-
-
Notifications
You must be signed in to change notification settings - Fork 18
99 lines (84 loc) · 3.67 KB
/
check-certificates.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
name: Check for issues with signing certificates
on:
schedule:
# run every 10 hours
- cron: "0 */10 * * *"
# workflow_dispatch event allows the workflow to be triggered manually.
# This could be used to run an immediate check after updating certificate secrets.
# See: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch
workflow_dispatch:
env:
# Begin notifications when there are less than this many days remaining before expiration
EXPIRATION_WARNING_PERIOD: 30
jobs:
get-certificates-list:
# This workflow would fail in forks that don't have the certificate secrets defined
if: github.repository == 'arduino/FirmwareUpdater'
runs-on: ubuntu-latest
outputs:
certificates: ${{ steps.get-files.outputs.certificates }}
steps:
- name: checkout
uses: actions/checkout@v2
- name: Set certificates path environment variable
run: |
# See: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
echo "FILES=\"$(ls ${{ github.workspace }}/certs/* | xargs | sed 's/ /","/g')\"" >> $GITHUB_ENV
- name: Get files list
id: get-files
run: |
JSON=$(echo '[${{ join(env.FILES) }}]' | jq -c '{"cert_file": .}')
echo "::set-output name=certificates::$JSON"
check-certificates:
# This workflow would fail in forks that don't have the certificate secrets defined
if: github.repository == 'arduino/FirmwareUpdater'
runs-on: ubuntu-latest
needs: get-certificates-list
strategy:
fail-fast: false
matrix: ${{fromJSON(needs.get-certificates-list.outputs.certificates)}}
steps:
- name: checkout
uses: actions/checkout@v2
- name: Get days remaining before certificate expiration date
id: get-days-before-expiration
run: |
EXPIRATION_DATE="$(
(
openssl x509 \
-inform der \
-in ${{ matrix.cert_file }} \
-enddate -noout
) | (
grep \
--max-count=1 \
--only-matching \
--perl-regexp \
'notAfter=(\K.*)'
)
)"
DAYS_BEFORE_EXPIRATION="$((($(date --utc --date="$EXPIRATION_DATE" +%s) - $(date --utc +%s)) / 60 / 60 / 24))"
# Display the expiration information in the log
echo "Certificate expiration date: $EXPIRATION_DATE"
echo "Days remaining before expiration: $DAYS_BEFORE_EXPIRATION"
echo "::set-output name=days::$DAYS_BEFORE_EXPIRATION"
- name: Check if expiration notification period has been reached
id: check-expiration
run: |
DAYS=${{ steps.get-days-before-expiration.outputs.days }}
if [[ $DAYS -lt ${{ env.EXPIRATION_WARNING_PERIOD }} ]]; then
echo "::error::${{ matrix.cert_file }} will expire in $DAYS days!!!"
exit 1
fi
- name: Slack notification of pending certificate expiration
# Don't send spurious expiration notification if verification fails
if: failure() && steps.check-expiration.outcome == 'failure'
uses: rtCamp/action-slack-notify@v2.1.0
env:
SLACK_WEBHOOK: ${{ secrets.TEAM_TOOLING_CHANNEL_SLACK_WEBHOOK }}
SLACK_MESSAGE: |
:warning::warning::warning::warning:
WARNING: ${{ github.repository }} ${{ matrix.cert_file }} will expire in ${{ steps.get-days-before-expiration.outputs.days }} days!!!
:warning::warning::warning::warning:
SLACK_COLOR: danger
MSG_MINIMAL: true