@tuananh
Forked from jdolitsky/FREEDOM.sh
Created December 5, 2022 07:07
Mirror a list of images to GHCR with crane (and sign them with cosign!)
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail

# Both tools must be on PATH: crane copies the images, cosign signs them.
if ! crane version >/dev/null; then echo "Must install crane."; exit 1; fi
if ! cosign version >/dev/null; then echo "Must install cosign."; exit 1; fi

GHCR_ROOT_NAMESPACE="${GHCR_ROOT_NAMESPACE:-}"
if [ "${GHCR_ROOT_NAMESPACE}" == "" ]; then echo "Must set GHCR_ROOT_NAMESPACE."; exit 1; fi

# Convert the registry hostname to the first part of namespace
# e.g. "index.docker.io/ubuntu/mysql:8.0-20.04_beta"
# ---> "ghcr.io/<root>/index--docker--io/ubuntu/mysql:8.0-20.04_beta"
#
# images.txt is read from the directory that contains this script.
for img in $(cat "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/images.txt"); do
  new_img="ghcr.io/${GHCR_ROOT_NAMESPACE}"
  new_img="${new_img}/$(echo "${img}" | cut -d/ -f1 | sed 's/\./--/g')"
  new_img="${new_img}/$(echo "${img}" | cut -d/ -f2-)"
  crane copy "${img}" "${new_img}"
  # Signs the mirrored reference as written in images.txt (a tag, not a digest).
  cosign sign "${new_img}"
done

# .github/workflows/FREEDOM.yml
name: FREEDOM
on:
  push:
    branches: main
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      packages: write
      contents: read
    steps:
      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
      - uses: imjasonh/setup-crane@01d26682810dcd47bfc8eb1efe791558123a9373 # v0.1
      - uses: sigstore/cosign-installer@179e0f15e70e22ca2e7254fc12d68a9fbab35614 # v2.0.1
      - uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1.14.1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ github.token }}
      - run: bash FREEDOM.sh
        env:
          COSIGN_EXPERIMENTAL: "true"
          GHCR_ROOT_NAMESPACE: ${{ github.repository_owner }}

index.docker.io/envoyproxy/envoy:v1.18-latest
index.docker.io/library/debian:stable-slim
index.docker.io/minio/mc:latest
index.docker.io/minio/minio:latest
index.docker.io/ubuntu/mysql:8.0-20.04_beta
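
A variant of the mirroring loop, added here as an example and not part of the gist: it resolves each source tag to a digest once, copies and signs that digest, and refuses list entries that have no registry hostname to convert. The function names (`reject`, `mirror_ref`, `pin_digest`, `mirror_and_sign`) and the script file name are assumptions; `crane digest`, `crane copy` and `cosign sign` are the tools' own subcommands.

```bash
#!/usr/bin/env bash
# Added example, not the gist author's code. Function names are hypothetical.
set -eu

reject() { echo "unsupported reference '$1': need registry.host/path" >&2; exit 1; }

# "host/path[:tag]" -> "ghcr.io/<root>/<host with '.' as '--'>/path[:tag]".
# Entries such as "ubuntu:22.04" have no hostname to convert, and a host with
# a port would put ':' into the repository path, so both are refused.
mirror_ref() (
  root="$1"; img="$2"
  case "${img}" in */*) ;; *) reject "${img}" ;; esac
  host="${img%%/*}"; rest="${img#*/}"
  case "${host}" in *:*) reject "${img}" ;; *.*) ;; *) reject "${img}" ;; esac
  printf 'ghcr.io/%s/%s/%s\n' "${root}" \
    "$(printf '%s' "${host}" | sed 's/\./--/g')" "${rest}"
)

# Swap any tag on a reference for an immutable digest: repo@sha256:...
pin_digest() (
  ref="${1%@*}"; digest="$2"
  case "${ref##*/}" in *:*) ref="${ref%:*}" ;; esac
  printf '%s@%s\n' "${ref}" "${digest}"
)

# Resolve the source tag once, then copy and sign that exact digest, so the
# signature cannot land on content pushed to the tag in the meantime.
mirror_and_sign() (
  root="$1"; src="$2"
  dst="$(mirror_ref "${root}" "${src}")"
  digest="$(crane digest "${src}")"
  crane copy "$(pin_digest "${src}" "${digest}")" "${dst}"
  cosign sign "$(pin_digest "${dst}" "${digest}")"
)

# Runs only when given a list file, e.g. `bash mirror.sh images.txt`
# (file name assumed).
if [ "$#" -ge 1 ]; then
  : "${GHCR_ROOT_NAMESPACE:?Must set GHCR_ROOT_NAMESPACE.}"
  # fd 3 keeps the list off stdin, which crane and cosign inherit.
  while IFS= read -r img <&3 || [ -n "${img}" ]; do
    case "${img}" in ''|'#'*) continue ;; esac
    mirror_and_sign "${GHCR_ROOT_NAMESPACE}" "${img}"
  done 3< "$1"
fi
```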