From 7310c9a716eb05dd3f943462a45601a5e7b608f9 Mon Sep 17 00:00:00 2001 From: Eben Asamoah <77969078+easamoah7@users.noreply.github.com> Date: Mon, 22 Sep 2025 16:27:03 +0200 Subject: [PATCH 01/18] Add: Create action.yml --- docker-client-tls-login/action.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 docker-client-tls-login/action.yml diff --git a/docker-client-tls-login/action.yml b/docker-client-tls-login/action.yml new file mode 100644 index 000000000..8b1378917 --- /dev/null +++ b/docker-client-tls-login/action.yml @@ -0,0 +1 @@ + From b2c554271511c374d9b8c228fc6fcf3f29ed8ddc Mon Sep 17 00:00:00 2001 From: Eben Asamoah <77969078+easamoah7@users.noreply.github.com> Date: Mon, 22 Sep 2025 16:28:06 +0200 Subject: [PATCH 02/18] Add: Create README.md --- docker-client-tls-login/README.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 docker-client-tls-login/README.md diff --git a/docker-client-tls-login/README.md b/docker-client-tls-login/README.md new file mode 100644 index 000000000..8b1378917 --- /dev/null +++ b/docker-client-tls-login/README.md @@ -0,0 +1 @@ + From d7544bf4d0f83e2f237351fbdb0f444934948ca1 Mon Sep 17 00:00:00 2001 From: Eben Asamoah <77969078+easamoah7@users.noreply.github.com> Date: Mon, 22 Sep 2025 16:30:42 +0200 Subject: [PATCH 03/18] Add: Update action.yml --- docker-client-tls-login/action.yml | 98 ++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) diff --git a/docker-client-tls-login/action.yml b/docker-client-tls-login/action.yml index 8b1378917..4a9c8b6be 100644 --- a/docker-client-tls-login/action.yml +++ b/docker-client-tls-login/action.yml 
@@ -1 +1,99 @@ +name: 'Docker Login with Client TLS Certificates' +description: 'Configure Docker to use client TLS certificates for mutual authentication' +inputs: + registry: + description: 'Docker registry URL' + required: true + default: 'https://packages.greenbone.net' + client-cert: + description: 'Client certificate (PEM format, may include certificate chain)' + required: true + client-key: + description: 'Client private key (PEM format)' + required: true + ca-cert: + description: 'CA certificate (PEM format). Optional if client-cert contains full chain' + required: false + logout: + description: 'Clean up certificates at the end of the job' + required: false + default: 'true' + +outputs: + registry: + description: 'Registry that was configured' + value: ${{ steps.set-output.outputs.registry }} + +runs: + using: 'composite' + steps: + - name: Setup TLS certificate files + shell: bash + run: | + CERT_DIR=$(mktemp -d) + echo "CERT_DIR=$CERT_DIR" >> $GITHUB_ENV + chmod 700 "$CERT_DIR" + + echo "${{ inputs.client-cert }}" > "$CERT_DIR/client.crt" + echo "${{ inputs.client-key }}" > "$CERT_DIR/client.key" + chmod 600 "$CERT_DIR"/* + + if [[ -n "${{ inputs.ca-cert }}" ]]; then + echo "${{ inputs.ca-cert }}" > "$CERT_DIR/ca.crt" + chmod 600 "$CERT_DIR/ca.crt" + echo "CA_CERT_PATH=$CERT_DIR/ca.crt" >> $GITHUB_ENV + fi + + echo "CLIENT_CERT_PATH=$CERT_DIR/client.crt" >> $GITHUB_ENV + echo "CLIENT_KEY_PATH=$CERT_DIR/client.key" >> $GITHUB_ENV + + - name: Configure Docker for TLS client authentication + shell: bash + run: | + DOCKER_CONFIG_DIR="$HOME/.docker" + mkdir -p "$DOCKER_CONFIG_DIR" + + REGISTRY_HOST="${{ inputs.registry }}" + REGISTRY_HOST=${REGISTRY_HOST#http*://} + REGISTRY_HOST=${REGISTRY_HOST%/*} + echo "REGISTRY_HOST=$REGISTRY_HOST" >> $GITHUB_ENV + + mkdir -p "$DOCKER_CONFIG_DIR/certs.d/$REGISTRY_HOST" + cp "$CLIENT_CERT_PATH" "$DOCKER_CONFIG_DIR/certs.d/$REGISTRY_HOST/client.cert" + cp "$CLIENT_KEY_PATH" 
"$DOCKER_CONFIG_DIR/certs.d/$REGISTRY_HOST/client.key" + [[ -n "${CA_CERT_PATH:-}" ]] && cp "$CA_CERT_PATH" "$DOCKER_CONFIG_DIR/certs.d/$REGISTRY_HOST/ca.crt" + + chmod 600 "$DOCKER_CONFIG_DIR/certs.d/$REGISTRY_HOST/"* + + - name: Test registry connectivity + shell: bash + run: | + REGISTRY_URL="${{ inputs.registry }}" + [[ ! "$REGISTRY_URL" =~ ^https?:// ]] && REGISTRY_URL="https://$REGISTRY_URL" + + CURL_OPTS="--cert $CLIENT_CERT_PATH --key $CLIENT_KEY_PATH" + [[ -n "${CA_CERT_PATH:-}" ]] && CURL_OPTS="$CURL_OPTS --cacert $CA_CERT_PATH" + + echo "Testing connectivity to $REGISTRY_URL/v2/..." + HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" $CURL_OPTS "$REGISTRY_URL/v2/" || echo "000") + echo "Registry responded with HTTP $HTTP_CODE" + + if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "401" ]]; then + echo "Registry connectivity failed (HTTP $HTTP_CODE)" + echo "Expected HTTP 200 (success) or 401 (auth required)" + exit 1 + else + echo "Registry connectivity successful" + fi + + - name: Set output + id: set-output + shell: bash + run: echo "registry=$REGISTRY_HOST" >> $GITHUB_OUTPUT + + - name: Cleanup certificates (if logout enabled) + if: inputs.logout == 'true' + shell: bash + run: | + [[ -n "${CERT_DIR:-}" && -d "$CERT_DIR" ]] && rm -rf "$CERT_DIR" From facc4f1e1dd65c33f88eaa6007a13b8628e3d64a Mon Sep 17 00:00:00 2001 From: Eben Asamoah <77969078+easamoah7@users.noreply.github.com> Date: Mon, 22 Sep 2025 16:39:26 +0200 Subject: [PATCH 04/18] Add: Update README.md --- docker-client-tls-login/README.md | 34 +++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/docker-client-tls-login/README.md b/docker-client-tls-login/README.md index 8b1378917..ea4553b92 100644 --- a/docker-client-tls-login/README.md +++ b/docker-client-tls-login/README.md 
@@ -1 +1,35 @@ +# Docker CLIENT TLS Login +GitHub Action to configure Docker with client TLS certificates for registry authentication. + +## Example + +```yml +name: Docker TLS Login + +on: + workflow_dispatch: + +jobs: + docker-operations: + name: Docker Operations with TLS + runs-on: ubuntu-latest + steps: + - uses: greenbone/actions/docker-client-tls-login@v1 + with: + client-cert: ${{ secrets.GREENBONE_CLIENT_CERT }} + client-key: ${{ secrets.GREENBONE_CLIENT_KEY }} + - name: Pull Docker image + run: | + docker pull packages.greenbone.net/gvm/gvmd:latest +``` + +## Action Configuration + +| Input Variable | Description | | +|----------------|-----------------------------------------------------------------------|--------------------------------------| +| registry | Docker registry URL | Optional: (Default is `"packages.greenbone.net"`) | +| client-cert | Client certificate in PEM format | | +| client-key | Client private key in PEM format | | +| ca-cert | CA certificate in PEM format | Optional | +| logout | Clean up certificates at the end of the job | Optional: (Default is `true`) | From 1217e06eabb21ebcab3d87f64335b14383756659 Mon Sep 17 00:00:00 2001 From: Eben Asamoah <77969078+easamoah7@users.noreply.github.com> Date: Mon, 22 Sep 2025 16:44:39 +0200 Subject: [PATCH 05/18] Fix: Add toUpdate README.md --- docker-client-tls-login/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-client-tls-login/README.md b/docker-client-tls-login/README.md index ea4553b92..921b38f67 100644 --- a/docker-client-tls-login/README.md +++ b/docker-client-tls-login/README.md @@ -21,7 +21,7 @@ jobs: client-key: ${{ secrets.GREENBONE_CLIENT_KEY }} - name: Pull Docker image run: | - docker pull packages.greenbone.net/gvm/gvmd:latest + docker pull packages.greenbone.net/some-greenbone-image:latest ``` ## Action Configuration From f61bf901142ae1f79cb1993770a88e3a9a425cf0 Mon Sep 17 00:00:00 2001 
From: Eben Asamoah <77969078+easamoah7@users.noreply.github.com> Date: Tue, 23 Sep 2025 14:23:05 +0200 Subject: [PATCH 06/18] Add: Add logic for action based on env variables --- docker-client-tls-login/action.yml | 118 +++++++++++++++-------------- 1 file changed, 61 insertions(+), 57 deletions(-) diff --git a/docker-client-tls-login/action.yml b/docker-client-tls-login/action.yml index 4a9c8b6be..1290b0a79 100644 --- a/docker-client-tls-login/action.yml +++ b/docker-client-tls-login/action.yml @@ -6,15 +6,6 @@ inputs: description: 'Docker registry URL' required: true default: 'https://packages.greenbone.net' - client-cert: - description: 'Client certificate (PEM format, may include certificate chain)' - required: true - client-key: - description: 'Client private key (PEM format)' - required: true - ca-cert: - description: 'CA certificate (PEM format). Optional if client-cert contains full chain' - required: false logout: description: 'Clean up certificates at the end of the job' required: false 
@@ -28,63 +19,76 @@ outputs: runs: using: 'composite' steps: - - name: Setup TLS certificate files - shell: bash - run: | - CERT_DIR=$(mktemp -d) - echo "CERT_DIR=$CERT_DIR" >> $GITHUB_ENV - chmod 700 "$CERT_DIR" - - echo "${{ inputs.client-cert }}" > "$CERT_DIR/client.crt" - echo "${{ inputs.client-key }}" > "$CERT_DIR/client.key" - chmod 600 "$CERT_DIR"/* - - if [[ -n "${{ inputs.ca-cert }}" ]]; then - echo "${{ inputs.ca-cert }}" > "$CERT_DIR/ca.crt" - chmod 600 "$CERT_DIR/ca.crt" - echo "CA_CERT_PATH=$CERT_DIR/ca.crt" >> $GITHUB_ENV - fi - - echo "CLIENT_CERT_PATH=$CERT_DIR/client.crt" >> $GITHUB_ENV - echo "CLIENT_KEY_PATH=$CERT_DIR/client.key" >> $GITHUB_ENV - - - name: Configure Docker for TLS client authentication + - name: Configure Docker TLS and Login shell: bash run: | DOCKER_CONFIG_DIR="$HOME/.docker" - mkdir -p "$DOCKER_CONFIG_DIR" - REGISTRY_HOST="${{ inputs.registry }}" REGISTRY_HOST=${REGISTRY_HOST#http*://} REGISTRY_HOST=${REGISTRY_HOST%/*} echo "REGISTRY_HOST=$REGISTRY_HOST" >> $GITHUB_ENV - - mkdir -p "$DOCKER_CONFIG_DIR/certs.d/$REGISTRY_HOST" - cp "$CLIENT_CERT_PATH" "$DOCKER_CONFIG_DIR/certs.d/$REGISTRY_HOST/client.cert" - cp "$CLIENT_KEY_PATH" "$DOCKER_CONFIG_DIR/certs.d/$REGISTRY_HOST/client.key" - [[ -n "${CA_CERT_PATH:-}" ]] && cp "$CA_CERT_PATH" "$DOCKER_CONFIG_DIR/certs.d/$REGISTRY_HOST/ca.crt" - - chmod 600 "$DOCKER_CONFIG_DIR/certs.d/$REGISTRY_HOST/"* - - - name: Test registry connectivity - shell: bash - run: | - REGISTRY_URL="${{ inputs.registry }}" - [[ ! "$REGISTRY_URL" =~ ^https?:// ]] && REGISTRY_URL="https://$REGISTRY_URL" - - CURL_OPTS="--cert $CLIENT_CERT_PATH --key $CLIENT_KEY_PATH" - [[ -n "${CA_CERT_PATH:-}" ]] && CURL_OPTS="$CURL_OPTS --cacert $CA_CERT_PATH" - - echo "Testing connectivity to $REGISTRY_URL/v2/..." 
- HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" $CURL_OPTS "$REGISTRY_URL/v2/" || echo "000") - echo "Registry responded with HTTP $HTTP_CODE" - if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "401" ]]; then - echo "Registry connectivity failed (HTTP $HTTP_CODE)" - echo "Expected HTTP 200 (success) or 401 (auth required)" + CERT_DIR="$DOCKER_CONFIG_DIR/certs.d/$REGISTRY_HOST" + mkdir -p "$CERT_DIR" + echo "DOCKER_CERT_DIR=$CERT_DIR" >> $GITHUB_ENV + + # Check for required environment variables + if [[ -z "${GREENBONE_CLIENT_CERT:-}" ]]; then + echo "ERROR: GREENBONE_CLIENT_CERT environment variable is required" exit 1 + fi + + if [[ -z "${GREENBONE_CLIENT_KEY:-}" ]]; then + echo "ERROR: GREENBONE_CLIENT_KEY environment variable is required" + exit 1 + fi + + # Write certificates from environment variables + echo "$GREENBONE_CLIENT_CERT" > "$CERT_DIR/client.cert" + echo "$GREENBONE_CLIENT_KEY" > "$CERT_DIR/client.key" + + # Handle CA certificate - use provided or extract from client cert + if [[ -n "${GREENBONE_CA_CERT:-}" ]]; then + echo "$GREENBONE_CA_CERT" > "$CERT_DIR/ca.crt" + else + # Extract CA certificate from client certificate chain if it contains multiple certs + CERT_COUNT=$(grep -c "BEGIN CERTIFICATE" "$CERT_DIR/client.cert" || echo "1") + if [[ "$CERT_COUNT" -gt 1 ]]; then + echo "Extracting CA certificate from client certificate chain..." + # Extract the last certificate in the chain (should be the CA) + tail -n +$(grep -n "BEGIN CERTIFICATE" "$CERT_DIR/client.cert" | tail -1 | cut -d: -f1) "$CERT_DIR/client.cert" > "$CERT_DIR/ca.crt" + else + # If only one certificate, use it as both client and CA (self-signed case) + echo "Using client certificate as CA certificate..." 
+ cp "$CERT_DIR/client.cert" "$CERT_DIR/ca.crt" + fi + fi + + chmod 600 "$CERT_DIR"/* + + # List certificate files for debugging + echo "Certificate files created:" + ls -la "$CERT_DIR/" + + # Test Docker connectivity and perform login in the same context + echo "Testing Docker connectivity to $REGISTRY_HOST..." + if docker info >/dev/null 2>&1; then + echo "Docker daemon is running" + + # Perform login if credentials provided via environment variables + if [[ -n "${GREENBONE_REGISTRY_USER:-}" ]] && [[ -n "${GREENBONE_REGISTRY_TOKEN:-}" ]]; then + echo "Performing docker login with provided credentials..." + echo "Registry: $REGISTRY_HOST" + echo "Username: $GREENBONE_REGISTRY_USER" + echo "$GREENBONE_REGISTRY_TOKEN" | docker login "$REGISTRY_HOST" --username "$GREENBONE_REGISTRY_USER" --password-stdin + else + echo "No basic auth credentials provided - using certificate-only authentication" + echo "Attempting to test registry access with certificates only..." + # Test if certificates alone are sufficient + docker pull $REGISTRY_HOST/hello-world:latest 2>/dev/null || echo "Certificate-only authentication failed - basic auth may be required" + fi else - echo "Registry connectivity successful" + echo "Warning: Docker daemon not accessible" fi - name: Set output @@ -96,4 +100,4 @@ runs: if: inputs.logout == 'true' shell: bash run: | - [[ -n "${CERT_DIR:-}" && -d "$CERT_DIR" ]] && rm -rf "$CERT_DIR" + [[ -n "${DOCKER_CERT_DIR:-}" && -d "$DOCKER_CERT_DIR" ]] && rm -rf "$DOCKER_CERT_DIR" From 336a7b460069f355ac4278b731120ac8734c674f Mon Sep 17 00:00:00 2001 From: easamoah7 <77969078+easamoah7@users.noreply.github.com> Date: Tue, 23 Sep 2025 12:23:42 +0000 Subject: [PATCH 07/18] [skip ci] Update dependabot config --- .github/dependabot.yml | 133 +++++++++++++++++++++++++++++++---------- 1 file changed, 101 insertions(+), 32 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 630041858..7d0caa905 100644 --- a/.github/dependabot.yml 
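Review bot: The single-certificate fallback in this hunk copies the client leaf certificate to `ca.crt`, but Docker reads `ca.crt` in `certs.d/<host>` as a trust root for the registry's server certificate, so a client certificate can only validate a server that presents that very certificate; when `GREENBONE_CA_CERT` is unset it is safer to write no `ca.crt` and let the daemon use the system bundle. The chain-extraction branch carries a similar assumption — the last block of a client chain may be an intermediate rather than the root the registry's chain ends in — so `# Extract the last certificate in the chain (should be the CA)` should say it is a best-effort guess that the caller can override with `GREENBONE_CA_CERT`. The certificate-only probe `docker pull $REGISTRY_HOST/hello-world:latest 2>/dev/null || echo ...` discards the error text that would explain a failure and leaves an image on the runner; `docker manifest inspect` with stderr kept gives the same signal without the pull. Writing `client.key` with `echo ... >` ahead of the later `chmod 600` also leaves it readable under the default umask for a moment; `umask 077` at the top of the step closes that window.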
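Review bot: With this change the logout step deletes `$DOCKER_CERT_DIR`, which is now `$HOME/.docker/certs.d/$REGISTRY_HOST` itself, and because a composite action has no post hook the step runs as soon as the action's own steps finish, not at the end of the job as the `logout` description states. With the default `logout: 'true'` the certificates are therefore removed before the caller's next step (the README's `docker pull`) can use them, while the `docker login` from the previous step stays in `~/.docker/config.json`. Either default `logout` to `'false'` and document that callers add their own `if: always()` cleanup step, or drop the step. The setup step this cleans up after starts outside this hunk.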
+++ b/.github/dependabot.yml @@ -1,5 +1,5 @@ # DO NOT EDIT THIS FILE MANUALLY! -# Update it with the script generate-dependabot-config/main.py +# Update it with the script generate-dependabot-config/dependabot_config_generator.py version: 2 updates: - package-ecosystem: "github-actions" @@ -15,7 +15,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/lint-golang" + directory: "/awx-run" schedule: interval: "weekly" time: "04:00" @@ -27,7 +27,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/sbom-upload" + directory: "/backport-pull-request" schedule: interval: "weekly" time: "04:00" @@ -39,7 +39,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/download-artifact" + directory: "/checkout" schedule: interval: "weekly" time: "04:00" @@ -51,7 +51,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/checkout" + directory: "/container-build-push-by-digest" schedule: interval: "weekly" time: "04:00" @@ -63,7 +63,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/dependency-review" + directory: "/conventional-commits" schedule: interval: "weekly" time: "04:00" @@ -75,7 +75,19 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/uv" + directory: "/create-multi-arch-container-image" + schedule: + interval: "weekly" + time: "04:00" + commit-message: + prefix: "Deps" + groups: + dependencies: + patterns: + - "*" + + - package-ecosystem: "github-actions" + directory: "/dependency-review" schedule: interval: "weekly" time: "04:00" @@ -99,7 +111,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/conventional-commits" + directory: "/doc-coverage-clang" schedule: interval: "weekly" time: "04:00" @@ -111,7 +123,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/is-latest-tag" + directory: "/download-artifact" schedule: interval: "weekly" time: "04:00" 
@@ -123,7 +135,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/oci-info" + directory: "/download-digest" schedule: interval: "weekly" time: "04:00" @@ -135,7 +147,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/backport-pull-request" + directory: "/generate-dependabot-config" schedule: interval: "weekly" time: "04:00" @@ -147,7 +159,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/doc-coverage-clang" + directory: "/helm-version-upgrade" schedule: interval: "weekly" time: "04:00" @@ -159,7 +171,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/release-version" + directory: "/install-cgreen" schedule: interval: "weekly" time: "04:00" @@ -171,7 +183,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/awx-run" + directory: "/is-latest-tag" schedule: interval: "weekly" time: "04:00" @@ -183,7 +195,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/setup-pontos" + directory: "/lint-golang" schedule: interval: "weekly" time: "04:00" @@ -195,7 +207,31 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/signature" + directory: "/mattermost-notify" + schedule: + interval: "weekly" + time: "04:00" + commit-message: + prefix: "Deps" + groups: + dependencies: + patterns: + - "*" + + - package-ecosystem: "github-actions" + directory: "/oci-info" + schedule: + interval: "weekly" + time: "04:00" + commit-message: + prefix: "Deps" + groups: + dependencies: + patterns: + - "*" + + - package-ecosystem: "github-actions" + directory: "/pipx" schedule: interval: "weekly" time: "04:00" @@ -219,7 +255,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/mattermost-notify" + directory: "/release-assets" schedule: interval: "weekly" time: "04:00" 
@@ -231,7 +267,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/sign-release-files" + directory: "/release-type" schedule: interval: "weekly" time: "04:00" @@ -243,7 +279,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/helm-version-upgrade" + directory: "/release-version" schedule: interval: "weekly" time: "04:00" @@ -255,7 +291,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/trigger-workflow" + directory: "/sbom-upload" schedule: interval: "weekly" time: "04:00" @@ -267,7 +303,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/install-cgreen" + directory: "/setup-pontos" schedule: interval: "weekly" time: "04:00" @@ -279,7 +315,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/release-assets" + directory: "/sign-release-files" schedule: interval: "weekly" time: "04:00" @@ -291,7 +327,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/release-type" + directory: "/sign-win-binary" schedule: interval: "weekly" time: "04:00" @@ -303,7 +339,31 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/pipx" + directory: "/signature" + schedule: + interval: "weekly" + time: "04:00" + commit-message: + prefix: "Deps" + groups: + dependencies: + patterns: + - "*" + + - package-ecosystem: "github-actions" + directory: "/trigger-harbor-replication" + schedule: + interval: "weekly" + time: "04:00" + commit-message: + prefix: "Deps" + groups: + dependencies: + patterns: + - "*" + + - package-ecosystem: "github-actions" + directory: "/trigger-workflow" schedule: interval: "weekly" time: "04:00" @@ -315,7 +375,7 @@ updates: - "*" - package-ecosystem: "github-actions" - directory: "/release-assets_tests" + directory: "/upload-digest" schedule: interval: "weekly" time: "04:00" 
@@ -326,20 +386,29 @@ updates: patterns: - "*" + - package-ecosystem: "github-actions" + directory: "/uv" + schedule: + interval: "weekly" + time: "04:00" + commit-message: + prefix: "Deps" + groups: + dependencies: + patterns: + - "*" - package-ecosystem: pip directories: - - "/download-artifact/" - - "/conventional-commits/" - - "/oci-info/" - "/backport-pull-request/" + - "/conventional-commits/" + - "/download-artifact/" - "/generate-dependabot-config/" - - "/pr-conventional-commit-labeler/" - "/helm-version-upgrade/" - - "/trigger-workflow/" + - "/oci-info/" + - "/pr-conventional-commit-labeler/" - "/release-assets/" - - "/release-assets_tests/" - - "/test-python-project/" + - "/trigger-workflow/" schedule: interval: "weekly" time: "04:00" From d28af6c3df75b01f227ab2fd824ea167a7a57db0 Mon Sep 17 00:00:00 2001 From: Eben Asamoah <77969078+easamoah7@users.noreply.github.com> Date: Tue, 23 Sep 2025 14:32:57 +0200 Subject: [PATCH 08/18] Add: change README.md --- docker-client-tls-login/README.md | 39 +++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 12 deletions(-) diff --git a/docker-client-tls-login/README.md b/docker-client-tls-login/README.md index 921b38f67..f2208c7f4 100644 --- a/docker-client-tls-login/README.md +++ b/docker-client-tls-login/README.md @@ -1,10 +1,10 @@ -# Docker CLIENT TLS Login +# Docker Client TLS Login GitHub Action to configure Docker with client TLS certificates for registry authentication. ## Example -```yml +```yaml name: Docker TLS Login on: 
@@ -15,10 +15,16 @@ jobs: name: Docker Operations with TLS runs-on: ubuntu-latest steps: - - uses: greenbone/actions/docker-client-tls-login@v1 + - name: Login to Greenbone Registry + uses: greenbone/actions/docker-client-tls-login@v1 with: - client-cert: ${{ secrets.GREENBONE_CLIENT_CERT }} - client-key: ${{ secrets.GREENBONE_CLIENT_KEY }} + registry: packages.greenbone.net + env: + GREENBONE_CLIENT_CERT: ${{ secrets.GREENBONE_CLIENT_CERT }} + GREENBONE_CLIENT_KEY: ${{ secrets.GREENBONE_CLIENT_KEY }} + GREENBONE_REGISTRY_USER: ${{ secrets.GREENBONE_REGISTRY_USER }} + GREENBONE_REGISTRY_TOKEN: ${{ secrets.GREENBONE_REGISTRY_TOKEN }} + - name: Pull Docker image run: | docker pull packages.greenbone.net/some-greenbone-image:latest 
@@ -26,10 +32,19 @@ jobs: ## Action Configuration -| Input Variable | Description | | -|----------------|-----------------------------------------------------------------------|--------------------------------------| -| registry | Docker registry URL | Optional: (Default is `"packages.greenbone.net"`) | -| client-cert | Client certificate in PEM format | | -| client-key | Client private key in PEM format | | -| ca-cert | CA certificate in PEM format | Optional | -| logout | Clean up certificates at the end of the job | Optional: (Default is `true`) | +### Inputs + +| Input Variable | Description | Required | Default | +|----------------|---------------------------------------|----------|----------------------------| +| registry | Docker registry URL | No | `packages.greenbone.net` | +| logout | Clean up certificates at end of job | No | `true` | + +### Environment Variables + +| Environment Variable | Description | Required | +|---------------------------|---------------------------------------|----------| +| GREENBONE_CLIENT_CERT | Client certificate in PEM format | Yes | +| GREENBONE_CLIENT_KEY | Client private key in PEM format | Yes | +| GREENBONE_CA_CERT | CA certificate in PEM format | No | +| GREENBONE_REGISTRY_USER | Username for basic authentication | No | +| GREENBONE_REGISTRY_TOKEN | Password/token for basic auth | No | From d141d016e6f7969480fdfa468f5ef61599b86abf Mon Sep 17 00:00:00 2001 From: Eben Asamoah <77969078+easamoah7@users.noreply.github.com> Date: Tue, 30 Sep 2025 17:22:03 +0200 Subject: [PATCH 09/18] Add: new logic --- docker-client-tls-login/action.yml | 127 +++++++++++------------------ 1 file changed, 46 insertions(+), 81 deletions(-) diff --git a/docker-client-tls-login/action.yml b/docker-client-tls-login/action.yml index 1290b0a79..87eb97d81 100644 --- a/docker-client-tls-login/action.yml +++ b/docker-client-tls-login/action.yml 
@@ -1,103 +1,68 @@ -name: 'Docker Login with Client TLS Certificates' -description: 'Configure Docker to use client TLS certificates for mutual authentication' +name: 'Docker TLS Certificate Login' +description: 'Login to Docker registry using TLS client certificates for mutual authentication' inputs: - registry: - description: 'Docker registry URL' + registry-url: + description: 'Docker registry URL (e.g., registry.example.com)' required: true - default: 'https://packages.greenbone.net' - logout: - description: 'Clean up certificates at the end of the job' + client-cert: + description: 'Base64-encoded client certificate (PEM format)' + required: true + client-key: + description: 'Base64-encoded client private key (PEM format)' + required: true + ca-cert: + description: 'Base64-encoded CA certificate (PEM format). Optional if using system CA bundle.' required: false - default: 'true' + default: '' + debug: + description: 'Enable debug output (true/false)' + required: false + default: 'false' outputs: - registry: - description: 'Registry that was configured' - value: ${{ steps.set-output.outputs.registry }} + cert-directory: + description: 'Path to the Docker certificate directory' + value: ${{ steps.setup.outputs.cert-directory }} runs: using: 'composite' steps: - - name: Configure Docker TLS and Login + - name: 'Setup Docker TLS Certificates' + id: setup shell: bash run: | - DOCKER_CONFIG_DIR="$HOME/.docker" - REGISTRY_HOST="${{ inputs.registry }}" - REGISTRY_HOST=${REGISTRY_HOST#http*://} - REGISTRY_HOST=${REGISTRY_HOST%/*} - echo "REGISTRY_HOST=$REGISTRY_HOST" >> $GITHUB_ENV - - CERT_DIR="$DOCKER_CONFIG_DIR/certs.d/$REGISTRY_HOST" + # Setup certificate directory + REGISTRY_URL="${{ inputs.registry-url }}" + CERT_DIR="$HOME/.docker/certs.d/$REGISTRY_URL" mkdir -p "$CERT_DIR" - echo "DOCKER_CERT_DIR=$CERT_DIR" >> $GITHUB_ENV - # Check for required environment variables - if [[ -z "${GREENBONE_CLIENT_CERT:-}" ]]; then - echo "ERROR: GREENBONE_CLIENT_CERT 
environment variable is required" - exit 1 + # Install certificates + echo "${{ inputs.client-cert }}" | base64 -d > "$CERT_DIR/client.cert" + echo "${{ inputs.client-key }}" | base64 -d > "$CERT_DIR/client.key" + chmod 644 "$CERT_DIR/client.cert" + chmod 600 "$CERT_DIR/client.key" + + # Install CA certificate if provided + if [[ -n "${{ inputs.ca-cert }}" ]]; then + echo "${{ inputs.ca-cert }}" | base64 -d > "$CERT_DIR/ca.cert" + chmod 644 "$CERT_DIR/ca.cert" fi - if [[ -z "${GREENBONE_CLIENT_KEY:-}" ]]; then - echo "ERROR: GREENBONE_CLIENT_KEY environment variable is required" + # Verify certificate and key match + CERT_MODULUS=$(openssl x509 -noout -modulus -in "$CERT_DIR/client.cert") + KEY_MODULUS=$(openssl rsa -noout -modulus -in "$CERT_DIR/client.key") + if [[ "$CERT_MODULUS" != "$KEY_MODULUS" ]]; then + echo "Error: Certificate and private key do not match" exit 1 fi - # Write certificates from environment variables - echo "$GREENBONE_CLIENT_CERT" > "$CERT_DIR/client.cert" - echo "$GREENBONE_CLIENT_KEY" > "$CERT_DIR/client.key" + echo "cert-directory=$CERT_DIR" >> $GITHUB_OUTPUT + echo "Docker TLS certificates installed to: $CERT_DIR" - # Handle CA certificate - use provided or extract from client cert - if [[ -n "${GREENBONE_CA_CERT:-}" ]]; then - echo "$GREENBONE_CA_CERT" > "$CERT_DIR/ca.crt" - else - # Extract CA certificate from client certificate chain if it contains multiple certs - CERT_COUNT=$(grep -c "BEGIN CERTIFICATE" "$CERT_DIR/client.cert" || echo "1") - if [[ "$CERT_COUNT" -gt 1 ]]; then - echo "Extracting CA certificate from client certificate chain..." - # Extract the last certificate in the chain (should be the CA) - tail -n +$(grep -n "BEGIN CERTIFICATE" "$CERT_DIR/client.cert" | tail -1 | cut -d: -f1) "$CERT_DIR/client.cert" > "$CERT_DIR/ca.crt" - else - # If only one certificate, use it as both client and CA (self-signed case) - echo "Using client certificate as CA certificate..." 
- cp "$CERT_DIR/client.cert" "$CERT_DIR/ca.crt" - fi + if [[ "${{ inputs.debug }}" == "true" ]]; then + echo "--- Certificate Details ---" + openssl x509 -in "$CERT_DIR/client.cert" -noout -subject -dates + ls -la "$CERT_DIR/" fi - chmod 600 "$CERT_DIR"/* - - # List certificate files for debugging - echo "Certificate files created:" - ls -la "$CERT_DIR/" - - # Test Docker connectivity and perform login in the same context - echo "Testing Docker connectivity to $REGISTRY_HOST..." - if docker info >/dev/null 2>&1; then - echo "Docker daemon is running" - - # Perform login if credentials provided via environment variables - if [[ -n "${GREENBONE_REGISTRY_USER:-}" ]] && [[ -n "${GREENBONE_REGISTRY_TOKEN:-}" ]]; then - echo "Performing docker login with provided credentials..." - echo "Registry: $REGISTRY_HOST" - echo "Username: $GREENBONE_REGISTRY_USER" - echo "$GREENBONE_REGISTRY_TOKEN" | docker login "$REGISTRY_HOST" --username "$GREENBONE_REGISTRY_USER" --password-stdin - else - echo "No basic auth credentials provided - using certificate-only authentication" - echo "Attempting to test registry access with certificates only..." - # Test if certificates alone are sufficient - docker pull $REGISTRY_HOST/hello-world:latest 2>/dev/null || echo "Certificate-only authentication failed - basic auth may be required" - fi - else - echo "Warning: Docker daemon not accessible" - fi - - - name: Set output - id: set-output - shell: bash - run: echo "registry=$REGISTRY_HOST" >> $GITHUB_OUTPUT - - - name: Cleanup certificates (if logout enabled) - if: inputs.logout == 'true' - shell: bash - run: | - [[ -n "${DOCKER_CERT_DIR:-}" && -d "$DOCKER_CERT_DIR" ]] && rm -rf "$DOCKER_CERT_DIR" From 378a478fd7006b87625948ccf79cb5c9d7cd5d03 Mon Sep 17 00:00:00 2001 
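Review bot: The key/certificate match check in this hunk runs `openssl rsa -noout -modulus` on the private key, which fails for non-RSA keys (an EC client key, for example), and under the `-e` GitHub applies to `shell: bash` that failure aborts the step before the clearer 'do not match' message is reached. Comparing public keys works for any key type: `CERT_PUB=$(openssl x509 -noout -pubkey -in "$CERT_DIR/client.cert")`, `KEY_PUB=$(openssl pkey -pubout -in "$CERT_DIR/client.key")`, then `[[ "$CERT_PUB" == "$KEY_PUB" ]]`. The secrets are again spliced into the script through `${{ inputs.client-key }}` before bash parses it; passing them via `env:` and decoding `"$CLIENT_KEY"` keeps the input text out of shell parsing. This revision also removes the cleanup step entirely, so `client.key` stays in `$HOME/.docker/certs.d/` for the life of the runner unless the caller deletes it — worth a line in the action description — and `umask 077` before the `base64 -d > "$CERT_DIR/client.key"` redirect would avoid the brief readable window before `chmod 600`.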
From: Eben Asamoah <77969078+easamoah7@users.noreply.github.com> Date: Tue, 30 Sep 2025 17:28:30 +0200 Subject: [PATCH 10/18] Add: Update README.md --- docker-client-tls-login/README.md | 58 +++++++++++++++++-------------- 1 file changed, 31 insertions(+), 27 deletions(-) diff --git a/docker-client-tls-login/README.md b/docker-client-tls-login/README.md index f2208c7f4..08ca31292 100644 --- a/docker-client-tls-login/README.md +++ b/docker-client-tls-login/README.md @@ -1,8 +1,8 @@ -# Docker Client TLS Login +# Docker TLS Certificate Login Action -GitHub Action to configure Docker with client TLS certificates for registry authentication. +This GitHub Action configures Docker to use client TLS certificates for secure registry authentication (mutual TLS). -## Example +## Example Usage ```yaml name: Docker TLS Login 
@@ -15,36 +15,40 @@ jobs: name: Docker Operations with TLS runs-on: ubuntu-latest steps: - - name: Login to Greenbone Registry - uses: greenbone/actions/docker-client-tls-login@v1 + - name: Setup Docker TLS Certificates + uses: ./.github/actions/docker-tls-login + with: + registry-url: packages.greenbone.net + client-cert: ${{ secrets.GREENBONE_CLIENT_CERT }} + client-key: ${{ secrets.GREENBONE_CLIENT_KEY }} + # Optional: ca-cert if not using system CA bundle + # ca-cert: ${{ secrets.GREENBONE_CA_CERT }} + debug: 'true' + + - name: Login to Greenbone Registry (Read-Only) + uses: docker/login-action@v3 with: registry: packages.greenbone.net - env: - GREENBONE_CLIENT_CERT: ${{ secrets.GREENBONE_CLIENT_CERT }} - GREENBONE_CLIENT_KEY: ${{ secrets.GREENBONE_CLIENT_KEY }} - GREENBONE_REGISTRY_USER: ${{ secrets.GREENBONE_REGISTRY_USER }} - GREENBONE_REGISTRY_TOKEN: ${{ secrets.GREENBONE_REGISTRY_TOKEN }} - + username: ${{ secrets.GREENBONE_REGISTRY_READ_USER }} + password: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }} + - name: Pull Docker image run: | - docker pull packages.greenbone.net/some-greenbone-image:latest + docker pull packages.greenbone.net/opensight/opensight-postgres:17.5.3@sha256:2e28556d0dceec5880f2104e35db6002d64d6e7e756e7fbf2b618d4d660f0d31 ``` -## Action Configuration - -### Inputs +## Inputs -| Input Variable | Description | Required | Default | -|----------------|---------------------------------------|----------|----------------------------| -| registry | Docker registry URL | No | `packages.greenbone.net` | -| logout | Clean up certificates at end of job | No | `true` | +| Input Variable | Description | Required | Default | +|----------------|---------------------------------------|----------|-----------| +| registry-url | Docker registry URL | Yes | | +| client-cert | Base64-encoded client certificate | Yes | | +| client-key | Base64-encoded client private key | Yes | | +| ca-cert | Base64-encoded CA certificate | No | '' | +| debug | Enable debug 
output (true/false) | No | 'false' | -### Environment Variables +## Outputs -| Environment Variable | Description | Required | -|---------------------------|---------------------------------------|----------| -| GREENBONE_CLIENT_CERT | Client certificate in PEM format | Yes | -| GREENBONE_CLIENT_KEY | Client private key in PEM format | Yes | -| GREENBONE_CA_CERT | CA certificate in PEM format | No | -| GREENBONE_REGISTRY_USER | Username for basic authentication | No | -| GREENBONE_REGISTRY_TOKEN | Password/token for basic auth | No | +| Output Variable | Description | +|-----------------|---------------------------------------| +| cert-directory | Path to the Docker certificate directory | From 3eb4534b0f7c7e4a9d39ee5ca2a3b582216eac0e Mon Sep 17 00:00:00 2001 From: Eben Asamoah <77969078+easamoah7@users.noreply.github.com> Date: Tue, 30 Sep 2025 17:31:48 +0200 Subject: [PATCH 11/18] Add: Action version --- docker-client-tls-login/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-client-tls-login/README.md b/docker-client-tls-login/README.md index 08ca31292..f9f685c43 100644 --- a/docker-client-tls-login/README.md +++ b/docker-client-tls-login/README.md @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Setup Docker TLS Certificates - uses: ./.github/actions/docker-tls-login + uses: greenbone/actions/sdocker-client-tls-login@v1.0.0 with: registry-url: packages.greenbone.net client-cert: ${{ secrets.GREENBONE_CLIENT_CERT }} From 965b3c163f5a1ad0f3ce3c07417390baa1a678ce Mon Sep 17 00:00:00 2001 From: Eben Asamoah <77969078+easamoah7@users.noreply.github.com> Date: Tue, 30 Sep 2025 17:32:16 +0200 Subject: [PATCH 12/18] Fix: error --- docker-client-tls-login/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-client-tls-login/README.md b/docker-client-tls-login/README.md index f9f685c43..3a9d24c8d 100644 --- a/docker-client-tls-login/README.md +++ b/docker-client-tls-login/README.md 
@@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Setup Docker TLS Certificates - uses: greenbone/actions/sdocker-client-tls-login@v1.0.0 + uses: greenbone/actions/docker-client-tls-login@v1.0.0 with: registry-url: packages.greenbone.net client-cert: ${{ secrets.GREENBONE_CLIENT_CERT }} From 9313cf3fcf08f53b0f9d2a81a15684ea45793d84 Mon Sep 17 00:00:00 2001 From: Jaspar Stach Date: Thu, 2 Oct 2025 07:45:39 +0200 Subject: [PATCH 13/18] Add restart, use /etc/.docker/ --- docker-client-tls-login/action.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docker-client-tls-login/action.yml b/docker-client-tls-login/action.yml index 87eb97d81..b72bdd979 100644 --- a/docker-client-tls-login/action.yml +++ b/docker-client-tls-login/action.yml @@ -34,7 +34,7 @@ runs: run: | # Setup certificate directory REGISTRY_URL="${{ inputs.registry-url }}" - CERT_DIR="$HOME/.docker/certs.d/$REGISTRY_URL" + CERT_DIR=/etc/.docker/certs.d/$REGISTRY_URL" mkdir -p "$CERT_DIR" # Install certificates @@ -66,3 +66,12 @@ runs: ls -la "$CERT_DIR/" fi + echo "Restarting Docker to reload TLS certs..." + sudo systemctl restart docker + sleep 5 + if systemctl is-active --quiet docker; then + echo "Docker daemon restarted successfully." + else + echo "Docker daemon failed to restart after cert insertion." + exit 1 + fi From c28db9c96216e1b2251af08ccd72f9ebda41e4a8 Mon Sep 17 00:00:00 2001 From: Jaspar Stach Date: Thu, 2 Oct 2025 08:07:16 +0200 Subject: [PATCH 14/18] Remove base64 decoding --- docker-client-tls-login/action.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/docker-client-tls-login/action.yml b/docker-client-tls-login/action.yml index b72bdd979..dddaf37d5 100644 --- a/docker-client-tls-login/action.yml +++ b/docker-client-tls-login/action.yml 
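Review bot: The new certificate path `CERT_DIR=/etc/.docker/certs.d/$REGISTRY_URL"` in the first action.yml hunk of "Add restart, use /etc/.docker/" uses a dot-prefixed `/etc/.docker` directory, but the system-wide location the Docker daemon consults is `/etc/docker/certs.d/<host>` (no leading dot), so certificates written here will not be used for registry connections no matter how often the daemon is restarted. The line also carries an unbalanced trailing `"` that leaves the assignment unterminated; it should read `CERT_DIR="/etc/docker/certs.d/$REGISTRY_URL"`. The enclosing `run: |` step starts and ends outside this hunk.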
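Review bot: In the second hunk the readiness check after `sudo systemctl restart docker` is a fixed `sleep 5` followed by `systemctl is-active`, which tests that the unit is running but not that the daemon is accepting connections, so a slow restart still passes and a later `docker pull` fails without a clear cause. Polling the daemon is more reliable, e.g. `until docker info >/dev/null 2>&1; do sleep 1; done` bounded by a retry count. Docker reads `certs.d` when it opens a registry connection, so the restart is probably unnecessary and, since it also stops any containers the job already started (service containers, for instance), worth a comment explaining why it is kept if it stays.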
@@ -33,19 +33,18 @@ runs: shell: bash run: | # Setup certificate directory - REGISTRY_URL="${{ inputs.registry-url }}" - CERT_DIR=/etc/.docker/certs.d/$REGISTRY_URL" + CERT_DIR=/etc/.docker/certs.d/${{ inputs.registry-url }}" mkdir -p "$CERT_DIR" # Install certificates - echo "${{ inputs.client-cert }}" | base64 -d > "$CERT_DIR/client.cert" - echo "${{ inputs.client-key }}" | base64 -d > "$CERT_DIR/client.key" - chmod 644 "$CERT_DIR/client.cert" - chmod 600 "$CERT_DIR/client.key" + echo "${{ inputs.client-cert }}" > "$CERT_DIR/client.cert" + echo "${{ inputs.client-key }}" > "$CERT_DIR/client.key" + #chmod 644 "$CERT_DIR/client.cert" + #chmod 600 "$CERT_DIR/client.key" # Install CA certificate if provided if [[ -n "${{ inputs.ca-cert }}" ]]; then - echo "${{ inputs.ca-cert }}" | base64 -d > "$CERT_DIR/ca.cert" + echo "${{ inputs.ca-cert }}" > "$CERT_DIR/ca.cert" chmod 644 "$CERT_DIR/ca.cert" fi @@ -58,7 +57,7 @@ runs: fi echo "cert-directory=$CERT_DIR" >> $GITHUB_OUTPUT - echo "Docker TLS certificates installed to: $CERT_DIR" + echo "Docker TLS certificates written to: $CERT_DIR" if [[ "${{ inputs.debug }}" == "true" ]]; then echo "--- Certificate Details ---" From fde6a5544a802b958053cef8ad867afe0e2caa58 Mon Sep 17 00:00:00 2001 From: Jaspar Stach Date: Thu, 2 Oct 2025 08:13:15 +0200 Subject: [PATCH 15/18] Fix quotation --- docker-client-tls-login/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-client-tls-login/action.yml b/docker-client-tls-login/action.yml index dddaf37d5..9d498fe19 100644 --- a/docker-client-tls-login/action.yml +++ b/docker-client-tls-login/action.yml @@ -33,7 +33,7 @@ runs: shell: bash run: | # Setup certificate directory - CERT_DIR=/etc/.docker/certs.d/${{ inputs.registry-url }}" + CERT_DIR=/etc/.docker/certs.d/${{ inputs.registry-url }} mkdir -p "$CERT_DIR" # Install certificates From 7f89f0664c1132593fdcd3d10465984f2bff1641 Mon Sep 17 00:00:00 2001 
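Review bot: The first hunk of "Remove base64 decoding" comments out `chmod 600 "$CERT_DIR/client.key"`, so the client private key is created with the shell's default umask (typically world-readable) and stays that way for the rest of the job; the permission lines should be restored rather than commented out, `chmod 644 "$CERT_DIR/client.cert"` and `chmod 600 "$CERT_DIR/client.key"`. The same hunk drops the `REGISTRY_URL` variable and interpolates `${{ inputs.registry-url }}` directly into the unquoted `CERT_DIR=` assignment, so the input is now part of the script text instead of data; passing it via the step's `env:` and referencing `"$REGISTRY_URL"` keeps it quoted and inert. The README updated earlier in this series still documents `client-cert`, `client-key` and `ca-cert` as Base64-encoded, which no longer matches the raw PEM the step now writes. The enclosing `run: |` step starts outside this hunk.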
From: Jaspar Stach Date: Thu, 2 Oct 2025 08:18:42 +0200 Subject: [PATCH 16/18] sudo --- docker-client-tls-login/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-client-tls-login/action.yml b/docker-client-tls-login/action.yml index 9d498fe19..024e47c45 100644 --- a/docker-client-tls-login/action.yml +++ b/docker-client-tls-login/action.yml @@ -34,7 +34,7 @@ runs: run: | # Setup certificate directory CERT_DIR=/etc/.docker/certs.d/${{ inputs.registry-url }} - mkdir -p "$CERT_DIR" + sudo mkdir -p "$CERT_DIR" # Install certificates echo "${{ inputs.client-cert }}" > "$CERT_DIR/client.cert" From f31ee05772ce3e309562216e4472f3132f36efb9 Mon Sep 17 00:00:00 2001 From: Jaspar Stach Date: Thu, 2 Oct 2025 08:29:44 +0200 Subject: [PATCH 17/18] sudo --- docker-client-tls-login/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-client-tls-login/action.yml b/docker-client-tls-login/action.yml index 024e47c45..5fb99833e 100644 --- a/docker-client-tls-login/action.yml +++ b/docker-client-tls-login/action.yml @@ -37,8 +37,8 @@ runs: sudo mkdir -p "$CERT_DIR" # Install certificates - echo "${{ inputs.client-cert }}" > "$CERT_DIR/client.cert" - echo "${{ inputs.client-key }}" > "$CERT_DIR/client.key" + sudo echo "${{ inputs.client-cert }}" > "$CERT_DIR/client.cert" + sudo echo "${{ inputs.client-key }}" > "$CERT_DIR/client.key" #chmod 644 "$CERT_DIR/client.cert" #chmod 600 "$CERT_DIR/client.key" From 1d1e054a7d497a4d4664d9238c8c462d5a4cbedb Mon Sep 17 00:00:00 2001 From: Jaspar Stach Date: Thu, 2 Oct 2025 08:33:15 +0200 Subject: [PATCH 18/18] sudo --- docker-client-tls-login/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-client-tls-login/action.yml b/docker-client-tls-login/action.yml index 5fb99833e..2c074dc79 100644 --- a/docker-client-tls-login/action.yml +++ b/docker-client-tls-login/action.yml 
@@ -37,8 +37,8 @@ runs: sudo mkdir -p "$CERT_DIR" # Install certificates - sudo echo "${{ inputs.client-cert }}" > "$CERT_DIR/client.cert" - sudo echo "${{ inputs.client-key }}" > "$CERT_DIR/client.key" + echo "${{ inputs.client-cert }}" | sudo tee "$CERT_DIR/client.cert" + echo "${{ inputs.client-key }}" | sudo tee "$CERT_DIR/client.key" #chmod 644 "$CERT_DIR/client.cert" #chmod 600 "$CERT_DIR/client.key"
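Review bot: `echo "${{ inputs.client-key }}" | sudo tee "$CERT_DIR/client.key"` writes the private key to the file and, because `tee` copies its input to stdout, also to the job log; the stdout copy should be discarded, `echo "${{ inputs.client-key }}" | sudo tee "$CERT_DIR/client.key" >/dev/null`, and likewise for `client.cert`. Log masking only covers values that came in through `secrets.*`, and the action cannot know how the caller supplied the input, so it should not be relied on here. The files `tee` creates are root-owned with the default umask while the `chmod` lines below remain commented out, so the key ends up readable by the unprivileged runner user as well. The enclosing `run: |` step starts outside this hunk.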