Added secrets check and missing secret (#33)

ToreMerkely · web-flow · commit e7e966ef6cb3 · 2025-05-08T11:55:57.000+02:00
diff --git a/.github/workflows/secret-expire-check.yml b/.github/workflows/secret-expire-check.yml
@@ -0,0 +1,38 @@
+name: Daily Check to see if any secrets will expire soon
+
+on:
+  workflow_dispatch:
+  schedule: # At 04:00 every morning
+    - cron: '0 04 * * *'
+
+
+jobs:
+  secret-expire-check:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run check if any secrets will expire within next month
+        id: secrete-expire-check-month
+        run: |
+          ./bin/check_secret_expire.sh $(date -d "+1 month" +"%Y-%m-%d")
+
+      - name: Slack Notification on Failure
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_CHANNEL: secret-expire
+          SLACK_WEBHOOK: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }}
+          SLACK_USERNAME: GithubActions
+          SLACK_COLOR: ${{ job.status }}
+          SLACKIFY_MARKDOWN: true
+          SLACK_TITLE: Secret has expired
+          SLACK_MESSAGE: "Some secrets in `github-release-example` is about to or has expired. Please check the \
+              [log](${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}) \
+              for more details."
+          SLACK_FOOTER:
diff --git a/bin/check_secret_expire.sh b/bin/check_secret_expire.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeu
+
+SCRIPT_NAME=check_secret_expire.sh
+ROOT_DIR=$(dirname $(readlink -f $0))/..
+NOW_DATE=$(date +%Y-%m-%d)
+
+print_help()
+{
+    cat <<EOF
+Usage: $SCRIPT_NAME <options> [yyyy-mm-dd]
+
+Will search all txt-files in secrets directory to see if any of them
+has a secret that has expired. You can specify a date if you want to
+know if something expires in the future
+
+Options are:
+  -h          Print this help menu
+EOF
+}
+
+check_arguments()
+{
+    while getopts "h" opt; do
+        case $opt in
+            h)
+                print_help
+                exit 1
+                ;;
+            \?)
+                echo "Invalid option: -$OPTARG" >&2
+                exit 1
+                ;;
+        esac
+    done
+
+    # Remove options from command line
+    shift $((OPTIND-1))
+
+    if [ $# -eq 1 ]; then
+        NOW_DATE=$1; shift
+    fi
+}
+
+echo_if_secret_expired()
+{
+    local file=$1; shift
+    local now_date=$1; shift
+    local expire_date now_sec expire_sec
+    expire_date=$(grep "secret-expire:" ${file} | sed "s/secret-expire: *//")
+
+    if [[ ! "${now_date}" < "${expire_date}" ]]; then
+        grep "secret-name:" ${file} | sed "s/secret-name: */  /" | tr '\n' ' '
+        grep "secret-expire:" ${file}
+        return 1
+    fi
+    return 0
+}
+
+main()
+{
+    check_arguments "$@"
+    local file
+    local result=0
+    echo "The following is a list of secrets in 'secrets/*txt' which will have expired on ${NOW_DATE}"
+    for file in ${ROOT_DIR}/secrets/*txt; do
+        echo_if_secret_expired ${file} ${NOW_DATE} || result=1
+    done
+    return $result
+}
+
+main "$@"
diff --git a/secrets/gh-repo-kosli-public-api-token.txt b/secrets/gh-repo-kosli-public-api-token.txt
@@ -0,0 +1,15 @@
+secret-name: KOSLI_PUBLIC_API_TOKEN
+secret-expire: 2026-04-06
+secret-updated: 2025-04-06
+secret-updated-by: tore
+secret-type: gh-repo
+is-secret: true
+secret-usage: Secret used to report github release example builds to
+https://app.kosli.com/kosli-public
+
+update-instructions:
+Get new API key from https://app.kosli.com/kosli-public/settings/service-accounts#github-release-example
+This is the api-key for the github-release-exampl.
+
+Go to https://github.com/kosli-dev/github-release-example/settings/secrets/actions
+under <Repository secrets>
