diff --git a/.github/workflows/reinstate-images.yaml b/.github/workflows/reinstate-images.yaml
new file mode 100644
index 000000000..6cd4f0961
--- /dev/null
+++ b/.github/workflows/reinstate-images.yaml
@@ -0,0 +1,41 @@
+on:
+ workflow_dispatch:
+ inputs:
+ dry_run:
+ type: boolean
+ default: 'true'
+ description: If true, just log
+
+permissions:
+ contents: read
+
+jobs:
+ reinstate:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+ - uses: chainguard-dev/setup-chainctl@598499528905f95b94e62e4831cf42035e768933 # v0.2.3
+ with:
+ identity: 720909c9f5279097d847ad02a2f24ba8f59de36a/b6461e99e132298f
+ - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
+ - name: Reinstate images
+ env:
+ DRY_RUN: ${{ github.event.inputs.dry_run }}
+ run: |
+ set -x
+ for img in $(grep -v '\#' reinstated-images.txt); do
+ tag_ref="$(echo $img | cut -d@ -f1)"
+ digest_ref="$(echo $img | sed 's/:[^@]*@/@/')"
+ # Note: if "crane digest" passes, do not attempt to retag it
+ if [[ "$DRY_RUN" == "false" ]]; then
+ crane digest "$tag_ref" || crane tag "$digest_ref" "$tag_ref" || true
+ else
+ echo "DRY RUN: crane digest "$tag_ref" || crane tag "$digest_ref" "$tag_ref" || true"
+ fi
+ done
diff --git a/reinstated-images.txt b/reinstated-images.txt
new file mode 100644
index 000000000..1b3eb4d5e
--- /dev/null
+++ b/reinstated-images.txt
@@ -0,0 +1,3 @@
+# These 2 are just for testing
+cgr.dev/chainguard/curl:test1@sha256:8bf944b98bdef5ab6b4ef4bd6992d6a5ad5c008b51c119a78ffc385273a36eec
+cgr.dev/chainguard/curl:test1-dev@sha256:98e4086d13835d7355e6c833472deed831e118becfd65fb806f951f2900efa4c
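Review bot: The retag line in the `Reinstate images` step, `crane digest "$tag_ref" || crane tag "$digest_ref" "$tag_ref" || true`, can never fail the job and never checks that an existing tag resolves to the digest listed in reinstated-images.txt. A tag that already exists on a different digest is skipped silently, a registry or auth error from `crane digest` is handled as if the tag were missing, and a failed `crane tag` is swallowed by `|| true`, so a green run does not show that the listed images were reinstated. I would capture the `crane digest` output, compare it with the expected digest, and exit non-zero at the end if any entry mismatched or failed to tag, while keeping the existing no-overwrite behaviour. The job holds `id-token: write` and a chainctl identity, so the run result should be an accurate record of what was and was not written.

```yaml
        run: |
          set -x
          failed=0
          for img in $(grep -v '\#' reinstated-images.txt); do
            # … unchanged: tag_ref and digest_ref derivation …
            want="${img##*@}"
            if [[ "$DRY_RUN" == "false" ]]; then
              if have="$(crane digest "$tag_ref")"; then
                # Tag already exists: do not retag, but surface a digest mismatch.
                if [[ "$have" != "$want" ]]; then
                  echo "::error::$tag_ref resolves to $have, expected $want"
                  failed=1
                fi
              elif ! crane tag "$digest_ref" "$tag_ref"; then
                echo "::error::failed to tag $tag_ref"
                failed=1
              fi
            else
              # … unchanged: dry-run echo …
            fi
          done
          exit "$failed"
```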