaded.
for f in $(ls sigstore-preprod-tuf-root/ -I *timestamp.json)
do
gcloud --quiet storage cp --cache-control=no-store -r sigstore-preprod-tuf-root/$f gs://sigstore-tuf-root/
done
# upload timestamp
gcloud --quiet storage cp --cache-control=no-store -r sigstore-preprod-tuf-root/*timestamp.json gs://sigstore-tuf-root/
# delete any files present in sigstore-tuf-root not in sigstore-preprod-tuf-root
gcloud --quiet storage cp -r gs://sigstore-tuf-root/ .
diff -qr sigstore-preprod-tuf-root sigstore-tuf-root | while read l; do
if [[ $l =~ "Only in sigstore-tuf-root" ]]; then
path=$(python3 -c "import re; s='$l'; pattern=r'^Only in sigstore-tuf-root(\/?)(.*): (.*)$'; match=re.search(pattern, s); print('/'.join([match.group(2), match.group(3)]).lstrip('/'))")
gcloud --quiet storage rm gs://sigstore-tuf-root/$path
fi;
done
gcloud compute url-maps invalidate-cdn-cache tuf-repo-cdn-lb --path "/*" --async
if-failed:
runs-on: ubuntu-latest
needs: [sync]
permissions:
issues: 'write'
actions: 'read'
if: always() && needs.sync.result == 'failure'
steps:
- name: Open issue or add comment on failure
uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main
with:
comment_for_each_failure: true