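#!/bin/bash
# Creates specified trusted artifacts in an OCI repository
#
# The --store parameter is an image reference used to specify the repository, e.g.
# registry.local/org/repo. If the image reference contains a tag, it is ignored.
#
# The --results parameter is unused. It is accepted (and ignored) for compatibility with the
# non-oci support.
#
# Positional parameters are artifact pairs. These are strings. Each contains two parts separated by
# an equal sign (=). The left portion refers to the name of the artifact while the right side
# specifies the files to be included in the artifact. The left portion is a filepath that specifies
# where the metadata about the created artifact will be written to. The right side denotes the file
# to be included in the artifact. If the file is a directory, the directory is included recursively.
# For example, /home/user/artifact=/home/user/src means the artifact will be created with the
# contents of the /home/user/src. Information about this artifact will be written to
# /home/user/artifact.
#
# Environment:
#   DEBUG                - if set, tar is verbose and the shell traces every command (xtrace).
#   IMAGE_EXPIRES_AFTER  - if non-empty, written as the quay.expires-after label of the OCI config.
#
set -o errexit
set -o nounset
set -o pipefail

tar_opts=-mczf
if [[ -v DEBUG ]]; then
  tar_opts=-mcvzf
  set -o xtrace
fi

# This ensures gzip does not add a modification time to the output. This helps in ensuring the
# archive digest is the same for the same content.
export GZIP=-n

# Temporary locations created by this script; removed by cleanup() on any exit path.
archive_dir=""
config_file=""

#######################################
# Prints a message to stderr and exits with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Removes the temporary archive directory and config file, if they were created.
# Globals:   archive_dir (read), config_file (read)
#######################################
cleanup() {
  [[ -n "${archive_dir}" ]] && rm -rf -- "${archive_dir}"
  [[ -n "${config_file}" ]] && rm -f -- "${config_file}"
  return 0
}

#######################################
# Strips the tag from an image reference, e.g. registry.local/org/repo:tag -> registry.local/org/repo.
# A port in the registry host (registry.local:5000/org/repo) is kept because the pattern only
# matches a colon that follows a slash.
# Arguments: $1 - image reference
# Outputs:   the repository reference without a tag, to stdout
#######################################
strip_tag() {
  printf '%s' "$1" | sed 's_/\(.*\):\(.*\)_/\1_g'
}

#######################################
# Creates a gzip-compressed tar archive of a path.
# Globals:   tar_opts (read)
# Arguments: $1 - archive file to create
#            $2 - path to archive (file or directory; may not exist)
#######################################
create_archive() {
  local archive=$1
  local path=$2
  if [[ ! -r "${path}" ]]; then
    # non-existent (or unreadable) paths result in empty archives
    tar "${tar_opts}" "${archive}" --files-from /dev/null
  elif [[ -d "${path}" ]]; then
    # archive the whole directory
    tar "${tar_opts}" "${archive}" -C "${path}" .
  else
    # archive a single file; dirname/basename also handle a relative file with no slash,
    # where "${path%/*}" would wrongly yield the file name itself as the -C directory
    tar "${tar_opts}" "${archive}" -C "$(dirname -- "${path}")" "$(basename -- "${path}")"
  fi
}

#######################################
# Writes an OCI image config carrying the quay.expires-after label to a new temp file.
# Globals:   IMAGE_EXPIRES_AFTER (read), config_file (written)
# Outputs:   the oras --config value (path:media type), to stdout
#######################################
write_expiry_config() {
  # If provided, oras requires the config file to be an existing file on disk. Using
  # a here file, i.e. <(...), does not work.
  config_file="$(mktemp)"
  # Build the JSON with jq --arg so the label value is properly escaped rather than spliced
  # into a JSON string by hand (a value containing a quote would otherwise break the document).
  jq -n --arg expires_after "${IMAGE_EXPIRES_AFTER}" \
    '{config: {Labels: {"quay.expires-after": $expires_after}}}' > "${config_file}"
  printf '%s' "${config_file}:application/vnd.oci.image.config.v1+json"
}

#######################################
# Parses arguments, archives every artifact pair, writes the digest references and pushes the
# archives to the OCI repository.
# Globals:   archive_dir (written), IMAGE_EXPIRES_AFTER (read), oras_opts (via oras_opts.sh)
# Arguments: --store <image ref>, [--results <ignored>], <result path>=<source path>...
#######################################
main() {
  local store=""
  # contains {result path}={artifact source path} pairs
  local -a artifact_pairs=()
  while [[ $# -gt 0 ]]; do
    case "$1" in
      --store)
        [[ $# -ge 2 ]] || die "--store requires an image reference"
        store="$2"
        shift 2
        ;;
      --results)
        # unused; accepted for compatibility with the non-oci implementation
        [[ $# -ge 2 ]] || die "--results requires an argument"
        shift 2
        ;;
      -*)
        die "Unknown option $1"
        ;;
      *)
        artifact_pairs+=("$1")
        shift
        ;;
    esac
  done

  if [[ -z "${store}" ]]; then
    die "--store cannot be empty when creating OCI artifacts"
  fi

  trap cleanup EXIT
  archive_dir="$(mktemp -d)"

  local repo
  repo="$(strip_tag "${store}")"

  local -a artifacts=()
  local artifact_pair result_path path artifact_name archive digest
  for artifact_pair in "${artifact_pairs[@]}"; do
    # Without a separator the same path would be both source and result file, so the result
    # write would clobber the source; reject it instead.
    if [[ "${artifact_pair}" != *=* ]]; then
      die "Artifact pair must be of the form <result path>=<source path>: ${artifact_pair}"
    fi
    result_path="${artifact_pair%%=*}"
    path="${artifact_pair##*=}"

    if [[ -f "${path}/.skip-trusted-artifacts" ]]; then
      printf 'WARN: found skip file in %s\n' "${path}"
      continue
    fi

    artifact_name="$(basename -- "${result_path}")"
    archive="${archive_dir}/${artifact_name}"
    create_archive "${archive}" "${path}"

    digest="$(sha256sum "${archive}")"
    digest="${digest%% *}"
    printf 'oci:%s@sha256:%s' "${repo}" "${digest}" > "${result_path}"
    artifacts+=("${artifact_name}")
    printf 'Prepared artifact from %s (sha256:%s)\n' "${path}" "${digest}"
  done

  local config=""
  if [[ -n "${IMAGE_EXPIRES_AFTER:-}" ]]; then
    config="$(write_expiry_config)"
  fi

  if [[ ${#artifacts[@]} -ne 0 ]]; then
    # read in any oras options
    source oras_opts.sh
    pushd "${archive_dir}" > /dev/null
    # The registry config is handed to oras through a process substitution so it never has to
    # be written to a file on disk by this script.
    oras push "${oras_opts[@]}" --registry-config <(select-oci-auth.sh "${repo}") "${store}" \
      --config="${config}" "${artifacts[@]}"
    popd > /dev/null
    echo 'Artifacts created'
  fi
}

main "$@"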