Merge pull request #1 from imjasonh/initial

initial commit

Author: imjasonh

README.md

@@ -0,0 +1,27 @@
+# Setup `chainctl`
+
+This action installs the latest `chainctl` binary for a particular environment
+and authenticates with it using identity tokens.
+
+## Usage
+
+```yaml
+- uses: chainguard-dev/setup-chainctl@main
+  with:
+    # the ID of the identity this workload should assume when speaking to Chainguard APIs.
+    identity: "..."
+```
+
+## Scenarios
+
+```yaml
+permissions:
+  id-token: write
+
+steps:
+- uses: chainguard-dev/setup-chainctl@main
+  with:
+    identity: "deadbeef/badf00d"
+```
+
+See [Authenticating to Chainguard Registry](https://edu.chainguard.dev/chainguard/chainguard-images/registry/authenticating/#authenticating-with-github-actions) for more information about creating an identity to pull images from cgr.dev from GitHub Actions, using `setup-chainctl`.

action.yaml

@@ -0,0 +1,115 @@
+# Copyright 2022 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: 'Setup chainctl'
+description: |
+  This action sets up the Chainguard chainctl CLI and authenticates
+  it against the target environment.
+
+inputs:
+  environment:
+    description: |
+      Determines the environment from which to download the chainctl
+      binary from.
+    required: true
+    default: enforce.dev
+
+  identity:
+    description: |
+      The id of the identity that this workflow should assume for
+      performing actions with chainctl.
+    required: false
+
+  audience:
+    description: |
+      Specifies the identity token audience to use when creating an
+      identity token to authenticate with Chainguard.
+      Defaults to issuer.${environment}
+
+      This field is DEPRECATED, use identity instead.
+    required: false
+
+  invite-code:
+    description: |
+      Optionally specifies an invite code that allows this workflow
+      register itself when run for the first time.
+
+      Use of invite codes is DEPRECATED, use identity instead.
+    required: false
+
+runs:
+  using: "composite"
+
+  steps:
+    - name: Install chainctl
+      shell: bash
+      run: |
+        cd $(mktemp -d)
+        wget --quiet -U "GitHub setup-chainctl" -O chainctl "https://dl.${{ inputs.environment }}/chainctl/latest/chainctl_linux_$(uname -m)"
+        CHAINCTL_INSTALL_PATH="${HOME}/.local/bin"
+        # Ensure install directory is on the PATH for future steps
+        echo "${CHAINCTL_INSTALL_PATH}" >> "${GITHUB_PATH}"
+        install -D --mode 0555 ./chainctl --target-directory "${CHAINCTL_INSTALL_PATH}"
+
+    - name: Authenticate with Chainguard (assumed identity)
+      shell: bash
+      if: ${{ inputs.identity != '' }}
+      env:
+        CHAINCTL_DEBUG: "true"
+      run: |
+        if chainctl auth login --identity "${{ inputs.identity }}"; then
+          echo Logged in as ${{ inputs.identity }}!
+        else
+          echo Unable to assume the identity ${{ inputs.identity }}.
+          exit 1
+        fi
+        if ! chainctl auth configure-docker --identity "${{ inputs.identity }}"; then
+          echo Unable to register credential helper as ${{ inputs.identity }}.
+          exit 1
+        fi
+
+    - name: Authenticate with Chainguard (DEPRECATED invite-code)
+      shell: bash
+      if: ${{ inputs.invite-code != '' }}
+      env:
+        CHAINGUARD_INVITE_CODE: ${{ inputs.invite-code }}
+        CHAINCTL_DEBUG: "true"
+      run: |
+        echo "::warning::The use of invite codes with Github actions is deprecated, use assumed identities instead."
+
+        AUDIENCE="${{ inputs.audience }}"
+        if [[ -z "${AUDIENCE}" ]]; then
+          AUDIENCE=issuer.${{ inputs.environment }}
+        fi
+        IDTOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=${AUDIENCE}" | jq -r '.value')
+
+        # This will start failing once the invite code expires, which is why we have the login guard.
+        if chainctl auth login --create-group=false --identity-token "${IDTOKEN}" --invite-code="${CHAINGUARD_INVITE_CODE}"; then
+          echo Logged in!
+        else
+          echo Failed to log in with invite code
+          exit 1
+        fi
+
+    - name: Authenticate with Chainguard (DEPRECATED registered identity)
+      shell: bash
+      if: ${{ inputs.identity == '' && inputs.invite-code == '' }}
+      env:
+        CHAINGUARD_INVITE_CODE: ${{ inputs.invite-code }}
+        CHAINCTL_DEBUG: "true"
+      run: |
+        echo "::warning::The use of registered Github actions identities is deprecated, use assumed identities instead."
+
+        AUDIENCE="${{ inputs.audience }}"
+        if [[ -z "${AUDIENCE}" ]]; then
+          AUDIENCE=issuer.${{ inputs.environment }}
+        fi
+        IDTOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=${AUDIENCE}" | jq -r '.value')
+
+        if chainctl auth login --identity-token "${IDTOKEN}"; then
+          echo Logged in!
+        else
+          echo No invite code is present!  Failing since registration will not do any good.
+          echo Configure a secret named CHAINGUARD_INVITE_CODE to have this workload register itself.
+          exit 1
+        fi