Harden inter-hub production deploy trigger
This commit is contained in:
80
tools/check-oci-image.sh
Executable file
80
tools/check-oci-image.sh
Executable file
@@ -0,0 +1,80 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
image_ref="${1:-}"
|
||||
|
||||
if [[ -z "$image_ref" ]]; then
|
||||
echo "usage: $0 <registry/repository:tag>" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
failures=()
|
||||
|
||||
try_tool() {
|
||||
local name="$1"
|
||||
shift
|
||||
|
||||
if ! command -v "$name" >/dev/null 2>&1; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
local output
|
||||
if output="$("$@" 2>&1 >/dev/null)"; then
|
||||
echo "ok: found image manifest with $name: $image_ref"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
failures+=("$name: $output")
|
||||
return 1
|
||||
}
|
||||
|
||||
try_registry_api() {
|
||||
if ! command -v curl >/dev/null 2>&1; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
local ref_no_digest="${image_ref%@*}"
|
||||
local ref_without_tag tag registry repo url output
|
||||
|
||||
if [[ "$ref_no_digest" != *:* ]]; then
|
||||
failures+=("registry-api: image ref must include an explicit tag")
|
||||
return 1
|
||||
fi
|
||||
|
||||
tag="${ref_no_digest##*:}"
|
||||
ref_without_tag="${ref_no_digest%:*}"
|
||||
registry="${ref_without_tag%%/*}"
|
||||
repo="${ref_without_tag#*/}"
|
||||
|
||||
if [[ -z "$registry" || -z "$repo" || "$registry" == "$repo" ]]; then
|
||||
failures+=("registry-api: image ref must include registry and repository")
|
||||
return 1
|
||||
fi
|
||||
|
||||
url="https://${registry}/v2/${repo}/manifests/${tag}"
|
||||
if output="$(curl -fsSL \
|
||||
-H "Accept: application/vnd.oci.image.index.v1+json" \
|
||||
-H "Accept: application/vnd.oci.image.manifest.v1+json" \
|
||||
-H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" \
|
||||
-H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
|
||||
-o /dev/null "$url" 2>&1)"; then
|
||||
echo "ok: found image manifest with registry API: $image_ref"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
failures+=("registry-api: $output")
|
||||
return 1
|
||||
}
|
||||
|
||||
try_tool skopeo skopeo inspect --raw "docker://${image_ref}" || true
|
||||
try_tool crane crane manifest "$image_ref" || true
|
||||
try_tool docker docker manifest inspect "$image_ref" || true
|
||||
try_registry_api || true
|
||||
|
||||
echo "ERROR: image manifest not found or not accessible: $image_ref" >&2
|
||||
if ((${#failures[@]} > 0)); then
|
||||
printf '%s\n' "${failures[@]}" >&2
|
||||
else
|
||||
echo "No supported manifest inspection tool was available." >&2
|
||||
fi
|
||||
exit 1
|
||||
Reference in New Issue
Block a user