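# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/check-certificates.md
name: Check Signing Certificates

# See: https://docs.github.com/en/actions/reference/events-that-trigger-workflows
on:
  push:
    paths:
      - ".github/workflows/check-certificates.ya?ml"
      - "certs/**"
  pull_request:
    paths:
      - ".github/workflows/check-certificates.ya?ml"
      - "certs/**"
  schedule:
    # Run every 10 hours.
    - cron: "0 */10 * * *"
  workflow_dispatch:
  repository_dispatch:

# Least privilege for the automatic GITHUB_TOKEN: the jobs only check out the
# repository. The Slack step authenticates with its own webhook secret, not
# with the token.
permissions:
  contents: read

env:
  # Begin notifications when there are less than this many days remaining before expiration.
  EXPIRATION_WARNING_PERIOD: 30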
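jobs:
  get-certificates-list:
    runs-on: ubuntu-latest
    outputs:
      # JSON matrix object consumed by the check-certificates job:
      # {"cert_file": ["<path>", ...]}
      certificates: ${{ steps.get-files.outputs.certificates }}
    steps:
      - name: Checkout repository
        # Consider pinning actions to a full commit SHA
        # (actions/checkout@<commit-sha>) so the executed action code is immutable.
        uses: actions/checkout@v2

      - name: Get files list
        id: get-files
        shell: bash
        run: |
          # Build the matrix with jq so that unusual file names (spaces, quotes)
          # are JSON-escaped instead of being spliced into the value with sed.
          # NOTE: an empty certs/ directory yields an empty matrix, which
          # GitHub Actions rejects when the next job starts.
          CERTIFICATES="$(
            find "$GITHUB_WORKSPACE/certs" -maxdepth 1 -type f \
              | sort \
              | jq --raw-input --slurp --compact-output \
                  'split("\n") | map(select(length > 0)) | {cert_file: .}'
          )"
          echo "Certificates matrix: $CERTIFICATES"
          # See: https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions
          echo "certificates=$CERTIFICATES" >> "$GITHUB_OUTPUT"

  check-certificates:
    name: ${{ matrix.cert_file }}
    needs: get-certificates-list
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(needs.get-certificates-list.outputs.certificates) }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Get days remaining before certificate expiration date
        id: get-days-before-expiration
        shell: bash
        env:
          # Matrix values are handed to the script through the environment
          # rather than expanded with ${{ }} inside it, so a file name is
          # never interpreted as shell syntax.
          CERT_FILE: ${{ matrix.cert_file }}
        run: |
          EXPIRATION_DATE="$(
            openssl x509 \
              -inform der \
              -in "$CERT_FILE" \
              -enddate -noout \
            | grep \
              --max-count=1 \
              --only-matching \
              --perl-regexp \
              'notAfter=(\K.*)'
          )"
          # A certificate that cannot be parsed would otherwise leave an empty
          # date, which `date` does not reject, producing a bogus day count
          # instead of a clear error.
          if [[ -z "$EXPIRATION_DATE" ]]; then
            echo "::error::Unable to read the expiration date of $CERT_FILE"
            exit 1
          fi
          DAYS_BEFORE_EXPIRATION="$((($(date --utc --date="$EXPIRATION_DATE" +%s) - $(date --utc +%s)) / 60 / 60 / 24))"
          # Display the expiration information in the log.
          echo "Certificate expiration date: $EXPIRATION_DATE"
          echo "Days remaining before expiration: $DAYS_BEFORE_EXPIRATION"
          echo "days=$DAYS_BEFORE_EXPIRATION" >> "$GITHUB_OUTPUT"

      - name: Check if expiration notification period has been reached
        id: check-expiration
        shell: bash
        env:
          CERT_FILE: ${{ matrix.cert_file }}
          DAYS: ${{ steps.get-days-before-expiration.outputs.days }}
        run: |
          # EXPIRATION_WARNING_PERIOD is exported from the workflow-level env block.
          if [[ "$DAYS" -lt "$EXPIRATION_WARNING_PERIOD" ]]; then
            echo "::error::$CERT_FILE will expire in $DAYS days!!!"
            exit 1
          fi

      - name: Slack notification of pending certificate expiration
        # Only run when the workflow will have access to the certificate secrets.
        # failure() is true when any earlier step failed, so a certificate that
        # could not be parsed also triggers a notification (with an empty day count).
        if: >
          failure() &&
          github.event_name == 'schedule'
        env:
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
          SLACK_MESSAGE: |
            :warning::warning::warning::warning:
            WARNING: ${{ github.repository }} ${{ matrix.cert_file }} will expire in ${{ steps.get-days-before-expiration.outputs.days }} days!!!
            :warning::warning::warning::warning:
          SLACK_COLOR: danger
          MSG_MINIMAL: "true"
        # This third-party action receives the Slack webhook secret; pin it to a
        # full commit SHA (rtCamp/action-slack-notify@<commit-sha>) rather than
        # a mutable tag.
        uses: rtCamp/action-slack-notify@v2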