author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2024-01-22 12:41:47 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-01-22 12:41:47 +0100 |
commit | 1891ae121d80758ffaf537dd4d4fffbaed3eef00 (patch) | |
tree | 133db1d0bd645fc60041e67ec7427230d5bb0090 | |
parent | aeb5047c469dc3d043880d9070cd0b516cfddbe1 (diff) | |
parent | 3f8e8d2cccdb668c86df680867d522b88da2edef (diff) | |
Merge pull request #42965 from nextcloud/feat/noid/autoupdate-root-crl
feat(CI): Automatically update the root.crl from the appstore
-rw-r--r-- | .github/CODEOWNERS | 1 | ||||
-rw-r--r-- | .github/workflows/update-code-signing-crl.yml | 45 |
2 files changed, 46 insertions, 0 deletions
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 041c962bddb..c19787d1eea 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -29,6 +29,7 @@
 /apps/workflowengine/appinfo/info.xml @blizzz @juliushaertl
 # Security team
+/resources/codesigning @mgallien @miaulalala @nickvergessen
 /resources/config/ca-bundle.crt @ChristophWurst @miaulalala @nickvergessen
 /.drone.yml @nickvergessen
diff --git a/.github/workflows/update-code-signing-crl.yml b/.github/workflows/update-code-signing-crl.yml
new file mode 100644
index 00000000000..91bf78a6190
--- /dev/null
+++ b/.github/workflows/update-code-signing-crl.yml
@@ -0,0 +1,45 @@
+name: Update code signing revocation list
+
+on:
+workflow_dispatch:
+schedule:
+- cron: "5 2 * * *"
+
+jobs:
+update-code-signing-crl:
+runs-on: ubuntu-latest
+
+strategy:
+fail-fast: false
+matrix:
+branches: ["master", "stable28", "stable27", "stable26", "stable25", "stable24", "stable23", "stable22"]
+
+name: update-code-signing-crl-${{ matrix.branches }}
+
+steps:
+- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+with:
+ref: ${{ matrix.branches }}
+submodules: true
+
+- name: Download CRL file from Appstore repository
+run: curl --output resources/codesigning/root.crl https://raw.githubusercontent.com/nextcloud/appstore/master/nextcloudappstore/certificate/nextcloud.crl
+
+- name: Verify CRL is from CRT
+run: openssl crl -verify -in resources/codesigning/root.crl -CAfile resources/codesigning/root.crt -noout
+
+- name: Create Pull Request
+uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38
+with:
+token: ${{ secrets.COMMAND_BOT_PAT }}
+commit-message: "fix(security): Update code signing revocation list"
+committer: GitHub <noreply@github.com>
+author: nextcloud-command <nextcloud-command@users.noreply.github.com>
+signoff: true
+branch: automated/noid/${{ matrix.branches }}-update-code-signing-crl
+title: "[${{ matrix.branches }}] fix(security): Update code signing revocation list"
+body: |
+Auto-generated update of code signing revocation list from [Appstore](https://github.com/nextcloud/appstore/commits/master/nextcloudappstore/certificate/nextcloud.crl)
+labels: |
+dependencies
+3. to review |
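Review bot: The `Verify CRL is from CRT` step proves only that the downloaded file is signed by `root.crt`, not that it is newer than the CRL already committed on the branch, so a stale or rolled-back copy on the appstore `master` branch would yield a PR that silently downgrades the revocation list — and because the PR diff is an opaque PEM blob, the human reviewer cannot tell. I would snapshot the committed `root.crl` before `curl` overwrites it and fail the job when the new `lastUpdate` is older than the old one. Two smaller hardenings in the same two steps: give curl `--fail --silent --show-error` so an HTTP error page is never written over `root.crl`, and check for the literal `verify OK` line rather than relying on the exit status of `openssl crl -verify`, which on some OpenSSL builds has printed `verify failure` and still exited 0 (confirm for the ubuntu-latest build). Whether every matrix branch back to stable22 already ships `resources/codesigning/root.crl` is not visible here; the snapshot below assumes it does.

```yaml
      - name: Download CRL file from Appstore repository
        run: |
          cp resources/codesigning/root.crl /tmp/root.crl.old
          curl --fail --silent --show-error --output resources/codesigning/root.crl https://raw.githubusercontent.com/nextcloud/appstore/master/nextcloudappstore/certificate/nextcloud.crl

      - name: Verify CRL is from CRT
        run: |
          # rely on the printed verdict, not the exit status of `openssl crl -verify`
          openssl crl -verify -in resources/codesigning/root.crl -CAfile resources/codesigning/root.crt -noout 2>&1 | grep -qx 'verify OK'
          # the signature proves authenticity, not freshness: refuse to go backwards
          old=$(openssl crl -in /tmp/root.crl.old -noout -lastupdate | cut -d= -f2-)
          new=$(openssl crl -in resources/codesigning/root.crl -noout -lastupdate | cut -d= -f2-)
          [ "$(date -d "$new" +%s)" -ge "$(date -d "$old" +%s)" ]

      # … unchanged: Create Pull Request step …
```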