-rw-r--r--.github/CODEOWNERS2
-rw-r--r--.github/workflows/update-cacert-bundle.yml42
-rwxr-xr-xautotest-checkers.sh3
-rwxr-xr-xbuild/ca-bundle-checker.sh21
-rw-r--r--build/ca-bundle-etag.txt1
5 files changed, 45 insertions, 24 deletions
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 587bda28bc1..7b32b340f53 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -15,3 +15,5 @@
/lib/private/Profiler @CarlSchwan
/lib/public/Profiler @CarlSchwan
+# Security team
+resources/config/ca-bundle.crt @ChristophWurst @eneiluj @miaulalala @nickvergessen
diff --git a/.github/workflows/update-cacert-bundle.yml b/.github/workflows/update-cacert-bundle.yml
new file mode 100644
index 00000000000..f38e594f9b8
--- /dev/null
+++ b/.github/workflows/update-cacert-bundle.yml
@@ -0,0 +1,42 @@
+name: Update CA certificate bundle
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "5 4 * * *"
+
+jobs:
+ update-ca-certificate-bundle:
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ branches: ["master", "stable24", "stable23", "stable22"]
+
+ name: update-ca-certificate-bundle-${{ matrix.branches }}
+
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ matrix.branches }}
+ submodules: true
+
+ - name: Download CA certificate bundle from curl
+ run: curl --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem
+
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@v3
+ with:
+ token: ${{ secrets.COMMAND_BOT_PAT }}
+ commit-message: Update CA certificate bundle
+ committer: GitHub <noreply@github.com>
+ author: nextcloud-command <nextcloud-command@users.noreply.github.com>
+ signoff: true
+ branch: automated/noid/${{ matrix.branches }}-update-ca-cert-bundle
+ title: "[${{ matrix.branches }}] Update ca-cert bundle"
+ body: |
+ Auto-generated update of CA certificate bundle from [https://curl.se/docs/caextract.html](https://curl.se/docs/caextract.html)
+ labels: |
+ dependencies
+ 3. to review
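Review bot: The download step on the `run:` line of update-ca-certificate-bundle calls curl without `--fail`, so an HTTP error response from curl.se (a 5xx or an HTML error page) exits 0, is written over resources/config/ca-bundle.crt, and the Create Pull Request step then opens a PR proposing it as the new trust store; `run: curl --fail --silent --show-error --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem` makes the job fail instead. The bundle is also accepted with no integrity check beyond the TLS connection; curl publishes cacert.pem.sha256 alongside cacert.pem, and comparing the download against it before the PR step would catch a truncated or substituted file. Whether a 304 Not Modified leaves the existing output untouched or truncates it is not visible here, which is worth confirming because an empty bundle would likewise be turned into a PR. Both actions are referenced by major-version tag (`actions/checkout@v3`, `peter-evans/create-pull-request@v3`) rather than a commit SHA, which is the usual pinning for a job that holds a PAT able to push branches and open PRs on every stable branch.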
diff --git a/autotest-checkers.sh b/autotest-checkers.sh
index a539b598ded..6abce428bc5 100755
--- a/autotest-checkers.sh
+++ b/autotest-checkers.sh
@@ -10,11 +10,8 @@ php ./build/triple-dot-checker.php
RESULT=$(($RESULT+$?))
php ./build/htaccess-checker.php
RESULT=$(($RESULT+$?))
-bash ./build/ca-bundle-checker.sh
-RESULT=$(($RESULT+$?))
php ./build/OCPSinceChecker.php
RESULT=$(($RESULT+$?))
-
php ./build/files-checker.php
RESULT=$(($RESULT+$?))
diff --git a/build/ca-bundle-checker.sh b/build/ca-bundle-checker.sh
deleted file mode 100755
index 50d7b7916fa..00000000000
--- a/build/ca-bundle-checker.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env bash
-
-if [[ -n ${DRONE_SOURCE_BRANCH} && ! ${DRONE_SOURCE_BRANCH} =~ version(\/noid)?\/([0-9.]+) ]]; then
- echo "Skip CA bundle check"
- exit 0
-fi
-
-echo "Fetching latest ca-bundle.crt ..."
-curl -o resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem
-
-echo
-outdated=$(git diff --name-only | grep "resources/config/ca-bundle.crt")
-if [ "${outdated}" = "resources/config/ca-bundle.crt" ]; then
- echo "CA bundle is not up to date."
- echo "Please run: bash build/ca-bundle-checker.sh"
- echo "And commit the result"
- exit 1
-fi
-
-echo "CA bundle is up to date."
-exit 0
diff --git a/build/ca-bundle-etag.txt b/build/ca-bundle-etag.txt
new file mode 100644
index 00000000000..9ac8d4dcedc
--- /dev/null
+++ b/build/ca-bundle-etag.txt
@@ -0,0 +1 @@
+"3650d-5e41fd9674803"