Update cacert.pem certificate bundle #89
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Originally from: | |
# https://github.com/Slicer/Slicer/blob/main/.github/workflows/update-slicer-certificate-bundle.yml | |
# Author: Jean-Christophe Fillion-Robin <[email protected]> | |
# Date: Tue Sep 14 18:32:49 2021 -0400 - Wed Mar 16 02:45:45 2022 -0400 | |
name: Update cacert.pem certificate bundle | |
on: | |
schedule: | |
# Every tuesday at 11.30am UTC (7.30am ET) | |
- cron: "30 11 * * 2" | |
workflow_dispatch: | |
jobs: | |
update-cacert-pem-certificate-bundle: | |
name: Update cacert.pem certificate bundle | |
runs-on: ubuntu-latest | |
env: | |
CERTDATA_OWNER: mozilla | |
CERTDATA_REPO: gecko-dev | |
CERTDATA_PATH: security/nss/lib/ckfw/builtins/certdata.txt | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Get sha and canonical download url for latest version of certdata.txt file | |
id: latest_certdata | |
run: | | |
sha=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
"https://api.github.com/repos/${{ env.CERTDATA_OWNER }}/${{ env.CERTDATA_REPO }}/commits?path=${{ env.CERTDATA_PATH }}&sha=master&per_page=1" | jq ".[0] | .sha" -r) | |
echo "::set-output name=sha::${sha}" | |
authordate=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
"https://api.github.com/repos/${{ env.CERTDATA_OWNER }}/${{ env.CERTDATA_REPO }}/commits?path=${{ env.CERTDATA_PATH }}&sha=master&per_page=1" | \ | |
jq ".[0] | .commit.author.date" -r | cut -f 1 -d T) | |
echo "::set-output name=authordate::${authordate}" | |
download_url="https://github.com/${{ env.CERTDATA_OWNER }}/${{ env.CERTDATA_REPO }}/blob/${sha}/${{ env.CERTDATA_PATH }}?raw=true" | |
echo "::set-output name=download_url::${download_url}" | |
- name: Download certdata.txt from https://github.com/mozilla/gecko-dev | |
run: | | |
cd packages/security/openssl/cert && | |
curl -L# -o certdata.txt ${{ steps.latest_certdata.outputs.download_url }} && | |
curl -L# -o mk-ca-bundle.pl https://raw.githubusercontent.com/curl/curl/master/scripts/mk-ca-bundle.pl && | |
chmod 755 mk-ca-bundle.pl | |
- name: Generate cacert.pem | |
run: | | |
cd packages/security/openssl/cert && | |
./mk-ca-bundle.pl -n cacert.pem | |
- name: Cleanup | |
run: | | |
cd packages/security/openssl/cert && | |
rm certdata.txt mk-ca-bundle.pl | |
- name: Get SHA of the branch that triggered the workflow run | |
id: head_branch | |
run: | | |
sha=$(git rev-parse ${{ github.ref }}) | |
echo "::set-output name=sha::${sha}" | |
- name: Create Pull Request | |
id: cpr | |
uses: peter-evans/create-pull-request@v4 | |
with: | |
token: ${{ secrets.LIBREELECBOT_GITHUB_TOKEN }} | |
commit-message: | | |
cacert.pem: update to ${{ steps.latest_certdata.outputs.authordate }} | |
This commit updates cacert.pem certificate bundle with [mk-ca-bundle.pl][1] script using the | |
content of [certdata][2] associated with ${{ env.CERTDATA_OWNER }}/${{ env.CERTDATA_REPO }}@${{ steps.latest_certdata.outputs.sha }}, | |
It was auto-generated by the [update-cacert-pem-certificate-bundle][3] GitHub action workflow. | |
[1]: https://github.com/curl/curl/blob/master/scripts/mk-ca-bundle.pl | |
[2]: ${{ steps.latest_certdata.outputs.download_url }} | |
[3]: https://github.com/${{ github.repository }}/blob/${{ steps.head_branch.outputs.sha }}/.github/workflows/update-cacert-pem-certificate-bundle.yml | |
committer: Rudi Heitbaum <[email protected]> | |
author: Rudi Heitbaum <[email protected]> | |
reviewers: Rudi Heitbaum <[email protected]> | |
labels: 'github-action' | |
signoff: false | |
#branch: bot/update-cacert-pem | |
#push-to-fork | |
branch-suffix: short-commit-hash | |
delete-branch: true | |
title: "cacert.pem CA bundle: update to ${{ steps.latest_certdata.outputs.authordate }}" | |
body: | | |
This pull-request was auto-generated by the [update-cacert-pem-certificate-bundle][1] GitHub action workflow. | |
[1]: https://github.com/${{ github.repository }}/blob/${{ steps.head_branch.outputs.sha }}/.github/workflows/update-cacert-pem-certificate-bundle.yml | |
draft: false | |
add-paths: | | |
packages/security/openssl/cert/cacert.pem |