From 9eade34385b6b23a9e9d3e4f5885458ca706af62 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Fri, 16 Sep 2022 09:13:45 +0200 Subject: Automate CA certificate bundle update Signed-off-by: Joas Schilling --- .github/CODEOWNERS | 2 ++ .github/workflows/update-cacert-bundle.yml | 47 ++++++++++++++++++++++++++++++ build/ca-bundle-etag.txt | 1 + 3 files changed, 50 insertions(+) create mode 100644 .github/workflows/update-cacert-bundle.yml create mode 100644 build/ca-bundle-etag.txt diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 587bda28bc1..7b32b340f53 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -15,3 +15,5 @@ /lib/private/Profiler @CarlSchwan /lib/public/Profiler @CarlSchwan +# Security team +resources/config/ca-bundle.crt @ChristophWurst @eneiluj @miaulalala @nickvergessen diff --git a/.github/workflows/update-cacert-bundle.yml b/.github/workflows/update-cacert-bundle.yml new file mode 100644 index 00000000000..19d0018ed7f --- /dev/null +++ b/.github/workflows/update-cacert-bundle.yml @@ -0,0 +1,47 @@ +# This workflow is provided via the organization template repository +# +# https://github.com/nextcloud/.github +# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization + +name: Update CA certificate bundle + +on: + workflow_dispatch: + schedule: + - cron: "5 4 * * *" + +jobs: + update-ca-certificate-bundle: + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + branches: ["master", "stable24", "stable23", "stable22"] + + name: update-ca-certificate-bundle-${{ matrix.branches }} + + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ matrix.branches }} + submodules: true + + - name: Download CA certificate bundle from curl + run: curl --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem + + - name: Create Pull Request + uses: peter-evans/create-pull-request@v3 + with: + token: ${{ secrets.COMMAND_BOT_PAT }} + commit-message: Update CA certificate bundle + committer: GitHub + author: nextcloud-command + signoff: true + branch: automated/noid/${{ matrix.branches }}-update-ca-cert-bundle + title: "[${{ matrix.branches }}] Update ca-cert bundle" + body: | + Auto-generated update of CA certificate bundle from [https://curl.se/docs/caextract.html](https://curl.se/docs/caextract.html) + labels: | + dependencies + 3. to review diff --git a/build/ca-bundle-etag.txt b/build/ca-bundle-etag.txt new file mode 100644 index 00000000000..9ac8d4dcedc --- /dev/null +++ b/build/ca-bundle-etag.txt @@ -0,0 +1 @@ +"3650d-5e41fd9674803" -- cgit v1.2.3