Certificates #1232
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Certificates | |
on: | |
# Run every day at 4:20. | |
schedule: | |
- cron: '20 4 * * *' | |
# Run on every push to `stable` and `develop`. | |
# Not using path selection here as it appears only the files in the last commit from the push are looked at. | |
push: | |
branches: | |
- 'stable' | |
- 'develop' | |
# And whenever this workflow is updated or a PR attempts to update the certificate files. | |
pull_request: | |
paths: | |
- '.github/workflows/update-cacert.yml' | |
- 'certificates/cacert.pem' | |
- 'certificates/cacert.pem.sha256' | |
# Also allow manually triggering the workflow. | |
workflow_dispatch: | |
# Cancels all previous workflow runs for the same branch that have not yet completed. | |
concurrency: | |
# The concurrency group contains the workflow name and the branch name. | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
certificate-check: | |
name: "Check for updated certificate bundle" | |
# Don't run the cron job on forks. | |
if: ${{ github.event_name != 'schedule' || github.repository == 'WordPress/Requests' }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Determine branches to use | |
id: branches | |
env: | |
HEAD_REF: ${{ github.head_ref }} | |
PR_NUM: ${{ github.event.pull_request.number }} | |
run: | | |
if [[ "${{ github.event_name }}" == 'schedule' ]]; then | |
echo "BASE=develop" >> $GITHUB_OUTPUT | |
echo "PR_BRANCH=feature/auto-update-cacert" >> $GITHUB_OUTPUT | |
elif [[ "${{ github.event_name }}" == 'push' ]]; then | |
# Pull requests should always go to develop, even when triggered via a push to stable. | |
echo "BASE=develop" >> $GITHUB_OUTPUT | |
echo "PR_BRANCH=feature/auto-update-cacert" >> $GITHUB_OUTPUT | |
elif [[ $PR_NUM != '' ]]; then # = PR or manual (re-)run for a workflow triggered by a PR. | |
echo "BASE=$HEAD_REF" >> $GITHUB_OUTPUT | |
echo "PR_BRANCH=feature/auto-update-cacert-$PR_NUM" >> $GITHUB_OUTPUT | |
else # = manual run. | |
echo "BASE=$HEAD_REF" >> $GITHUB_OUTPUT | |
echo "PR_BRANCH=feature/auto-update-cacert-misc" >> $GITHUB_OUTPUT | |
fi | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Restore etags cache for certificate files | |
uses: actions/cache@v4 | |
with: | |
path: certificates/etag-*.txt | |
key: curl-etag-${{ hashFiles('certificates/cacert.pem') }}-${{ hashFiles('certificates/cacert.pem.sha256') }} | |
restore-keys: | | |
curl-etag- | |
- name: Get current certificate bundle if changed | |
working-directory: ./certificates | |
run: curl --etag-compare etag-cert.txt --etag-save etag-cert.txt --remote-name https://curl.se/ca/cacert.pem | |
- name: Get current SHA256 checksum file for the bundle if changed | |
working-directory: ./certificates | |
run: curl --etag-compare etag-sha.txt --etag-save etag-sha.txt --remote-name https://curl.se/ca/cacert.pem.sha256 | |
- name: Verify the checksum of the downloaded bundle | |
working-directory: ./certificates | |
run: sha256sum --check cacert.pem.sha256 | |
- name: "Debug info: Show git status" | |
run: git status -vv --untracked=all | |
# http://man7.org/linux/man-pages/man1/date.1.html | |
- name: "Get date" | |
id: get-date | |
run: echo "DATE=$(/bin/date -u "+%F")" >> $GITHUB_OUTPUT | |
- name: Create pull request | |
uses: peter-evans/create-pull-request@v7 | |
with: | |
base: ${{ steps.branches.outputs.BASE }} | |
branch: ${{ steps.branches.outputs.PR_BRANCH }} | |
delete-branch: true | |
sign-commits: true | |
commit-message: ":lock_with_ink_pen: Update certificate bundle" | |
title: ":lock_with_ink_pen: Update certificate bundle" | |
body: | | |
Updated certificate bundle, last verified on ${{ steps.get-date.outputs.DATE }}. | |
Source: https://curl.se/docs/caextract.html | |
This PR is auto-generated by [create-pull-request](https://github.com/peter-evans/create-pull-request) using the `.github/workflows/update-cacert.yml` workflow. | |
labels: | | |
Type: enhancement | |
reviewers: | | |
jrfnl | |
schlessera |