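#!/bin/bash
set -eu
# Simple script to handle skopeo copying of images from staging to release registries.
# Simplifies usage in actions and handles any GPG set up.
#
# Optional variables:
# GPG_KEY - the name/fingerprint of a locally installed GPG key to use for signing images on release.
#           When unset or empty, images are copied without signing.
# SKOPEO_IMAGE - the skopeo container image to run (default: quay.io/skopeo/stable:latest).
#           The container is handed the private signing key and the release credentials,
#           so release pipelines should point this at a digest-pinned reference
#           (e.g. quay.io/skopeo/stable@sha256:<digest>) rather than the mutable `latest` tag.
#
# Required to be set prior to calling this:
# VERSION - the tag we are releasing, e.g. 1.9.1
# RELEASE_CREDS - the credentials required to push images to the release registry
# STAGING_IMAGE_NAME - the source image to pull from staging
# RELEASE_IMAGE_NAME - the destination image for pushing to release

# Fail early with a clear message rather than part-way through a release.
: "${VERSION:?VERSION must be set}"
: "${RELEASE_CREDS:?RELEASE_CREDS must be set}"
: "${STAGING_IMAGE_NAME:?STAGING_IMAGE_NAME must be set}"
: "${RELEASE_IMAGE_NAME:?RELEASE_IMAGE_NAME must be set}"

# GPG_KEY is optional: give it an empty default so `set -u` does not abort when it is unset.
GPG_KEY="${GPG_KEY:-}"
SKOPEO_IMAGE="${SKOPEO_IMAGE:-quay.io/skopeo/stable:latest}"

# Directory holding the exported private key; empty when signing is disabled.
GPG_EXPORT_DIR=""

# Remove the exported private key on every exit path, including failures under `set -e`.
cleanup() {
  if [[ -n "$GPG_EXPORT_DIR" ]]; then
    rm -rf -- "$GPG_EXPORT_DIR"
  fi
}
trap cleanup EXIT

if [[ -n "$GPG_KEY" ]]; then
  # Export the key once, into a private (mode 0700) unpredictable directory, instead of a
  # fixed path under /tmp that other local users could pre-create or read.
  GPG_EXPORT_DIR="$(mktemp -d)"
  # Only the secret-key export command is given: gpg expects a single command per invocation.
  gpg --output "$GPG_EXPORT_DIR/private.gpg" --armor --export-secret-keys "$GPG_KEY"
fi

# We do it tag-by-tag as Cosign signatures cause problems for Skopeo plus
# this prevents us releasing the wrong subset of images in staging if we use `sync`
declare -a TAGS_TO_SYNC=("$VERSION" "latest" "$VERSION-debug" "latest-debug")

for TAG in "${TAGS_TO_SYNC[@]}"; do
  SOURCE_REF="docker://$STAGING_IMAGE_NAME:$TAG"
  DEST_REF="docker://$RELEASE_IMAGE_NAME:$TAG"

  # Copy all architectures
  # Use the skopeo image as it is not available until Ubuntu 20.10
  # NOTE(review): --dest-creds places RELEASE_CREDS on the command line, where it may be
  # visible in process listings on the runner; an auth file would avoid that if available.
  if [[ -z "$GPG_KEY" ]]; then
    docker run --rm \
      "$SKOPEO_IMAGE" \
      copy \
      --all \
      --src-no-creds \
      --dest-creds "$RELEASE_CREDS" \
      "$SOURCE_REF" \
      "$DEST_REF"
  else
    # We first need to import the key then copy over the image all in the same container.
    # There's no good way to import the key into the container currently so we hijack the entrypoint.
    # Values are passed as positional parameters ($1..$4) to a single-quoted script so that
    # spaces or shell metacharacters in them are never re-parsed by the inner shell.
    # The key directory is mounted read-only: the container only needs to import from it.
    docker run --rm \
      -v "$GPG_EXPORT_DIR:/skopeo-gpg:ro" \
      --entrypoint=/bin/bash \
      "$SKOPEO_IMAGE" -c '
        gpg --import /skopeo-gpg/private.gpg && \
        skopeo \
          copy \
          --all --remove-signatures \
          --sign-by "$1" \
          --src-no-creds \
          --dest-creds "$2" \
          "$3" \
          "$4"' \
      skopeo-sync "$GPG_KEY" "$RELEASE_CREDS" "$SOURCE_REF" "$DEST_REF"
  fi
done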