chore: add oci + release workflow (#34)

Co-authored-by: razzle <[email protected]>

Author: AustinAbro321

.gitattributes

@@ -0,0 +1,2 @@
+# Set this repository to use unix style line endings
+* text eol=lf

.github/workflows/lint.yaml

@@ -1,4 +1,4 @@
-name: Lint
+name: Lint and fmt
 on:
   pull_request:
     paths-ignore:
@@ -24,6 +24,15 @@ jobs:
       - name: Checkout
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 
+      - name: Install tools
+        uses: ./.github/actions/install-tools
+
+      - name: ensure proper go formatting
+        run: make check-fmt
+
+      - name: ensure all modules are on the same go version
+        run: make check-go-version-consistency
+
       - name: Run Revive Action by pulling pre-built image
         uses: docker://morphy/revive-action@sha256:087d4e61077087755711ab7e9fae3cc899b7bb07ff8f6a30c3dfb240b1620ae8 #v2.5.7
         with:

.github/workflows/release-oci.yaml

@@ -0,0 +1,27 @@
+name: Release OCI
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'oci/**'
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          fetch-depth: 0
+
+      - name: Release
+        uses: ./.github/actions/release
+        with:
+          module: "oci"

.pre-commit-config.yaml

@@ -26,6 +26,12 @@ repos:
         language: system
         pass_filenames: false
 
+      - id: fmt
+        name: go fmt
+        entry: make fmt
+        language: system
+        pass_filenames: false
+
       - id: lint
         name: go lint
         entry: make lint

Makefile

@@ -18,6 +18,12 @@ fmt:
 fmt-%:
 	cd $(subst :,/,$*); go fmt ./...
 
+check-fmt:
+	$(MAKE) $(addprefix check-fmt-, $(MODULES))
+
+check-fmt-%:
+	cd $(subst :,/,$*); test -z "$$(gofmt -l .)"
+
 vet:
 	$(MAKE) $(addprefix vet-, $(MODULES))
 
@@ -38,3 +44,6 @@ scan:
 
 scan-%:
 	cd $(subst :,/,$*); syft scan . -o json | grype --fail-on low
+
+check-go-version-consistency:
+	hack/check_go_version.sh

README.md

@@ -9,6 +9,7 @@
 | Module | Import | Description |
 | --- | --- | --- |
 | [![GitHub Tag](https://img.shields.io/github/v/tag/defenseunicorns/pkg?sort=date&filter=helpers%2F*&label)](https://pkg.go.dev/github.com/defenseunicorns/pkg/helpers) | `go get github.com/defenseunicorns/pkg/helpers` | Common helper functions for Go. |
+| [![GitHub Tag](https://img.shields.io/github/v/tag/defenseunicorns/pkg?sort=date&filter=oci%2F*&label)](https://pkg.go.dev/github.com/defenseunicorns/pkg/oci) | `go get github.com/defenseunicorns/pkg/oci` | tools for interacting with artifacts stored in OCI registries. |
 
 ## Contributing
 

hack/check_go_version.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+first_version=""
+# Find and iterate over all go.mod files, excluding the vendor directory
+find . -name go.mod | while read -r mod; do
+    current_version=$(grep '^go 1\.' "$mod" | cut -d ' ' -f 2)
+
+    if [[ -z "$first_version" ]]; then
+      first_version=$current_version
+    elif [[ "$current_version" != "$first_version" ]]; then
+      echo "Inconsistency found: $mod uses Go version $current_version, this differs from another found version $first_version."
+      exit 1
+    fi
+done
+
+echo "All modules use the same Go version: $first_version."

internal/release/go.mod

@@ -1,6 +1,6 @@
 module github.com/defenseunicorns/pkg/internal/release
 
-go 1.22.1
+go 1.21.8
 
 require (
 	github.com/Masterminds/semver v1.5.0

internal/release/main.go

@@ -159,14 +159,14 @@ func getCommitMessagesFromLastTag(r *git.Repository, lastTagVersion *semver.Vers
 	var commitsAfterTagOnModule []string
 	err = commitsOnModule.ForEach(func(c *object.Commit) error {
 		for _, commitAfterTag := range commitsAfterTag {
-			if commitAfterTag.Hash == c.Hash{
+			if commitAfterTag.Hash == c.Hash {
 				commitsAfterTagOnModule = append(commitsAfterTagOnModule, c.Message)
 			}
 		}
 		return nil
 	})
 
-	if err != nil{
+	if err != nil {
 		return nil, fmt.Errorf("could not iterate over commits %w", err)
 	}
 

oci/common.go

@@ -0,0 +1,191 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2024-Present Defense Unicorns
+
+// Package oci provides tools for interacting with artifacts stored in OCI registries
+package oci
+
+import (
+	"fmt"
+	"log/slog"
+	"net/http"
+	"strings"
+
+	"github.com/defenseunicorns/pkg/helpers"
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/registry"
+	"oras.land/oras-go/v2/registry/remote"
+	"oras.land/oras-go/v2/registry/remote/auth"
+)
+
+const (
+	// MultiOS is the OS used for multi-platform packages
+	MultiOS = "multi"
+)
+
+// OrasRemote is a wrapper around the Oras remote repository that includes a progress bar for interactive feedback.
+type OrasRemote struct {
+	repo           *remote.Repository
+	root           *Manifest
+	progTransport  *helpers.Transport
+	targetPlatform *ocispec.Platform
+	log            *slog.Logger
+}
+
+// Modifier is a function that modifies an OrasRemote
+type Modifier func(*OrasRemote)
+
+// WithPlainHTTP sets the plain HTTP flag for the remote
+func WithPlainHTTP(plainHTTP bool) Modifier {
+	return func(o *OrasRemote) {
+		o.repo.PlainHTTP = plainHTTP
+	}
+}
+
+// WithInsecureSkipVerify sets the insecure TLS flag for the remote
+func WithInsecureSkipVerify(insecure bool) Modifier {
+	return func(o *OrasRemote) {
+		o.progTransport.Base.(*http.Transport).TLSClientConfig.InsecureSkipVerify = insecure
+	}
+}
+
+// PlatformForArch sets the target architecture for the remote
+func PlatformForArch(arch string) ocispec.Platform {
+	return ocispec.Platform{
+		OS:           MultiOS,
+		Architecture: arch,
+	}
+}
+
+// WithUserAgent sets the user agent for the remote
+func WithUserAgent(userAgent string) Modifier {
+	return func(o *OrasRemote) {
+		o.repo.Client.(*auth.Client).SetUserAgent(userAgent)
+	}
+}
+
+// WithLogger sets the logger for the remote
+func WithLogger(logger *slog.Logger) Modifier {
+	return func(o *OrasRemote) {
+		o.log = logger
+	}
+}
+
+// NewOrasRemote returns an oras remote repository client and context for the given url.
+//
+// Registry auth is handled by the Docker CLI's credential store and checked before returning the client
+func NewOrasRemote(url string, platform ocispec.Platform, mods ...Modifier) (*OrasRemote, error) {
+	ref, err := registry.ParseReference(strings.TrimPrefix(url, helpers.OCIURLPrefix))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse OCI reference %q: %w", url, err)
+	}
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	client := auth.DefaultClient
+	client.Client.Transport = transport
+	o := &OrasRemote{
+		repo:           &remote.Repository{Client: client},
+		progTransport:  helpers.NewTransport(transport, nil),
+		targetPlatform: &platform,
+		log:            slog.Default(),
+	}
+
+	for _, mod := range mods {
+		mod(o)
+	}
+
+	if err := o.setRepository(ref); err != nil {
+		return nil, err
+	}
+
+	return o, nil
+}
+
+// SetProgressWriter sets the progress writer for the remote
+func (o *OrasRemote) SetProgressWriter(bar helpers.ProgressWriter) {
+	o.progTransport.ProgressBar = bar
+	o.repo.Client.(*auth.Client).Client.Transport = o.progTransport
+}
+
+// ClearProgressWriter clears the progress writer for the remote
+func (o *OrasRemote) ClearProgressWriter() {
+	o.progTransport.ProgressBar = nil
+	o.repo.Client.(*auth.Client).Client.Transport = o.progTransport
+}
+
+// Repo gives you access to the underlying remote repository
+func (o *OrasRemote) Repo() *remote.Repository {
+	return o.repo
+}
+
+// Log gives you access to the OrasRemote logger
+func (o *OrasRemote) Log() *slog.Logger {
+	return o.log
+}
+
+// setRepository sets the repository for the remote as well as the auth client.
+func (o *OrasRemote) setRepository(ref registry.Reference) error {
+	o.root = nil
+
+	// patch docker.io to registry-1.docker.io
+	// this allows end users to use docker.io as an alias for registry-1.docker.io
+	if ref.Registry == "docker.io" {
+		ref.Registry = "registry-1.docker.io"
+	}
+	if ref.Registry == "🦄" || ref.Registry == "defenseunicorns" {
+		ref.Registry = "ghcr.io"
+		ref.Repository = "defenseunicorns/packages/" + ref.Repository
+	}
+	client, err := o.createAuthClient(ref)
+	if err != nil {
+		return err
+	}
+
+	o.repo.Reference = ref
+	o.repo.Client = client
+
+	return nil
+}
+
+// createAuthClient returns an auth client for the given reference.
+//
+// The credentials are pulled using Docker's default credential store.
+//
+// TODO: instead of using Docker's cred store, should use the new one from ORAS to remove that dep
+func (o *OrasRemote) createAuthClient(ref registry.Reference) (*auth.Client, error) {
+
+	client := o.repo.Client.(*auth.Client)
+	o.log.Debug(fmt.Sprintf("Loading docker config file from default config location: %s for %s", config.Dir(), ref))
+	cfg, err := config.Load(config.Dir())
+	if err != nil {
+		return nil, err
+	}
+	if !cfg.ContainsAuth() {
+		o.log.Debug("no docker config file found")
+		return client, nil
+	}
+
+	configs := []*configfile.ConfigFile{cfg}
+
+	var key = ref.Registry
+	if key == "registry-1.docker.io" {
+		// Docker stores its credentials under the following key, otherwise credentials use the registry URL
+		key = "https://index.docker.io/v1/"
+	}
+
+	authConf, err := configs[0].GetCredentialsStore(key).Get(key)
+	if err != nil {
+		return nil, fmt.Errorf("unable to get credentials for %s: %w", key, err)
+	}
+
+	cred := auth.Credential{
+		Username:     authConf.Username,
+		Password:     authConf.Password,
+		AccessToken:  authConf.RegistryToken,
+		RefreshToken: authConf.IdentityToken,
+	}
+
+	client.Credential = auth.StaticCredential(ref.Registry, cred)
+
+	return client, nil
+}