author | Joas Schilling <coding@schilljs.com> | 2022-09-16 09:13:45 +0200 |
---|---|---|
committer | Joas Schilling <coding@schilljs.com> | 2022-09-16 09:13:45 +0200 |
commit | 9eade34385b6b23a9e9d3e4f5885458ca706af62 (patch) | |
tree | 6700189691c1ec4edafe0fa753ad21cbd1edd95a | |
parent | 6bd6f92850a971bc61e5109f192dcfa9ba806255 (diff) | |
Automate CA certificate bundle update
Signed-off-by: Joas Schilling <coding@schilljs.com>
-rw-r--r-- | .github/CODEOWNERS | 2 | ||||
-rw-r--r-- | .github/workflows/update-cacert-bundle.yml | 47 | ||||
-rw-r--r-- | build/ca-bundle-etag.txt | 1 |
3 files changed, 50 insertions, 0 deletions
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 587bda28bc1..7b32b340f53 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -15,3 +15,5 @@
 /lib/private/Profiler @CarlSchwan
 /lib/public/Profiler @CarlSchwan
+# Security team
+resources/config/ca-bundle.crt @ChristophWurst @eneiluj @miaulalala @nickvergessen
diff --git a/.github/workflows/update-cacert-bundle.yml b/.github/workflows/update-cacert-bundle.yml
new file mode 100644
index 00000000000..19d0018ed7f
--- /dev/null
+++ b/.github/workflows/update-cacert-bundle.yml
@@ -0,0 +1,47 @@
+# This workflow is provided via the organization template repository
+#
+# https://github.com/nextcloud/.github
+# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
+
+name: Update CA certificate bundle
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "5 4 * * *"
+
+jobs:
+ update-ca-certificate-bundle:
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ branches: ["master", "stable24", "stable23", "stable22"]
+
+ name: update-ca-certificate-bundle-${{ matrix.branches }}
+
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ matrix.branches }}
+ submodules: true
+
+ - name: Download CA certificate bundle from curl
+ run: curl --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem
+
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@v3
+ with:
+ token: ${{ secrets.COMMAND_BOT_PAT }}
+ commit-message: Update CA certificate bundle
+ committer: GitHub <noreply@github.com>
+ author: nextcloud-command <nextcloud-command@users.noreply.github.com>
+ signoff: true
+ branch: automated/noid/${{ matrix.branches }}-update-ca-cert-bundle
+ title: "[${{ matrix.branches }}] Update ca-cert bundle"
+ body: |
+ Auto-generated update of CA certificate bundle from [https://curl.se/docs/caextract.html](https://curl.se/docs/caextract.html)
+ labels: |
+ dependencies
+ 3. to review
diff --git a/build/ca-bundle-etag.txt b/build/ca-bundle-etag.txt
new file mode 100644
index 00000000000..9ac8d4dcedc
--- /dev/null
+++ b/build/ca-bundle-etag.txt
@@ -0,0 +1 @@
+"3650d-5e41fd9674803" |
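Review bot: The "Download CA certificate bundle from curl" step writes whatever the server returns straight into `resources/config/ca-bundle.crt`. Without `--fail`, an HTTP error body would be saved as the trust bundle and proposed as a pull request on every branch in the matrix. I would start the command with `curl --fail --silent --show-error --proto '=https'` and add a step before "Create Pull Request" that checks the file against the published `https://curl.se/ca/cacert.pem.sha256`. Because that digest comes from the same origin, it catches truncation or corruption rather than a compromised source, so the CODEOWNERS review is still the real gate. Separately, `peter-evans/create-pull-request@v3` is handed `secrets.COMMAND_BOT_PAT` while referenced by a movable tag; pinning it as `uses: peter-evans/create-pull-request@<full-commit-sha> # v3` (likewise `actions/checkout`) and adding a top-level `permissions:` block with `contents: read` would limit what a retagged action could do.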