Update CA Bundles #1079
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Update CA Bundles" | |
| on: | |
| push: | |
| branches: ["main"] | |
| pull_request: | |
| branches: ["main"] | |
| schedule: | |
| - cron: "18 18 * * *" | |
| workflow_dispatch: | |
| permissions: | |
| packages: read | |
| contents: write | |
| jobs: | |
| update: | |
| name: "Update" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Generate Tag Name | |
| id: tag_name | |
| run: | | |
| echo "TAG_NAME=$(date +'bundle_%Y%m%d')" >> $GITHUB_ENV | |
| - name: Checkout Source | |
| id: checkout | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #pin v6.0.1 | |
| - name: Update CA Bundles | |
| id: update_bundles | |
| uses: docker://ghcr.io/tls-inspector/rootca:latest | |
| env: | |
| ROOTCA_SIGNING_PRIVATE_KEY: ${{ secrets.ROOTCA_SIGNING_PRIVATE_KEY }} | |
| ROOTCA_SIGNING_PUBLIC_KEY: ${{ vars.ROOTCA_SIGNING_PUBLIC_KEY }} | |
| GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Commit Changes | |
| id: commit | |
| run: | | |
| HAS_CHANGES=$(if [[ $(git status --porcelain) == '' ]]; then echo 'false'; else echo 'true'; fi) | |
| if [[ $HAS_CHANGES == 'false' ]]; then | |
| echo "::notice ::No changes detected" | |
| echo "needs_release=false" >> $GITHUB_OUTPUT | |
| exit 0 | |
| fi | |
| echo "::notice ::Bundle changes detected" | |
| git status | |
| git config user.email "ian@ecnepsnai.com" | |
| git config user.name "Ian Spence" | |
| git commit -a -m "[Actions] Update CA Bundles" | |
| git tag -a "${{ env.TAG_NAME}}" -m "${{ env.TAG_NAME}}" | |
| git push | |
| git push --tags | |
| echo "needs_release=true" >> $GITHUB_OUTPUT | |
| - name: Make Release If Needed | |
| id: release | |
| if: steps.commit.outputs.needs_release == 'true' | |
| run: | | |
| gh release create -n "Automatic CA bundle update" -t "${{ env.TAG_NAME}} - CA Bundles" ${{ env.TAG_NAME}} bundles/bundle_metadata.json bundles/bundle_metadata.json.sig bundles/apple_ca_bundle.p7b bundles/apple_ca_bundle.p7b.sig bundles/apple_ca_bundle.pem bundles/apple_ca_bundle.pem.sig bundles/google_ca_bundle.p7b bundles/google_ca_bundle.p7b.sig bundles/google_ca_bundle.pem bundles/google_ca_bundle.pem.sig bundles/microsoft_ca_bundle.p7b bundles/microsoft_ca_bundle.p7b.sig bundles/microsoft_ca_bundle.pem bundles/microsoft_ca_bundle.pem.sig bundles/mozilla_ca_bundle.p7b bundles/mozilla_ca_bundle.p7b.sig bundles/mozilla_ca_bundle.pem bundles/mozilla_ca_bundle.pem.sig bundles/tlsinspector_ca_bundle.p7b bundles/tlsinspector_ca_bundle.p7b.sig bundles/tlsinspector_ca_bundle.pem bundles/tlsinspector_ca_bundle.pem.sig bundles/signing_key.pem bundles/certificates.csv | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| - name: Clear Cache | |
| id: clear_cache | |
| if: steps.commit.outputs.needs_release == 'true' | |
| run: | | |
| curl -A 'github.com/tls-inspector/rootca' -X DELETE -u '${{ secrets.ROOTCA_API_USERNAME }}:${{ secrets.ROOTCA_API_PASSWORD }}' https://api.tlsinspector.com/rootca/latest |