nextcloud/.github/workflows/update-cacert-bundle.yml

# SPDX-FileCopyrightText: 2022 Nextcloud GmbH and Nextcloud contributors
# SPDX-License-Identifier: MIT
name: Update CA certificate bundle

on:
  workflow_dispatch:
  schedule:
    - cron: "5 2 * * *"

jobs:
  update-ca-certificate-bundle:
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        branches: ['master', 'stable29',  'stable28',  'stable27', 'stable26', 'stable25', 'stable24', 'stable23', 'stable22']

    name: update-ca-certificate-bundle-${{ matrix.branches }}

    steps:
      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
        with:
          ref: ${{ matrix.branches }}
          submodules: true

      - name: Download CA certificate bundle from curl
        run: curl --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem

      - name: Create Pull Request
        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e
        with:
          token: ${{ secrets.COMMAND_BOT_PAT }}
          commit-message: 'fix(security): Update CA certificate bundle'
          committer: GitHub <noreply@github.com>
          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
          signoff: true
          branch: 'automated/noid/${{ matrix.branches }}-update-ca-cert-bundle'
          title: '[${{ matrix.branches }}] fix(security): Update CA certificate bundle'
          body: |
            Auto-generated update of CA certificate bundle from [https://curl.se/docs/caextract.html](https://curl.se/docs/caextract.html)
          labels: |
            dependencies
            3. to review
          reviewers: ChristophWurst, miaulalala, nickvergessen