chainguard Integration

.github/actions/build-push-kotsadm-image/action.yml

@@ -0,0 +1,97 @@
+name: 'Build and push kotsadm image'
+description: 'Composite action for building and pushing kotsadm image'
+inputs:
+  chainguard-gcp-wif-pool:
+    description: 'GCP workload identity pool for Chainguard'
+    required: true
+
+  chainguard-gcp-sa:
+    description: 'GCP service account for Chainguard'
+    required: true
+
+  chainguard-gcp-project-id:
+    description: 'GCP project ID for Chainguard'
+    required: true
+
+  image-name:
+    description: 'Full destination kotsadm image name'
+    required: true
+
+  git-tag:
+    description: 'Git tag'
+    required: true
+
+  registry-username:
+    description: 'Username to login to registry'
+    default: ''
+    required: false
+
+  registry-password:
+    description: 'Password to login to registry'
+    default: ''
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
+      with:
+        workload_identity_provider: ${{ inputs.chainguard-gcp-wif-pool }}
+        service_account: ${{ inputs.chainguard-gcp-sa }}
+
+    - uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
+      with:
+        project_id: ${{ inputs.chainguard-gcp-project-id }}
+
+    - name: setup packages gcsfuse
+      env:
+        BUCKET: replicated-apk-registry
+      shell: bash
+      run: |
+        # Install gcsfuse
+        export GCSFUSE_REPO=gcsfuse-`lsb_release -c -s`
+        echo "deb [signed-by=/usr/share/keyrings/cloud.google.asc] https://packages.cloud.google.com/apt $GCSFUSE_REPO main" | sudo tee /etc/apt/sources.list.d/gcsfuse.list
+        curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo tee /usr/share/keyrings/cloud.google.asc
+        sudo apt-get update -y
+        sudo apt-get install gcsfuse -y
+
+        # Set up a gcsfuse RO mount to the bucket containing private packages. This is a cheap and
+        # cheerful way to get access to objects we need, without having to fetch all of them.
+        mkdir -p /tmp/gcsfuse/apk-repo
+        gcsfuse -o ro --implicit-dirs --only-dir os ${BUCKET} /tmp/gcsfuse/apk-repo
+
+        # Symlink the gcsfuse mount to ./packages/$arch/*.apk
+        mkdir -p ./packages/x86_64
+        ln -s /tmp/gcsfuse/apk-repo/x86_64/*.apk ./packages/x86_64/
+
+        # Make a copy of the APKINDEX.* since we'll need to write to it on package builds
+        cp /tmp/gcsfuse/apk-repo/x86_64/APKINDEX.* ./packages/x86_64/
+
+        ls -lR ./packages/
+
+    - name: template melange and apko configs
+      shell: bash
+      run: |
+        export GIT_TAG=${{ inputs.git-tag }}
+        envsubst '${GIT_TAG}' < deploy/melange.yaml.tmpl > deploy/melange.yaml
+        envsubst '${GIT_TAG}' < deploy/apko.yaml.tmpl > deploy/apko.yaml
+
+    - id: cache-dir
+      shell: bash
+      run: echo "cache_dir=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
+
+    - uses: chainguard-dev/actions/melange-build@main
+      with:
+        config: deploy/melange.yaml
+        archs: x86_64
+        sign-with-temporary-key: true
+        cache-dir: ${{ steps.cache-dir.outputs.cache_dir }}
+
+    - uses: chainguard-images/actions/apko-publish@main
+      with:
+        config: deploy/apko.yaml
+        archs: x86_64
+        tag: ${{ inputs.image-name }}
+        vcs-url: true
+        generic-user: ${{ inputs.registry-username }}
+        generic-pass: ${{ inputs.registry-password }}