diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 630041858..7d0caa905 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,5 +1,5 @@ # DO NOT EDIT THIS FILE MANUALLY! -# Update it with the script generate-dependabot-config/main.py +# Update it with the script generate-dependabot-config/dependabot_config_generator.py version: 2 updates: - package-ecosystem: "github-actions" @@ -15,7 +15,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/lint-golang" + directory: "/awx-run" schedule: interval: "weekly" time: "04:00" @@ -27,7 +27,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/sbom-upload" + directory: "/backport-pull-request" schedule: interval: "weekly" time: "04:00" @@ -39,7 +39,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/download-artifact" + directory: "/checkout" schedule: interval: "weekly" time: "04:00" @@ -51,7 +51,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/checkout" + directory: "/container-build-push-by-digest" schedule: interval: "weekly" time: "04:00" @@ -63,7 +63,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/dependency-review" + directory: "/conventional-commits" schedule: interval: "weekly" time: "04:00" @@ -75,7 +75,19 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/uv" + directory: "/create-multi-arch-container-image" + schedule: + interval: "weekly" + time: "04:00" + commit-message: + prefix: "Deps" + groups: + dependencies: + patterns: + - "*" + + - package-ecosystem: "github-actions" + directory: "/dependency-review" schedule: interval: "weekly" time: "04:00" @@ -99,7 +111,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/conventional-commits" + directory: "/doc-coverage-clang" schedule: interval: "weekly" time: "04:00" 
@@ -111,7 +123,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/is-latest-tag" + directory: "/download-artifact" schedule: interval: "weekly" time: "04:00" @@ -123,7 +135,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/oci-info" + directory: "/download-digest" schedule: interval: "weekly" time: "04:00" @@ -135,7 +147,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/backport-pull-request" + directory: "/generate-dependabot-config" schedule: interval: "weekly" time: "04:00" @@ -147,7 +159,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/doc-coverage-clang" + directory: "/helm-version-upgrade" schedule: interval: "weekly" time: "04:00" @@ -159,7 +171,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/release-version" + directory: "/install-cgreen" schedule: interval: "weekly" time: "04:00" @@ -171,7 +183,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/awx-run" + directory: "/is-latest-tag" schedule: interval: "weekly" time: "04:00" @@ -183,7 +195,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/setup-pontos" + directory: "/lint-golang" schedule: interval: "weekly" time: "04:00" @@ -195,7 +207,31 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/signature" + directory: "/mattermost-notify" + schedule: + interval: "weekly" + time: "04:00" + commit-message: + prefix: "Deps" + groups: + dependencies: + patterns: + - "*" + + - package-ecosystem: "github-actions" + directory: "/oci-info" + schedule: + interval: "weekly" + time: "04:00" + commit-message: + prefix: "Deps" + groups: + dependencies: + patterns: + - "*" + + - package-ecosystem: "github-actions" + directory: "/pipx" schedule: interval: "weekly" time: "04:00" 
@@ -219,7 +255,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/mattermost-notify" + directory: "/release-assets" schedule: interval: "weekly" time: "04:00" @@ -231,7 +267,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/sign-release-files" + directory: "/release-type" schedule: interval: "weekly" time: "04:00" @@ -243,7 +279,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/helm-version-upgrade" + directory: "/release-version" schedule: interval: "weekly" time: "04:00" @@ -255,7 +291,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/trigger-workflow" + directory: "/sbom-upload" schedule: interval: "weekly" time: "04:00" @@ -267,7 +303,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/install-cgreen" + directory: "/setup-pontos" schedule: interval: "weekly" time: "04:00" @@ -279,7 +315,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/release-assets" + directory: "/sign-release-files" schedule: interval: "weekly" time: "04:00" @@ -291,7 +327,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/release-type" + directory: "/sign-win-binary" schedule: interval: "weekly" time: "04:00" @@ -303,7 +339,31 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/pipx" + directory: "/signature" + schedule: + interval: "weekly" + time: "04:00" + commit-message: + prefix: "Deps" + groups: + dependencies: + patterns: + - "*" + + - package-ecosystem: "github-actions" + directory: "/trigger-harbor-replication" + schedule: + interval: "weekly" + time: "04:00" + commit-message: + prefix: "Deps" + groups: + dependencies: + patterns: + - "*" + + - package-ecosystem: "github-actions" + directory: "/trigger-workflow" schedule: interval: "weekly" time: "04:00" 
@@ -315,7 +375,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/release-assets_tests" + directory: "/upload-digest" schedule: interval: "weekly" time: "04:00" @@ -326,20 +386,29 @@ updates: patterns: - "*" + - package-ecosystem: "github-actions" + directory: "/uv" + schedule: + interval: "weekly" + time: "04:00" + commit-message: + prefix: "Deps" + groups: + dependencies: + patterns: + - "*" - package-ecosystem: pip directories: - - "/download-artifact/" - - "/conventional-commits/" - - "/oci-info/" - "/backport-pull-request/" + - "/conventional-commits/" + - "/download-artifact/" - "/generate-dependabot-config/" - - "/pr-conventional-commit-labeler/" - "/helm-version-upgrade/" - - "/trigger-workflow/" + - "/oci-info/" + - "/pr-conventional-commit-labeler/" - "/release-assets/" - - "/release-assets_tests/" - - "/test-python-project/" + - "/trigger-workflow/" schedule: interval: "weekly" time: "04:00" diff --git a/docker-client-tls-login/README.md b/docker-client-tls-login/README.md new file mode 100644 index 000000000..3a9d24c8d --- /dev/null +++ b/docker-client-tls-login/README.md 
@@ -0,0 +1,54 @@
+# Docker TLS Certificate Login Action
+
+This GitHub Action configures Docker to use client TLS certificates for secure registry authentication (mutual TLS).
+
+## Example Usage
+
+```yaml
+name: Docker TLS Login
+
+on:
+ workflow_dispatch:
+
+jobs:
+ docker-operations:
+ name: Docker Operations with TLS
+ runs-on: ubuntu-latest
+ steps:
+ - name: Setup Docker TLS Certificates
+ uses: greenbone/actions/docker-client-tls-login@v1.0.0
+ with:
+ registry-url: packages.greenbone.net
+ client-cert: ${{ secrets.GREENBONE_CLIENT_CERT }}
+ client-key: ${{ secrets.GREENBONE_CLIENT_KEY }}
+ # Optional: ca-cert if not using system CA bundle
+ # ca-cert: ${{ secrets.GREENBONE_CA_CERT }}
+ debug: 'true'
+
+ - name: Login to Greenbone Registry (Read-Only)
+ uses: docker/login-action@v3
+ with:
+ registry: packages.greenbone.net
+ username: ${{ secrets.GREENBONE_REGISTRY_READ_USER }}
+ password: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }}
+
+ - name: Pull Docker image
+ run: |
+ docker pull packages.greenbone.net/opensight/opensight-postgres:17.5.3@sha256:2e28556d0dceec5880f2104e35db6002d64d6e7e756e7fbf2b618d4d660f0d31
+```
+
+## Inputs
+
+| Input Variable | Description | Required | Default |
+|----------------|---------------------------------------|----------|-----------|
+| registry-url | Docker registry URL | Yes | |
+| client-cert | Base64-encoded client certificate | Yes | |
+| client-key | Base64-encoded client private key | Yes | |
+| ca-cert | Base64-encoded CA certificate | No | '' |
+| debug | Enable debug output (true/false) | No | 'false' |
+
+## Outputs
+
+| Output Variable | Description |
+|-----------------|---------------------------------------|
+| cert-directory | Path to the Docker certificate directory |
diff --git a/docker-client-tls-login/action.yml b/docker-client-tls-login/action.yml
new file mode 100644
index 000000000..2c074dc79
--- /dev/null
+++ b/docker-client-tls-login/action.yml
@@ -0,0 +1,76 @@
+name: 'Docker TLS Certificate Login'
+description: 'Login to Docker registry using TLS client certificates for mutual authentication'
+
+inputs:
+ registry-url:
+ description: 'Docker registry URL (e.g., registry.example.com)'
+ required: true
+ client-cert:
+ description: 'Base64-encoded client certificate (PEM format)'
+ required: true
+ client-key:
+ description: 'Base64-encoded client private key (PEM format)'
+ required: true
+ ca-cert:
+ description: 'Base64-encoded CA certificate (PEM format). Optional if using system CA bundle.'
+ required: false
+ default: ''
+ debug:
+ description: 'Enable debug output (true/false)'
+ required: false
+ default: 'false'
+
+outputs:
+ cert-directory:
+ description: 'Path to the Docker certificate directory'
+ value: ${{ steps.setup.outputs.cert-directory }}
+
+runs:
+ using: 'composite'
+ steps:
+ - name: 'Setup Docker TLS Certificates'
+ id: setup
+ shell: bash
+ run: |
+ # Setup certificate directory
+ CERT_DIR=/etc/.docker/certs.d/${{ inputs.registry-url }}
+ sudo mkdir -p "$CERT_DIR"
+
+ # Install certificates
+ echo "${{ inputs.client-cert }}" | sudo tee "$CERT_DIR/client.cert"
+ echo "${{ inputs.client-key }}" | sudo tee "$CERT_DIR/client.key"
+ #chmod 644 "$CERT_DIR/client.cert"
+ #chmod 600 "$CERT_DIR/client.key"
+
+ # Install CA certificate if provided
+ if [[ -n "${{ inputs.ca-cert }}" ]]; then
+ echo "${{ inputs.ca-cert }}" > "$CERT_DIR/ca.cert"
+ chmod 644 "$CERT_DIR/ca.cert"
+ fi
+
+ # Verify certificate and key match
+ CERT_MODULUS=$(openssl x509 -noout -modulus -in "$CERT_DIR/client.cert")
+ KEY_MODULUS=$(openssl rsa -noout -modulus -in "$CERT_DIR/client.key")
+ if [[ "$CERT_MODULUS" != "$KEY_MODULUS" ]]; then
+ echo "Error: Certificate and private key do not match"
+ exit 1
+ fi
+
+ echo "cert-directory=$CERT_DIR" >> $GITHUB_OUTPUT
+ echo "Docker TLS certificates written to: $CERT_DIR"
+
+ if [[ "${{ inputs.debug }}" == "true" ]]; then
+ echo "--- Certificate Details ---"
+ openssl x509 -in "$CERT_DIR/client.cert" -noout -subject -dates
+ ls -la "$CERT_DIR/"
+ fi
+
+ echo "Restarting Docker to reload TLS certs..."
+ sudo systemctl restart docker
+ sleep 5
+ if systemctl is-active --quiet docker; then
+ echo "Docker daemon restarted successfully."
+ else
+ echo "Docker daemon failed to restart after cert insertion."
+ exit 1
+ fi
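Review bot: The private key is mishandled in the `# Install certificates` block: `sudo tee` without `>/dev/null` echoes both PEM files into the step log, the `#chmod 600 "$CERT_DIR/client.key"` line is commented out so the key keeps root's default (typically world-readable) mode, and the secrets are spliced into the script text via `${{ inputs.* }}` instead of being passed through `env:`, which also makes `registry-url` a shell-injection path into a `sudo` command. The `ca-cert` branch writes and chmods without `sudo` into the root-owned directory created by `sudo mkdir -p`, so under the action's `bash -e` shell a supplied CA aborts the step. Docker's documented client-certificate lookup is `/etc/docker/certs.d/<host>/` with the CA file named `ca.crt`; `/etc/.docker/certs.d` and `ca.cert` will not be consulted unless the runner's daemon is configured for that location, so please confirm the path is intentional. Two smaller inconsistencies: the inputs are documented as base64-encoded but written verbatim (either `base64 -d` them or correct the descriptions, since the `openssl x509` check expects PEM), and `openssl rsa -noout -modulus` only succeeds for RSA keys. The rewritten install section below moves the secrets to `env:`, silences `tee`, restores the mode bits and uses the documented file names.
```yaml
      - name: 'Setup Docker TLS Certificates'
        id: setup
        shell: bash
        env:
          REGISTRY_URL: ${{ inputs.registry-url }}
          CLIENT_CERT: ${{ inputs.client-cert }}
          CLIENT_KEY: ${{ inputs.client-key }}
          CA_CERT: ${{ inputs.ca-cert }}
        run: |
          CERT_DIR="/etc/docker/certs.d/$REGISTRY_URL"
          sudo mkdir -p "$CERT_DIR"

          # Install certificates; tee output is discarded so the key never reaches the job log
          echo "$CLIENT_CERT" | sudo tee "$CERT_DIR/client.cert" >/dev/null
          echo "$CLIENT_KEY" | sudo tee "$CERT_DIR/client.key" >/dev/null
          sudo chmod 644 "$CERT_DIR/client.cert"
          sudo chmod 600 "$CERT_DIR/client.key"

          # Install CA certificate if provided (Docker looks for ca.crt)
          if [[ -n "$CA_CERT" ]]; then
            echo "$CA_CERT" | sudo tee "$CERT_DIR/ca.crt" >/dev/null
            sudo chmod 644 "$CERT_DIR/ca.crt"
          fi
          # … unchanged: modulus check, outputs, debug block, docker restart …
```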