Browse Source
Merge pull request #34107 from nextcloud/automate-cacert-update
Automate CA certificate bundle updatetags/v25.0.0beta7
Joas Schilling
1 year ago
5 changed files with 45 additions and 24 deletions
+ 2
- 0
.github/CODEOWNERS
View File
| /lib/private/Profiler @CarlSchwan | /lib/private/Profiler @CarlSchwan | ||||
| /lib/public/Profiler @CarlSchwan | /lib/public/Profiler @CarlSchwan | ||||
| # Security team | |||||
| resources/config/ca-bundle.crt @ChristophWurst @eneiluj @miaulalala @nickvergessen |
+ 42
- 0
.github/workflows/update-cacert-bundle.yml
View File
| name: Update CA certificate bundle | |||||
| on: | |||||
| workflow_dispatch: | |||||
| schedule: | |||||
| - cron: "5 4 * * *" | |||||
| jobs: | |||||
| update-ca-certificate-bundle: | |||||
| runs-on: ubuntu-latest | |||||
| strategy: | |||||
| fail-fast: false | |||||
| matrix: | |||||
| branches: ["master", "stable24", "stable23", "stable22"] | |||||
| name: update-ca-certificate-bundle-${{ matrix.branches }} | |||||
| steps: | |||||
| - uses: actions/checkout@v3 | |||||
| with: | |||||
| ref: ${{ matrix.branches }} | |||||
| submodules: true | |||||
| - name: Download CA certificate bundle from curl | |||||
| run: curl --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem | |||||
| - name: Create Pull Request | |||||
| uses: peter-evans/create-pull-request@v3 | |||||
| with: | |||||
| token: ${{ secrets.COMMAND_BOT_PAT }} | |||||
| commit-message: Update CA certificate bundle | |||||
| committer: GitHub <noreply@github.com> | |||||
| author: nextcloud-command <nextcloud-command@users.noreply.github.com> | |||||
| signoff: true | |||||
| branch: automated/noid/${{ matrix.branches }}-update-ca-cert-bundle | |||||
| title: "[${{ matrix.branches }}] Update ca-cert bundle" | |||||
| body: | | |||||
| Auto-generated update of CA certificate bundle from [https://curl.se/docs/caextract.html](https://curl.se/docs/caextract.html) | |||||
| labels: | | |||||
| dependencies | |||||
| 3. to review |
+ 0
- 3
autotest-checkers.sh
View File
| RESULT=$(($RESULT+$?)) | RESULT=$(($RESULT+$?)) | ||||
| php ./build/htaccess-checker.php | php ./build/htaccess-checker.php | ||||
| RESULT=$(($RESULT+$?)) | RESULT=$(($RESULT+$?)) | ||||
| bash ./build/ca-bundle-checker.sh | |||||
| RESULT=$(($RESULT+$?)) | |||||
| php ./build/OCPSinceChecker.php | php ./build/OCPSinceChecker.php | ||||
| RESULT=$(($RESULT+$?)) | RESULT=$(($RESULT+$?)) | ||||
| php ./build/files-checker.php | php ./build/files-checker.php | ||||
| RESULT=$(($RESULT+$?)) | RESULT=$(($RESULT+$?)) | ||||
+ 0
- 21
build/ca-bundle-checker.sh
View File
| #!/usr/bin/env bash | |||||
| if [[ -n ${DRONE_SOURCE_BRANCH} && ! ${DRONE_SOURCE_BRANCH} =~ version(\/noid)?\/([0-9.]+) ]]; then | |||||
| echo "Skip CA bundle check" | |||||
| exit 0 | |||||
| fi | |||||
| echo "Fetching latest ca-bundle.crt ..." | |||||
| curl -o resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem | |||||
| echo | |||||
| outdated=$(git diff --name-only | grep "resources/config/ca-bundle.crt") | |||||
| if [ "${outdated}" = "resources/config/ca-bundle.crt" ]; then | |||||
| echo "CA bundle is not up to date." | |||||
| echo "Please run: bash build/ca-bundle-checker.sh" | |||||
| echo "And commit the result" | |||||
| exit 1 | |||||
| fi | |||||
| echo "CA bundle is up to date." | |||||
| exit 0 |
+ 1
- 0
build/ca-bundle-etag.txt
View File
| "3650d-5e41fd9674803" |
Loading…