authorJoas Schilling <coding@schilljs.com>2024-01-19 16:17:52 +0100
committerJoas Schilling <coding@schilljs.com>2024-01-22 08:57:40 +0100
commit3f8e8d2cccdb668c86df680867d522b88da2edef (patch)
treeb7d200135db04a4a128bda1824800614caa660ef /.github
parentf0824db9c708a202acd4f9c9b5d07cdb4ac5b6bb (diff)
feat(CI): Automatically update the root.crl from the appstore
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to '.github')
-rw-r--r--.github/CODEOWNERS1
-rw-r--r--.github/workflows/update-code-signing-crl.yml45
2 files changed, 46 insertions, 0 deletions
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 041c962bddb..c19787d1eea 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -29,6 +29,7 @@
/apps/workflowengine/appinfo/info.xml @blizzz @juliushaertl
# Security team
+/resources/codesigning @mgallien @miaulalala @nickvergessen
/resources/config/ca-bundle.crt @ChristophWurst @miaulalala @nickvergessen
/.drone.yml @nickvergessen
diff --git a/.github/workflows/update-code-signing-crl.yml b/.github/workflows/update-code-signing-crl.yml
new file mode 100644
index 00000000000..91bf78a6190
--- /dev/null
+++ b/.github/workflows/update-code-signing-crl.yml
@@ -0,0 +1,45 @@
+name: Update code signing revocation list
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "5 2 * * *"
+
+jobs:
+ update-code-signing-crl:
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ branches: ["master", "stable28", "stable27", "stable26", "stable25", "stable24", "stable23", "stable22"]
+
+ name: update-code-signing-crl-${{ matrix.branches }}
+
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ with:
+ ref: ${{ matrix.branches }}
+ submodules: true
+
+ - name: Download CRL file from Appstore repository
+ run: curl --output resources/codesigning/root.crl https://raw.githubusercontent.com/nextcloud/appstore/master/nextcloudappstore/certificate/nextcloud.crl
+
+ - name: Verify CRL is from CRT
+ run: openssl crl -verify -in resources/codesigning/root.crl -CAfile resources/codesigning/root.crt -noout
+
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38
+ with:
+ token: ${{ secrets.COMMAND_BOT_PAT }}
+ commit-message: "fix(security): Update code signing revocation list"
+ committer: GitHub <noreply@github.com>
+ author: nextcloud-command <nextcloud-command@users.noreply.github.com>
+ signoff: true
+ branch: automated/noid/${{ matrix.branches }}-update-code-signing-crl
+ title: "[${{ matrix.branches }}] fix(security): Update code signing revocation list"
+ body: |
+ Auto-generated update of code signing revocation list from [Appstore](https://github.com/nextcloud/appstore/commits/master/nextcloudappstore/certificate/nextcloud.crl)
+ labels: |
+ dependencies
+ 3. to review
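Review bot: The download step's `curl --output …` line does not pass `--fail`, so an HTTP error page from raw.githubusercontent.com would be written into resources/codesigning/root.crl and only surface later as a signature failure in the openssl step; `run: curl --fail --silent --show-error --location --output resources/codesigning/root.crl https://raw.githubusercontent.com/nextcloud/appstore/master/nextcloudappstore/certificate/nextcloud.crl` fails fast with a clear error instead. The `openssl crl -verify` step checks the signature against root.crt but not freshness, so a validly signed but older CRL published on the upstream branch would still be proposed as an update; comparing the fetched file's `-lastupdate` against the existing root.crl before the pull-request step would catch such a rollback. The workflow also declares no `permissions:` block, so the default GITHUB_TOKEN scope applies even though the only write path here is the PAT used by the pull-request step; a top-level `permissions:` followed by `  contents: read` would make the least-privilege intent explicit.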