Automate CA certificate bundle updatetags/v25.0.0beta7
@@ -15,3 +15,5 @@ | |||
/lib/private/Profiler @CarlSchwan | |||
/lib/public/Profiler @CarlSchwan | |||
# Security team | |||
resources/config/ca-bundle.crt @ChristophWurst @eneiluj @miaulalala @nickvergessen |
@@ -0,0 +1,42 @@ | |||
name: Update CA certificate bundle | |||
on: | |||
workflow_dispatch: | |||
schedule: | |||
- cron: "5 4 * * *" | |||
jobs: | |||
update-ca-certificate-bundle: | |||
runs-on: ubuntu-latest | |||
strategy: | |||
fail-fast: false | |||
matrix: | |||
branches: ["master", "stable24", "stable23", "stable22"] | |||
name: update-ca-certificate-bundle-${{ matrix.branches }} | |||
steps: | |||
- uses: actions/checkout@v3 | |||
with: | |||
ref: ${{ matrix.branches }} | |||
submodules: true | |||
- name: Download CA certificate bundle from curl | |||
run: curl --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem | |||
- name: Create Pull Request | |||
uses: peter-evans/create-pull-request@v3 | |||
with: | |||
token: ${{ secrets.COMMAND_BOT_PAT }} | |||
commit-message: Update CA certificate bundle | |||
committer: GitHub <noreply@github.com> | |||
author: nextcloud-command <nextcloud-command@users.noreply.github.com> | |||
signoff: true | |||
branch: automated/noid/${{ matrix.branches }}-update-ca-cert-bundle | |||
title: "[${{ matrix.branches }}] Update ca-cert bundle" | |||
body: | | |||
Auto-generated update of CA certificate bundle from [https://curl.se/docs/caextract.html](https://curl.se/docs/caextract.html) | |||
labels: | | |||
dependencies | |||
3. to review |
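Review bot: The curl call in the `Download CA certificate bundle from curl` step runs without `--fail` and with no integrity check, so an HTTP error body or a truncated transfer would be written over resources/config/ca-bundle.crt and the next step would open a pull request carrying it; because that file is the trust root for the server's outbound TLS, the download should fail the job on a non-2xx response and be checked against the `cacert.pem.sha256` that curl.se publishes beside the bundle before the PR step runs. When `--etag-compare` yields a 304 the output file is left untouched and the checksum then validates the committed bundle, which is the state the job wants anyway. Both action references (`actions/checkout@v3`, `peter-evans/create-pull-request@v3`) are mutable major tags; pinning them to a full commit SHA keeps the job that holds `COMMAND_BOT_PAT` from silently picking up an unreviewed action update. It also looks like build/ca-bundle-etag.txt is added on one branch only, so `--etag-compare` on the stable branches may point at a missing file — worth confirming how the runner's curl treats that, or adding the file on each branch first.
```yaml
      - name: Download CA certificate bundle from curl
        run: |
          curl --fail --silent --show-error \
            --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt \
            --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem
          curl --fail --silent --show-error --output /tmp/cacert.pem.sha256 https://curl.se/ca/cacert.pem.sha256
          echo "$(cut -d ' ' -f 1 /tmp/cacert.pem.sha256)  resources/config/ca-bundle.crt" | sha256sum --check
      # … unchanged: Create Pull Request step …
```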
@@ -10,11 +10,8 @@ php ./build/triple-dot-checker.php | |||
RESULT=$(($RESULT+$?)) | |||
php ./build/htaccess-checker.php | |||
RESULT=$(($RESULT+$?)) | |||
bash ./build/ca-bundle-checker.sh | |||
RESULT=$(($RESULT+$?)) | |||
php ./build/OCPSinceChecker.php | |||
RESULT=$(($RESULT+$?)) | |||
php ./build/files-checker.php | |||
RESULT=$(($RESULT+$?)) | |||
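--- a/build/ca-bundle-checker.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env bash
-if [[ -n ${DRONE_SOURCE_BRANCH} && ! ${DRONE_SOURCE_BRANCH} =~ version(\/noid)?\/([0-9.]+) ]]; then
-echo "Skip CA bundle check"
-exit 0
-fi
-echo "Fetching latest ca-bundle.crt ..."
-curl -o resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem
-echo
-outdated=$(git diff --name-only | grep "resources/config/ca-bundle.crt")
-if [ "${outdated}" = "resources/config/ca-bundle.crt" ]; then
-echo "CA bundle is not up to date."
-echo "Please run: bash build/ca-bundle-checker.sh"
-echo "And commit the result"
-exit 1
-fi
-echo "CA bundle is up to date."
-exit 0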
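--- /dev/null
+++ b/build/ca-bundle-etag.txt
@@ -0,0 +1 @@
+"3650d-5e41fd9674803"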