authorJoas Schilling <coding@schilljs.com>2022-09-16 09:13:45 +0200
committerJoas Schilling <coding@schilljs.com>2022-09-16 09:13:45 +0200
commit9eade34385b6b23a9e9d3e4f5885458ca706af62 (patch)
tree6700189691c1ec4edafe0fa753ad21cbd1edd95a
parent6bd6f92850a971bc61e5109f192dcfa9ba806255 (diff)
downloadnextcloud-server-9eade34385b6b23a9e9d3e4f5885458ca706af62.tar.gz
nextcloud-server-9eade34385b6b23a9e9d3e4f5885458ca706af62.zip
Automate CA certificate bundle update
Signed-off-by: Joas Schilling <coding@schilljs.com>
-rw-r--r--.github/CODEOWNERS2
-rw-r--r--.github/workflows/update-cacert-bundle.yml47
-rw-r--r--build/ca-bundle-etag.txt1
3 files changed, 50 insertions, 0 deletions
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 587bda28bc1..7b32b340f53 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -15,3 +15,5 @@
/lib/private/Profiler @CarlSchwan
/lib/public/Profiler @CarlSchwan
+# Security team
+resources/config/ca-bundle.crt @ChristophWurst @eneiluj @miaulalala @nickvergessen
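Review bot: The new ownership line covers only `resources/config/ca-bundle.crt`, while the workflow that fetches and proposes that file (`.github/workflows/update-cacert-bundle.yml`) and the `build/ca-bundle-etag.txt` it rewrites are left unassigned, so a later change to the download URL or the PR step would not require the security team's review. Adding `/.github/workflows/update-cacert-bundle.yml @ChristophWurst @eneiluj @miaulalala @nickvergessen` under the same comment closes that gap. The entry also lacks the leading `/` that the neighbouring lines use; CODEOWNERS patterns follow gitignore rules, so `/resources/config/ca-bundle.crt` anchors the match to the repository root rather than to any path ending in that suffix.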
diff --git a/.github/workflows/update-cacert-bundle.yml b/.github/workflows/update-cacert-bundle.yml
new file mode 100644
index 00000000000..19d0018ed7f
--- /dev/null
+++ b/.github/workflows/update-cacert-bundle.yml
@@ -0,0 +1,47 @@
+# This workflow is provided via the organization template repository
+#
+# https://github.com/nextcloud/.github
+# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
+
+name: Update CA certificate bundle
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "5 4 * * *"
+
+jobs:
+ update-ca-certificate-bundle:
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ branches: ["master", "stable24", "stable23", "stable22"]
+
+ name: update-ca-certificate-bundle-${{ matrix.branches }}
+
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ matrix.branches }}
+ submodules: true
+
+ - name: Download CA certificate bundle from curl
+ run: curl --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem
+
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@v3
+ with:
+ token: ${{ secrets.COMMAND_BOT_PAT }}
+ commit-message: Update CA certificate bundle
+ committer: GitHub <noreply@github.com>
+ author: nextcloud-command <nextcloud-command@users.noreply.github.com>
+ signoff: true
+ branch: automated/noid/${{ matrix.branches }}-update-ca-cert-bundle
+ title: "[${{ matrix.branches }}] Update ca-cert bundle"
+ body: |
+ Auto-generated update of CA certificate bundle from [https://curl.se/docs/caextract.html](https://curl.se/docs/caextract.html)
+ labels: |
+ dependencies
+ 3. to review
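Review bot: The download step (`curl ... --output resources/config/ca-bundle.crt`) writes whatever the server returns straight into the trust store with no integrity check and without `--fail`, so an HTTP error page or a truncated body ends up in `resources/config/ca-bundle.crt` with exit status 0 and the next step opens a PR containing it. curl.se publishes a SHA-256 digest next to the bundle (`cacert.pem.sha256`); fetching it and running `sha256sum -c` against the checked-out bundle before the PR step makes the job fail on corruption or truncation instead of proposing a broken bundle, and also covers the case, reported for some curl versions, of an empty output file being left behind on a 304 — worth confirming for the runner's curl. The digest comes from the same origin, so it does not defend against a compromised curl.se; the human review required by the CODEOWNERS entry remains the real gate. Pinning `actions/checkout` and `peter-evans/create-pull-request` to commit SHAs instead of the floating `@v3` tags and adding a top-level `permissions: contents: read` would further limit what a job that holds `COMMAND_BOT_PAT` can be made to do.
```yaml
      - name: Download CA certificate bundle from curl
        run: |
          # --fail: never write an HTTP error page into the trust store
          curl --fail --silent --show-error \
            --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt \
            --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem
          # Verify the (possibly unchanged) bundle against the published digest;
          # keep the digest file outside the checkout so it is not picked up by the PR step.
          curl --fail --silent --show-error \
            --output "$RUNNER_TEMP/cacert.pem.sha256" https://curl.se/ca/cacert.pem.sha256
          echo "$(cut -d' ' -f1 "$RUNNER_TEMP/cacert.pem.sha256")  resources/config/ca-bundle.crt" | sha256sum -c -
      # … unchanged: Create Pull Request step …
```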
diff --git a/build/ca-bundle-etag.txt b/build/ca-bundle-etag.txt
new file mode 100644
index 00000000000..9ac8d4dcedc
--- /dev/null
+++ b/build/ca-bundle-etag.txt
@@ -0,0 +1 @@
+"3650d-5e41fd9674803"