Update changelog

Signed-off-by: divyansh42 <diagrawa@redhat.com>

.github/install_latest_podman.sh

@@ -1,7 +1,3 @@
-# https://podman.io/getting-started/installation
-. /etc/os-release
-echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-curl -sSfL "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/Release.key" | sudo apt-key add -
 sudo apt-get update
 sudo apt-get -y upgrade
 sudo apt-get -y install podman

.github/workflows/ci.yml

@@ -8,21 +8,21 @@ on:
 jobs:
   lint:
     name: Run ESLint
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - run: npm ci
       - run: npm run lint
 
   check-dist:
     name: Check Distribution
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     env:
       BUNDLE_FILE: "dist/index.js"
       BUNDLE_COMMAND: "npm run bundle"
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Install
         run: npm ci
@@ -35,11 +35,11 @@ jobs:
 
   check-inputs-outputs:
     name: Check Input and Output enums
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     env:
       IO_FILE: ./src/generated/inputs-outputs.ts
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Install dependencies
         run: npm ci

.github/workflows/example.yml

@@ -1,6 +1,7 @@
 name: Test Login and Pull
 on:
   push:
+  pull_request_target:
   workflow_dispatch:
   schedule:
     - cron: '0 0 * * *'  # every day at midnight
@@ -14,7 +15,7 @@ env:
 jobs:
   podman-pull:
     name: Log in and pull image with Podman
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
       matrix:
@@ -22,7 +23,7 @@ jobs:
 
     steps:
 
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Install latest podman
         if: matrix.install_latest
@@ -35,22 +36,27 @@ jobs:
           username: ${{ env.REGISTRY_USER }}
           password: ${{ env.REGISTRY_PASSWORD }}
           registry: ${{ env.IMAGE_REGISTRY }}
+          auth_file_path: ./auth/auth.json
 
       - name: Pull image with Podman
         run: podman pull ${{ env.IMAGE_PATH }}
 
   buildah-pull:
     name: Log in and pull image with Buildah
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        install_latest: [ true, false ]
     steps:
 
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Install latest podman
         if: matrix.install_latest
         run: |
           bash .github/install_latest_podman.sh
-        
+
       - name: Log in to quay.io
         uses: ./
         with:
@@ -60,3 +66,29 @@ jobs:
 
       - name: Pull image with Buildah
         run: buildah pull ${{ env.IMAGE_PATH }}
+
+  docker-pull:
+    name: Log in and pull image with Docker
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        install_latest: [ true, false ]
+    steps:
+
+      - uses: actions/checkout@v3
+
+      - name: Install latest podman
+        if: matrix.install_latest
+        run: |
+          bash .github/install_latest_podman.sh
+
+      - name: Log in to quay.io
+        uses: ./
+        with:
+          username: ${{ env.REGISTRY_USER }}
+          password: ${{ env.REGISTRY_PASSWORD }}
+          registry: ${{ env.IMAGE_REGISTRY }}
+
+      - name: Pull image with Docker
+        run: docker pull ${{ env.IMAGE_PATH }}

.github/workflows/link_check.yml

@@ -12,9 +12,9 @@ on:
 jobs:
   markdown-link-check:
     name: Check links in markdown
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - uses: gaurav-nelson/github-action-markdown-link-check@v1
         with:
           use-verbose-mode: true

.github/workflows/security_scan.yml

@@ -0,0 +1,35 @@
+name: Vulnerability Scan with CRDA
+on:
+  # push:
+  workflow_dispatch:
+  # pull_request_target:
+  #   types: [ assigned, opened, synchronize, reopened, labeled, edited ]
+  # schedule:
+  #   - cron: '0 0 * * *'  # every day at midnight
+
+jobs:
+  crda-scan:
+    runs-on: ubuntu-22.04
+    name: Scan project vulnerability with CRDA
+    steps:
+
+      - uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v2
+        with:
+          node-version: '20'
+
+      - name: Install CRDA
+        uses: redhat-actions/openshift-tools-installer@v1
+        with:
+          source: github
+          github_pat: ${{ github.token }}
+          crda: "latest"
+
+      - name: CRDA Scan
+        id: scan
+        uses: redhat-actions/crda@v1
+        with:
+          crda_key: ${{ secrets.CRDA_KEY }}
+          fail_on: never

.gitignore

@@ -1,2 +1,3 @@
 node_modules/
-out/
+out/
+.idea/

CHANGELOG.md

@@ -1,10 +1,26 @@
 # podman-login Changelog
 
-## v1.1.1
--  Throw an error if required inputs are not provided
+## v1.7
+- Update action to run on Node20.https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/
+
+## v1.6
+- Update action/core dependency to 1.10.0
+
+## v1.5
+- Update action to run on Node16. https://github.blog/changelog/2022-05-20-actions-can-now-run-in-a-node-js-16-runtime/
+
+## v1.4
+- Add ability to login to AWS ECR repositories. More details at https://github.com/redhat-actions/podman-login/issues/23
+
+## v1.3
+- Add support to provide custom auth file path instead of using default ones set by podman. More details [here](https://github.com/redhat-actions/podman-login/issues/19).
+- Add `--verbose` flag in the login command that will give more detailed output.
+
+## v1.2
+- Add ability to pull image from docker after login. https://github.com/redhat-actions/podman-login/issues/15
 
 ## v1.1
-- Set environment variable REGISTRY_AUTH_FILE with the generated auth file to work with buildah
+- Set environment variable `REGISTRY_AUTH_FILE` with the generated auth file to work with buildah
 
 ## v1
 - Initial Release

README.md

@@ -26,6 +26,7 @@ This action only runs on `Linux`, as it uses [podman](https://github.com/contain
 | username | Username to log in against the container image registry. | **Must be provided**
 | password | Password, encrypted password, or access token for `username`. | **Must be provided**
 | logout | By default, the action logs out of the container image registry at the end of the job (for self-hosted runners). Set this to `false` to disable this behaviour. | `true`
+| auth_file_path | Path of the authentication file, this will override the default auth file path in podman | Default set in podman |
 
 ## Examples
 
@@ -84,5 +85,32 @@ jobs:
   # Now you can push images, and pull private ones, from ghcr.io.
 ```
 
-Refer to the [GitHub documentation](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context)
+It is also possible to login to AWS ECR repositories:
+
+```yaml
+name: Log in to ECR
+on:
+  push:
+
+env:
+  REGISTRY_USER: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  REGISTRY_PASSWORD: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  IMAGE_REGISTRY: 123456789012.dkr.ecr.eu-west-1.amazonaws.com
+
+jobs:
+  login:
+    name: Log in to AWS ECR Registry
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Log in to AWS ECR
+        uses: redhat-actions/podman-login@v1
+        with:
+          username: ${{ env.REGISTRY_USER }}
+          password: ${{ env.REGISTRY_PASSWORD }}
+          registry: ${{ env.IMAGE_REGISTRY }}
+
+  # Now you can push images, and pull private ones, from ECR.
+```
+
+Refer to the [GitHub documentation](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context) <!-- markdown-link-check-disable-line -->
 for information about the `github` context object.

action.yml

@@ -14,6 +14,9 @@ inputs:
   password:
     description: 'Password, encrypted password, or access token for username'
     required: true
+  auth_file_path:
+    description: 'Path of the authentication file, this will override the default auth file path in podman'
+    required: false
   logout:
     description: |
       'By default, the action logs out of the container image registry at the end
@@ -22,6 +25,6 @@ inputs:
     default: 'true'
 
 runs:
-  using: 'node12'
+  using: 'node20'
   main: 'dist/index.js'
   post: 'dist/index.js'

package.json

@@ -2,7 +2,7 @@
   "name": "podman-login",
   "version": "1.0.0",
   "engines": {
-    "node": "12"
+    "node": "20"
   },
   "description": "GitHub Action to log in against a container image registry",
   "repository": {
@@ -14,25 +14,28 @@
     "compile": "tsc -p .",
     "bundle": "ncc build src/index.ts --source-map --minify",
     "clean": "rm -rf out/ dist/",
-    "lint": "eslint . --max-warnings=0"
+    "lint": "eslint . --max-warnings=0",
+    "generate-ios": "npx action-io-generator -w -o ./src/generated/inputs-outputs.ts"
   },
   "keywords": [],
   "author": "Red Hat",
   "license": "MIT",
   "dependencies": {
-    "@actions/core": "^1.2.6",
-    "@actions/exec": "^1.0.4",
-    "@actions/io": "^1.0.2"
+    "@actions/core": "^1.10.1",
+    "@actions/exec": "^1.1.1",
+    "@actions/io": "^1.1.3",
+    "@aws-sdk/client-ecr": "^3.535.0",
+    "@aws-sdk/util-base64": "^3.310.0"
   },
   "devDependencies": {
     "@redhat-actions/action-io-generator": "^1.5.0",
-    "@redhat-actions/eslint-config": "^1.2.11",
-    "@redhat-actions/tsconfig": "^1.1.1",
-    "@types/node": "^12",
-    "@typescript-eslint/eslint-plugin": "^4.14.1",
-    "@typescript-eslint/parser": "^4.14.1",
-    "@vercel/ncc": "^0.25.1",
-    "eslint": "^7.18.0",
-    "typescript": "^4.0.5"
+    "@redhat-actions/eslint-config": "^1.3.2",
+    "@redhat-actions/tsconfig": "^1.2.0",
+    "@types/node": "^20",
+    "@typescript-eslint/eslint-plugin": "^7.2.0",
+    "@typescript-eslint/parser": "^7.2.0",
+    "@vercel/ncc": "^0.38.1",
+    "eslint": "^8.57.0",
+    "typescript": "^5.4.2"
   }
 }

src/context.ts

@@ -1,18 +0,0 @@
-import * as core from "@actions/core";
-import { Inputs } from "./generated/inputs-outputs";
-
-export interface ActionInputs {
-    registry: string;
-    username: string;
-    password: string;
-    logout: string;
-}
-
-export function getInputs(): ActionInputs {
-    return {
-        registry: core.getInput(Inputs.REGISTRY, { required: true }),
-        username: core.getInput(Inputs.USERNAME, { required: true }),
-        password: core.getInput(Inputs.PASSWORD, { required: true }),
-        logout: core.getInput(Inputs.LOGOUT) || "true",
-    };
-}

src/ecr.ts

@@ -0,0 +1,54 @@
+import * as core from "@actions/core";
+import { ECR } from "@aws-sdk/client-ecr";
+
+const ecrRegistryRegex = /^(([0-9]{12})\.dkr\.ecr\.(.+)\.amazonaws\.com(.cn)?)(\/([^:]+)(:.+)?)?$/;
+
+export interface ECRData {
+    username: string;
+    password: string;
+  }
+
+export function isECR(registry: string): boolean {
+    return ecrRegistryRegex.test(registry);
+}
+
+function getRegion(registry: string): string {
+    const matches = registry.match(ecrRegistryRegex);
+    if (!matches) {
+        return "";
+    }
+    return matches[3];
+}
+
+function getAccountID(registry: string): string {
+    const matches = registry.match(ecrRegistryRegex);
+    if (!matches) {
+        return "";
+    }
+    return matches[2];
+}
+
+export async function getECRToken(registry: string, username: string, password: string): Promise<ECRData> {
+    const ecr = new ECR({
+        credentials: {
+            accessKeyId: username,
+            secretAccessKey: password,
+        },
+        region: getRegion(registry),
+    });
+
+    const response = await ecr.getAuthorizationToken({ registryIds: [ getAccountID(registry) ] });
+    if (!Array.isArray(response.authorizationData) || response.authorizationData.length === 0) {
+        throw new Error("Unable to fetch ECR credentials from AWS!");
+    }
+    const tokenString = Buffer.from(response.authorizationData[0].authorizationToken || "", "base64").toString("utf-8");
+    const ecrCredentials = tokenString.split(":", 2);
+
+    // Hide auth token in actions logs
+    core.setSecret(ecrCredentials[1]);
+
+    return {
+        username: ecrCredentials[0],
+        password: ecrCredentials[1],
+    };
+}

src/generated/inputs-outputs.ts

@@ -1,5 +1,11 @@
 // This file was auto-generated by action-io-generator. Do not edit by hand!
 export enum Inputs {
+    /**
+     * Path of the authentication file, this will override the default auth file path in podman
+     * Required: false
+     * Default: None.
+     */
+    AUTH_FILE_PATH = "auth_file_path",
     /**
      * 'By default, the action logs out of the container image registry at the end
      * of the job (for self-hosted runners). Set this to false to disable this behaviour'

src/index.ts

@@ -4,14 +4,18 @@
  **************************************************************************************************/
 
 import * as core from "@actions/core";
+import { promises as fs } from "fs";
 import * as io from "@actions/io";
 import * as os from "os";
 import * as path from "path";
-import { getInputs } from "./context";
-import { execute } from "./utils";
+import * as ecr from "./ecr";
+import { execute, getDockerConfigJson } from "./utils";
 import * as stateHelper from "./state-helper";
+import { Inputs } from "./generated/inputs-outputs";
 
 let podmanPath: string | undefined;
+let registry: string;
+const dockerConfigPath = path.join(os.homedir(), ".docker", "config.json");
 
 async function getPodmanPath(): Promise<string> {
     if (podmanPath == null) {
@@ -27,9 +31,18 @@ async function run(): Promise<void> {
         throw new Error("❌ Only supported on linux platform");
     }
 
-    const {
-        registry, username, password, logout,
-    } = getInputs();
+    registry = core.getInput(Inputs.REGISTRY, { required: true });
+    let username = core.getInput(Inputs.USERNAME, { required: true });
+    let password = core.getInput(Inputs.PASSWORD, { required: true });
+    const logout = core.getInput(Inputs.LOGOUT) || "true";
+    const authFilePath = core.getInput(Inputs.AUTH_FILE_PATH);
+
+    if (ecr.isECR(registry)) {
+        core.info(`💡 Detected ${registry} as an ECR repository`);
+        const ECRData = await ecr.getECRToken(registry, username, password);
+        username = ECRData.username;
+        password = ECRData.password;
+    }
 
     stateHelper.setRegistry(registry);
     stateHelper.setLogout(logout);
@@ -43,16 +56,42 @@ async function run(): Promise<void> {
         password,
     ];
 
+    args.push("--verbose");
+    if (authFilePath) {
+        args.push(`--authfile=${authFilePath}`);
+    }
     await execute(await getPodmanPath(), args);
     core.info(`✅ Successfully logged in to ${registry} as ${username}`);
 
     // Setting REGISTRY_AUTH_FILE environment variable as buildah needs
     // this environment variable to point to registry auth file
-    const podmanAuthFilePath = path.join("/", "tmp", `podman-run-${process.getuid()}`,
-        "containers", "auth.json");
+
+    let podmanAuthFilePath;
+    if (authFilePath) {
+        podmanAuthFilePath = authFilePath;
+    }
+    else {
+        // process.getuid might be undefined
+        let authFileDir = path.join("/", "tmp", `podman-run-${process.getuid ? process.getuid() : null}`);
+        if (process.env.XDG_RUNTIME_DIR) {
+            authFileDir = process.env.XDG_RUNTIME_DIR;
+        }
+        podmanAuthFilePath = path.join(authFileDir, "containers", "auth.json");
+    }
     const REGISTRY_AUTH_ENVVAR = "REGISTRY_AUTH_FILE";
     core.info(`Exporting ${REGISTRY_AUTH_ENVVAR}=${podmanAuthFilePath}`);
     core.exportVariable(REGISTRY_AUTH_ENVVAR, podmanAuthFilePath);
+
+    const podmanConfigJson = await fs.readFile(podmanAuthFilePath, "utf-8");
+    const podmanConfig = JSON.parse(podmanConfigJson);
+    const generatedAuth = podmanConfig.auths[registry];
+
+    core.info(`✍️ Writing registry credentials to "${dockerConfigPath}"`);
+    const dockerConfig = JSON.parse(await getDockerConfigJson());
+
+    dockerConfig.auths[registry] = generatedAuth;
+
+    await fs.writeFile(dockerConfigPath, JSON.stringify(dockerConfig, undefined, 8), "utf-8");
 }
 
 async function registryLogout(): Promise<void> {
@@ -60,6 +99,11 @@ async function registryLogout(): Promise<void> {
         return;
     }
     await execute(await getPodmanPath(), [ "logout", stateHelper.registry ]);
+
+    const dockerConfig = JSON.parse(await getDockerConfigJson());
+    core.info(`Removing registry credentials from "${dockerConfigPath}"`);
+    delete dockerConfig.auths[registry];
+    await fs.writeFile(dockerConfigPath, JSON.stringify(dockerConfig, undefined, 8), "utf-8");
 }
 
 if (!stateHelper.IsPost) {

src/utils.ts

@@ -6,6 +6,8 @@
 import * as core from "@actions/core";
 import * as exec from "@actions/exec";
 import * as path from "path";
+import { promises as fs } from "fs";
+import * as os from "os";
 
 interface ExecResult {
     exitCode: number;
@@ -64,3 +66,9 @@ export async function execute(
         }
     }
 }
+
+export async function getDockerConfigJson(): Promise<string> {
+    const dockerConfigPath = path.join(os.homedir(), ".docker", "config.json");
+    return fs.readFile(dockerConfigPath, "utf-8")
+        .catch((err) => { if (err.code === "ENOENT") { return `{"auths":{}}`; } throw err; });
+}