vendor-libraries #9
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: vendor-libraries | |
| on: | |
| workflow_dispatch: | |
| env: | |
| CLEAR_SRC_ULTRALYTICS: "false" | |
| OVERWRITE_CHAINGUARD_LIBRARIES: "true" | |
| OVERWRITE_PYPI_BEFORE_ATTACK: "false" | |
| permissions: {} | |
| jobs: | |
| setup: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| id-token: write | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.ref }} | |
| - name: Setup Git | |
| run: | | |
| git config --global user.email "gha@users.noreply.github.com" | |
| git config --global user.name "github-actions" | |
| - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0 | |
| id: octo-sts | |
| with: | |
| scope: chainguard-dev/libraries-ultralytics-attack-demo | |
| identity: vendor-libraries | |
| - name: Clear contents of src/ultralytics | |
| if: env.CLEAR_SRC_ULTRALYTICS == 'true' | |
| run: | | |
| echo "Clearing src/ultralytics/" | |
| rm -rf src/ultralytics || true | |
| git rm -r vendored/* || true | |
| mkdir -p src/ultralytics | |
| git add src/ultralytics/ | |
| git commit --allow-empty -m "Cleared src/ultralytics due to CLEAR_SRC_ULTRALYTICS==true" | |
| git push origin HEAD | |
| - name: Auth for Chainguard Libraries | |
| if: env.OVERWRITE_CHAINGUARD_LIBRARIES == 'true' | |
| uses: chainguard-dev/setup-chainctl@be0acd273acf04bfdf91f51198327e719f6af978 #v0.4.0 | |
| with: | |
| identity: "4cf15780a13a9b6576d8b357e6524554c8c12a18/aab27dc39ad870c9" | |
| - name: Install cosign for chainctl libraries verify | |
| if: env.OVERWRITE_CHAINGUARD_LIBRARIES == 'true' | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad #v4.0.0 | |
| - name: Verify Chainguard Library from CHAINGUARD_LIBRARIES | |
| if: env.OVERWRITE_CHAINGUARD_LIBRARIES == 'true' | |
| run: | | |
| set -euo pipefail | |
| echo "Verifying ultralytics from Chainguard Libraries..." | |
| mkdir -p tmp_wheels tmp_unzip | |
| eval $(chainctl auth pull-token --repository=python --parent=cgr-demo.com --ttl=1m --output=env) | |
| curl -L --user "$CHAINGUARD_PYTHON_IDENTITY_ID:$CHAINGUARD_PYTHON_TOKEN" \ | |
| -o tmp_wheels/ultralytics-8.3.40-py3-none-any.whl \ | |
| https://libraries.cgr.dev/python/files/15f7d141c3b76b85/37e321caa85a8f41/ultralytics/ultralytics-8.3.40-py3-none-any.whl#sha256=b2b05c4c61b6a93fb4c7c052c47cd6c30ab7915131dee70a862da1a09acf3d85 | |
| chainctl libraries verify tmp_wheels/ultralytics-8.3.40-py3-none-any.whl | |
| - name: Vendor from CHAINGUARD_LIBRARIES | |
| if: env.OVERWRITE_CHAINGUARD_LIBRARIES == 'true' | |
| run: | | |
| echo "Vendoring ultralytics from Chainguard Libraries..." | |
| unzip tmp_wheels/ultralytics-8.3.40-py3-none-any.whl -d tmp_unzip | |
| rm -rf vendor/ultralytics-chainguard || true | |
| mkdir -p vendor/ultralytics-chainguard | |
| mv tmp_unzip/ultralytics/* vendor/ultralytics-chainguard/ | |
| rm -rf tmp_wheels tmp_unzip | |
| git add vendor/ultralytics-chainguard/ | |
| if git diff --cached --quiet; then | |
| echo "No changes detected in vendor/ultralytics-chainguard — skipping commit" | |
| exit 0 | |
| fi | |
| git commit -m "Vendored ultralytics from Chainguard Libraries" | |
| git push origin HEAD | |
| - name: populate ultralytics 8-3-39 | |
| if: env.OVERWRITE_PYPI_BEFORE_ATTACK == 'true' | |
| run: | | |
| echo "Resetting vendor/ultralytics-before-attack to community ultralytics v8.3.39 from GitHub" | |
| mkdir -p tmp_wheels tmp_unzip | |
| curl -L -o tmp_wheels/ultralytics-8.3.39-py3-none-any.whl \ | |
| https://files.pythonhosted.org/packages/e7/66/3c3fd38fc2350b5c376bcfc44fa682dc4282d39856d3dfc54679a8bcec7e/ultralytics-8.3.39-py3-none-any.whl | |
| rm -rf vendor/ultralytics-before-attack || true | |
| mkdir -p vendor/ultralytics-before-attack | |
| unzip tmp_wheels/ultralytics-8.3.39-py3-none-any.whl -d tmp_unzip | |
| mv tmp_unzip/ultralytics/* vendor/ultralytics-before-attack/ | |
| rm -rf tmp_wheels tmp_unzip | |
| git add vendor/ultralytics-before-attack | |
| git commit --allow-empty -m "Reset to community ultralytics v8.3.39 from GitHub" | |
| git push origin HEAD | |