Update CA Bundles #728
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Update CA Bundles" | |
| on: | |
| push: | |
| branches: ["main"] | |
| pull_request: | |
| branches: ["main"] | |
| schedule: | |
| - cron: "18 18 * * *" | |
| workflow_dispatch: | |
| permissions: | |
| packages: read | |
| contents: write | |
| jobs: | |
| update: | |
| name: "Update" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Generate Tag Name | |
| id: tag_name | |
| run: | | |
| echo "TAG_NAME=$(date +'bundle_%Y%m%d')" >> $GITHUB_ENV | |
| - name: Checkout Source | |
| id: checkout | |
| uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #pin v4.2.0 | |
| - name: Update CA Bundles | |
| id: update_bundles | |
| uses: docker://ghcr.io/tls-inspector/rootca:latest | |
| env: | |
| ROOTCA_SIGNING_PRIVATE_KEY: ${{ secrets.ROOTCA_SIGNING_PRIVATE_KEY }} | |
| ROOTCA_SIGNING_PUBLIC_KEY: ${{ vars.ROOTCA_SIGNING_PUBLIC_KEY }} | |
| GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Commit Changes | |
| id: commit | |
| run: | | |
| HAS_CHANGES=$(if [[ $(git status --porcelain) == '' ]]; then echo 'false'; else echo 'true'; fi) | |
| if [[ $HAS_CHANGES == 'false' ]]; then | |
| echo "::notice ::No changes detected" | |
| echo "needs_release=false" >> $GITHUB_OUTPUT | |
| exit 0 | |
| fi | |
| echo "::notice ::Bundle changes detected" | |
| git status | |
| git config user.email "[email protected]" | |
| git config user.name "Ian Spence" | |
| git commit -a -m "[Actions] Update CA Bundles" | |
| git tag -a "${{ env.TAG_NAME}}" -m "${{ env.TAG_NAME}}" | |
| git push | |
| git push --tags | |
| echo "needs_release=true" >> $GITHUB_OUTPUT | |
| - name: Make Release If Needed | |
| id: release | |
| if: steps.commit.outputs.needs_release == 'true' | |
| run: | | |
| gh release create -n "Automatic CA bundle update" -t "${{ env.TAG_NAME}} - CA Bundles" ${{ env.TAG_NAME}} bundles/bundle_metadata.json bundles/bundle_metadata.json.sig bundles/apple_ca_bundle.p7b bundles/apple_ca_bundle.p7b.sig bundles/apple_ca_bundle.pem bundles/apple_ca_bundle.pem.sig bundles/google_ca_bundle.p7b bundles/google_ca_bundle.p7b.sig bundles/google_ca_bundle.pem bundles/google_ca_bundle.pem.sig bundles/microsoft_ca_bundle.p7b bundles/microsoft_ca_bundle.p7b.sig bundles/microsoft_ca_bundle.pem bundles/microsoft_ca_bundle.pem.sig bundles/mozilla_ca_bundle.p7b bundles/mozilla_ca_bundle.p7b.sig bundles/mozilla_ca_bundle.pem bundles/mozilla_ca_bundle.pem.sig bundles/tlsinspector_ca_bundle.p7b bundles/tlsinspector_ca_bundle.p7b.sig bundles/tlsinspector_ca_bundle.pem bundles/tlsinspector_ca_bundle.pem.sig bundles/signing_key.pem bundles/certificates.csv | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| - name: Clear Cache | |
| id: clear_cache | |
| if: steps.commit.outputs.needs_release == 'true' | |
| run: | | |
| curl -X DELETE -u '${{ secrets.ROOTCA_API_USERNAME }}:${{ secrets.ROOTCA_API_PASSWORD }}' https://api.tlsinspector.com/rootca/latest |