Downloading usns once instead of multiple times (#1306)

* fix: Adding action for downloading usns in a specific path

* feat: downloading usns once

Author: pacostas

actions/stack/download-latest-usns/action.yml

@@ -0,0 +1,31 @@
+name: 'Download Latest USNs'
+
+description: |
+  Fetches the USNs form ubuntu.com/security/notices.json and stores them locally in a json format.
+
+inputs:
+  distro:
+    description: 'Ubuntu distro codename to fetch (e.g. jammy, noble)'
+    required: true
+  limit:
+    description: 'The page size of ubuntu API. Maximum items per page: 20'
+    required: false
+  offset:
+    description: 'Number of notices to skip (optional). When omitted, the API starts from the first notice.'
+    required: false
+  usns-output-path:
+    description: 'Exact path to output the USNs JSON file.'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+  - id: fetch
+    name: Fetch USNs
+    shell: bash
+    run: |
+      "${{ github.action_path }}/fetch_usns.sh" \
+        --distro "${{ inputs.distro }}" \
+        --usns-output-path "${{ inputs.usns-output-path }}" \
+        --limit "${{ inputs.limit }}" \
+        --offset "${{ inputs.offset }}"

actions/stack/download-latest-usns/fetch_usns.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+
+set -eu
+set -o pipefail
+
+function main() {
+  local distro=""
+  local limit=""
+  local offset=""
+  local usns_output_path=""
+  while [[ "${#}" != 0 ]]; do
+    case "${1}" in
+      --help|-h)
+        shift 1
+        usage
+        exit 0
+        ;;
+
+      --distro|-d)
+        distro="${2}"
+        shift 2
+        ;;
+
+      --limit|-l)
+        limit="${2}"
+        shift 2
+        ;;
+
+      --offset|-o)
+        offset="${2}"
+        shift 2
+        ;;
+
+      --usns-output-path|-u)
+        usns_output_path="${2}"
+        shift 2
+        ;;
+
+      "")
+        shift 1
+        ;;
+
+      *)
+        echo "unknown argument \"${1}\"" >&2
+        usage
+        exit 1
+        ;;
+    esac
+  done
+
+  if [[ -z "${distro:-}" ]]; then
+    echo "error: --distro is required" >&2
+    usage
+    exit 1
+  fi
+
+  if [[ -z "${usns_output_path:-}" ]]; then
+    echo "error: --usns-output-path is required" >&2
+    usage
+    exit 1
+  fi
+
+  local url="https://ubuntu.com/security/notices.json?release=${distro}"
+
+  if [[ -n "${limit:-}" ]]; then
+    url="${url}&limit=${limit}"
+  fi
+
+  if [[ -n "${offset:-}" ]]; then
+    url="${url}&offset=${offset}"
+  fi
+
+  mkdir -p "$(dirname "${usns_output_path}")"
+  curl -sSfL "${url}" > "${usns_output_path}" || { echo "error: failed to fetch notices for distro ${distro}" >&2; exit 1; }
+}
+
+function usage() {
+  cat <<-ENDUSAGE
+fetch_usns.sh [OPTIONS]
+
+Fetches Ubuntu Security Notices (USNs) JSON for the given distro from ubuntu.com and saves it to the given path.
+
+USAGE
+  ./scripts/fetch_usns.sh --distro jammy --limit 20 --offset 0 --usns-output-path ./jammy-usns.json
+
+OPTIONS
+  --distro <name>     -d <name>  Ubuntu distro to fetch (e.g. bionic, focal, jammy, noble). Required.
+  --limit   <n>       -l <n>     Maximum number of notices to fetch (optional). When omitted, the API returns 20 items.
+  --offset  <n>       -o <n>     Number of notices to skip (optional). When omitted, the API starts from the first notice.
+  --usns-output-path <path>    -u <path>  Path to output USNs JSON file. Required.
+  --help              -h         prints the command usage
+ENDUSAGE
+}
+
+main "${@:-}"

stack/.github/workflows/create-release.yml

@@ -24,6 +24,7 @@ concurrency: release
 env:
   STACKS_FILEPATH: "images.json"
   PATCHED_USNS_FILENAME: "patched-usns.json"
+  USNS_NOTICES_ARTIFACT: "usns-notices"
 jobs:
   preparation:
     name: Preparation
@@ -205,13 +206,31 @@ jobs:
           echo "platforms=$platforms"
           echo "platforms=${platforms}" >> "$GITHUB_OUTPUT"
 
+  download_usns:
+    name: Download USNs
+    runs-on: ubuntu-24.04
+    needs: [preparation]
+    if: ${{ needs.preparation.outputs.polling_type == 'usn' }}
+    steps:
+      - name: Download latest USNs
+        uses: paketo-buildpacks/github-config/actions/stack/download-latest-usns@main
+        with:
+          distro: ${{ needs.preparation.outputs.os_codename }}
+          usns-output-path: "${{ github.workspace }}/${{ env.USNS_NOTICES_ARTIFACT }}.json"
+
+      - name: Upload USNs notices
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.USNS_NOTICES_ARTIFACT }}
+          path: "${{ github.workspace }}/${{ env.USNS_NOTICES_ARTIFACT }}.json"
+
   # The following job is specific to Ubuntu images. It checks for new
   # USNs (Ubuntu Security Notices) and triggers the flow to create
   # a new release with the latest images that have the USNs patched.
   poll_usns:
     name: Poll USNs
     runs-on: ubuntu-24.04
-    needs: [preparation]
+    needs: [preparation, download_usns]
     if: ${{ needs.preparation.outputs.polling_type == 'usn' }}
     strategy:
       matrix:
@@ -220,6 +239,11 @@ jobs:
     outputs:
       usns: ${{ steps.new_usns.outputs.usns }}
     steps:
+    - name: Download USNs notices
+      uses: actions/download-artifact@v4
+      with:
+        name: ${{ env.USNS_NOTICES_ARTIFACT }}
+
     - name: Check for Previous Releases
       id: check_previous
       run: |
@@ -385,6 +409,7 @@ jobs:
       uses: paketo-buildpacks/github-config/actions/stack/get-usns@main
       with:
         distribution: ${{ needs.preparation.outputs.os_codename }}
+        api_url: "file:///github/workspace/${{ env.USNS_NOTICES_ARTIFACT }}.json"
         packages_filepath: "./${{ matrix.arch.name }}-package-list-${{ matrix.stacks.name }}"
         last_usns_filepath: "./${{ matrix.arch.name }}-${{ matrix.stacks.name }}-${{ env.PATCHED_USNS_FILENAME }}-previous"
         usns_output_path: "./${{ matrix.arch.name }}-${{ matrix.stacks.name }}-${{ env.PATCHED_USNS_FILENAME }}"