Automate CA certificate bundle updatetags/v25.0.0beta7
/lib/private/Profiler @CarlSchwan | /lib/private/Profiler @CarlSchwan | ||||
/lib/public/Profiler @CarlSchwan | /lib/public/Profiler @CarlSchwan | ||||
# Security team | |||||
resources/config/ca-bundle.crt @ChristophWurst @eneiluj @miaulalala @nickvergessen |
name: Update CA certificate bundle | |||||
on: | |||||
workflow_dispatch: | |||||
schedule: | |||||
- cron: "5 4 * * *" | |||||
jobs: | |||||
update-ca-certificate-bundle: | |||||
runs-on: ubuntu-latest | |||||
strategy: | |||||
fail-fast: false | |||||
matrix: | |||||
branches: ["master", "stable24", "stable23", "stable22"] | |||||
name: update-ca-certificate-bundle-${{ matrix.branches }} | |||||
steps: | |||||
- uses: actions/checkout@v3 | |||||
with: | |||||
ref: ${{ matrix.branches }} | |||||
submodules: true | |||||
- name: Download CA certificate bundle from curl | |||||
run: curl --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem | |||||
- name: Create Pull Request | |||||
uses: peter-evans/create-pull-request@v3 | |||||
with: | |||||
token: ${{ secrets.COMMAND_BOT_PAT }} | |||||
commit-message: Update CA certificate bundle | |||||
committer: GitHub <noreply@github.com> | |||||
author: nextcloud-command <nextcloud-command@users.noreply.github.com> | |||||
signoff: true | |||||
branch: automated/noid/${{ matrix.branches }}-update-ca-cert-bundle | |||||
title: "[${{ matrix.branches }}] Update ca-cert bundle" | |||||
body: | | |||||
Auto-generated update of CA certificate bundle from [https://curl.se/docs/caextract.html](https://curl.se/docs/caextract.html) | |||||
labels: | | |||||
dependencies | |||||
3. to review |
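Review bot: The download step's `run:` line writes whatever the server returns straight into `resources/config/ca-bundle.crt` — curl is called without `--fail`, so an HTTP error page would be saved as the CA bundle and turned into a pull request, and nothing checks the file's integrity before it is proposed as the trust store used for TLS verification. I would add `--fail --silent --show-error` and verify the download against the `cacert.pem.sha256` that curl.se publishes next to the bundle, as below; since the checksum comes from the same origin it only catches truncated or corrupt transfers, not a compromised source, so the review by the owners listed in the CODEOWNERS change of this commit remains the real gate. Note that with `--etag-compare` an unchanged bundle (304) leaves the local file in place, so the checksum still matches the current copy. As a point of style, `actions/checkout@v3` and `peter-evans/create-pull-request@v3` are referenced by mutable tag; pinning them to a commit SHA is the usual practice for a workflow that holds a PAT.
```yaml
      - name: Download CA certificate bundle from curl
        run: |
          curl --fail --silent --show-error \
            --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt \
            --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem
          curl --fail --silent --show-error \
            --output /tmp/cacert.pem.sha256 https://curl.se/ca/cacert.pem.sha256
          # The published checksum names the file cacert.pem; check it against our copy.
          echo "$(cut -d' ' -f1 /tmp/cacert.pem.sha256)  resources/config/ca-bundle.crt" | sha256sum --check --strict
      # … unchanged: Create Pull Request step …
```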
RESULT=$(($RESULT+$?)) | RESULT=$(($RESULT+$?)) | ||||
php ./build/htaccess-checker.php | php ./build/htaccess-checker.php | ||||
RESULT=$(($RESULT+$?)) | RESULT=$(($RESULT+$?)) | ||||
bash ./build/ca-bundle-checker.sh | |||||
RESULT=$(($RESULT+$?)) | |||||
php ./build/OCPSinceChecker.php | php ./build/OCPSinceChecker.php | ||||
RESULT=$(($RESULT+$?)) | RESULT=$(($RESULT+$?)) | ||||
php ./build/files-checker.php | php ./build/files-checker.php | ||||
RESULT=$(($RESULT+$?)) | RESULT=$(($RESULT+$?)) | ||||
#!/usr/bin/env bash | |||||
if [[ -n ${DRONE_SOURCE_BRANCH} && ! ${DRONE_SOURCE_BRANCH} =~ version(\/noid)?\/([0-9.]+) ]]; then | |||||
echo "Skip CA bundle check" | |||||
exit 0 | |||||
fi | |||||
echo "Fetching latest ca-bundle.crt ..." | |||||
curl -o resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem | |||||
echo | |||||
outdated=$(git diff --name-only | grep "resources/config/ca-bundle.crt") | |||||
if [ "${outdated}" = "resources/config/ca-bundle.crt" ]; then | |||||
echo "CA bundle is not up to date." | |||||
echo "Please run: bash build/ca-bundle-checker.sh" | |||||
echo "And commit the result" | |||||
exit 1 | |||||
fi | |||||
echo "CA bundle is up to date." | |||||
exit 0 |
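Review bot: A failed download is reported as success: the `curl -o resources/config/ca-bundle.crt ...` line has no `--fail` and its exit status is never checked, so on a network error or HTTP error the tree is unchanged (or holds an error page), `git diff` sees nothing for the non-error case, and the script prints "CA bundle is up to date." with `exit 0`. Change the fetch to `curl --fail --silent --show-error -o resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem || { echo "Failed to fetch ca-bundle.crt"; exit 1; }` so a check that could not run fails the build instead of passing it. The outdated branch already fails closed, so only the fetch path needs the guard.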
"3650d-5e41fd9674803" |