-
Notifications
You must be signed in to change notification settings - Fork 2
105 lines (84 loc) · 3.96 KB
/
Copy pathvendor-libraries.yaml
File metadata and controls
105 lines (84 loc) · 3.96 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
name: vendor-libraries
on:
workflow_dispatch:
env:
CLEAR_SRC_ULTRALYTICS: "false"
OVERWRITE_CHAINGUARD_LIBRARIES: "true"
OVERWRITE_PYPI_BEFORE_ATTACK: "false"
permissions: {}
jobs:
setup:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
fetch-depth: 0
ref: ${{ github.ref }}
- name: Setup Git
run: |
git config --global user.email "gha@users.noreply.github.com"
git config --global user.name "github-actions"
- uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
id: octo-sts
with:
scope: chainguard-dev/libraries-ultralytics-attack-demo
identity: vendor-libraries
- name: Clear contents of src/ultralytics
if: env.CLEAR_SRC_ULTRALYTICS == 'true'
run: |
echo "Clearing src/ultralytics/"
rm -rf src/ultralytics || true
git rm -r vendored/* || true
mkdir -p src/ultralytics
git add src/ultralytics/
git commit --allow-empty -m "Cleared src/ultralytics due to CLEAR_SRC_ULTRALYTICS==true"
git push origin HEAD
- name: Auth for Chainguard Libraries
if: env.OVERWRITE_CHAINGUARD_LIBRARIES == 'true'
uses: chainguard-dev/setup-chainctl@be0acd273acf04bfdf91f51198327e719f6af978 #v0.4.0
with:
identity: "4cf15780a13a9b6576d8b357e6524554c8c12a18/aab27dc39ad870c9"
- name: Verify Chainguard Library from CHAINGUARD_LIBRARIES
if: env.OVERWRITE_CHAINGUARD_LIBRARIES == 'true'
run: |
set -euo pipefail
echo "Verifying ultralytics from Chainguard Libraries..."
mkdir -p tmp_wheels tmp_unzip
eval $(chainctl auth pull-token --repository=python --parent=cgr-demo.com --ttl=1m --output=env)
curl -L --user "$CHAINGUARD_PYTHON_IDENTITY_ID:$CHAINGUARD_PYTHON_TOKEN" \
-o tmp_wheels/ultralytics-8.3.40-py3-none-any.whl
chainctl libraries verify tmp_wheels/ultralytics-8.3.40-py3-none-any.whl
- name: Vendor from CHAINGUARD_LIBRARIES
if: env.OVERWRITE_CHAINGUARD_LIBRARIES == 'true'
run: |
unzip tmp_wheels/ultralytics-8.3.40-py3-none-any.whl -d tmp_unzip
rm -rf vendor/ultralytics-chainguard || true
mkdir -p vendor/ultralytics-chainguard
mv tmp_unzip/ultralytics/* vendor/ultralytics-chainguard/
rm -rf tmp_wheels tmp_unzip
git add vendor/ultralytics-chainguard/
git commit -m "Vendored ultralytics from Chainguard Libraries"
git push origin HEAD
- name: populate ultralytics 8-3-39
if: env.OVERWRITE_PYPI_BEFORE_ATTACK == 'true'
run: |
echo "Resetting vendor/ultralytics-before-attack to community ultralytics v8.3.39 from GitHub"
mkdir -p tmp_wheels tmp_unzip
curl -L -o tmp_wheels/ultralytics-8.3.39-py3-none-any.whl \
https://files.pythonhosted.org/packages/e7/66/3c3fd38fc2350b5c376bcfc44fa682dc4282d39856d3dfc54679a8bcec7e/ultralytics-8.3.39-py3-none-any.whl
rm -rf vendor/ultralytics-before-attack || true
mkdir -p vendor/ultralytics-before-attack
unzip tmp_wheels/ultralytics-8.3.39-py3-none-any.whl -d tmp_unzip
mv tmp_unzip/ultralytics/* vendor/ultralytics-before-attack/
rm -rf tmp_wheels tmp_unzip
git add vendor/ultralytics-before-attack
git commit --allow-empty -m "Reset to community ultralytics v8.3.39 from GitHub"
git push origin HEAD