|
| 1 | +name: Check for issues with signing certificates |
| 2 | + |
| 3 | +on: |
| 4 | + schedule: |
| 5 | + # run every 10 hours |
| 6 | + - cron: "0 */10 * * *" |
| 7 | + # workflow_dispatch event allows the workflow to be triggered manually. |
| 8 | + # This could be used to run an immediate check after updating certificate secrets. |
| 9 | + # See: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch |
| 10 | + workflow_dispatch: |
| 11 | + |
| 12 | +env: |
| 13 | + # Begin notifications when there are less than this many days remaining before expiration |
| 14 | + EXPIRATION_WARNING_PERIOD: 30 |
| 15 | + |
| 16 | +jobs: |
| 17 | + check-certificates: |
| 18 | + # This workflow would fail in forks that don't have the certificate secrets defined |
| 19 | + if: github.repository == 'arduino/arduino-cli' |
| 20 | + runs-on: ubuntu-latest |
| 21 | + |
| 22 | + strategy: |
| 23 | + fail-fast: false |
| 24 | + |
| 25 | + matrix: |
| 26 | + certificate: |
| 27 | + - identifier: macOS signing certificate # Text used to identify the certificate in notifications |
| 28 | + certificate-secret: INSTALLER_CERT_MAC_P12 # The name of the secret that contains the certificate |
| 29 | + password-secret: INSTALLER_CERT_MAC_PASSWORD # The name of the secret that contains the certificate password |
| 30 | + |
| 31 | + steps: |
| 32 | + - name: Set certificate path environment variable |
| 33 | + run: | |
| 34 | + # See: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable |
| 35 | + echo "CERTIFICATE_PATH=${{ runner.temp }}/certificate.p12" >> "$GITHUB_ENV" |
| 36 | + |
| 37 | + - name: Decode certificate |
| 38 | + env: |
| 39 | + CERTIFICATE: ${{ secrets[matrix.certificate.certificate-secret] }} |
| 40 | + run: | |
| 41 | + echo "${{ env.CERTIFICATE }}" | base64 --decode > "${{ env.CERTIFICATE_PATH }}" |
| 42 | + |
| 43 | + - name: Verify certificate |
| 44 | + env: |
| 45 | + CERTIFICATE_PASSWORD: ${{ secrets[matrix.certificate.password-secret] }} |
| 46 | + run: | |
| 47 | + ( |
| 48 | + openssl pkcs12 \ |
| 49 | + -in "${{ env.CERTIFICATE_PATH }}" \ |
| 50 | + -noout -passin env:CERTIFICATE_PASSWORD |
| 51 | + ) || ( |
| 52 | + echo "::error::Verification of ${{ matrix.certificate.identifier }} failed!!!" |
| 53 | + exit 1 |
| 54 | + ) |
| 55 | + |
| 56 | + # See: https://github.com/rtCamp/action-slack-notify |
| 57 | + - name: Slack notification of certificate verification failure |
| 58 | + if: failure() |
| 59 | + uses: rtCamp/action-slack-notify@v2.1.0 |
| 60 | + env: |
| 61 | + SLACK_WEBHOOK: ${{ secrets.TEAM_TOOLING_CHANNEL_SLACK_WEBHOOK }} |
| 62 | + SLACK_MESSAGE: | |
| 63 | + :warning::warning::warning::warning: |
| 64 | + WARNING: ${{ github.repository }} ${{ matrix.certificate.identifier }} verification failed!!! |
| 65 | + :warning::warning::warning::warning: |
| 66 | + SLACK_COLOR: danger |
| 67 | + MSG_MINIMAL: true |
| 68 | + |
| 69 | + - name: Get days remaining before certificate expiration date |
| 70 | + env: |
| 71 | + CERTIFICATE_PASSWORD: ${{ secrets[matrix.certificate.password-secret] }} |
| 72 | + id: get-days-before-expiration |
| 73 | + run: | |
| 74 | + EXPIRATION_DATE="$( |
| 75 | + ( |
| 76 | + openssl pkcs12 \ |
| 77 | + -in "${{ env.CERTIFICATE_PATH }}" \ |
| 78 | + -clcerts \ |
| 79 | + -nodes \ |
| 80 | + -passin env:CERTIFICATE_PASSWORD |
| 81 | + ) | ( |
| 82 | + openssl x509 \ |
| 83 | + -noout \ |
| 84 | + -enddate |
| 85 | + ) | ( |
| 86 | + grep \ |
| 87 | + --max-count=1 \ |
| 88 | + --only-matching \ |
| 89 | + --perl-regexp \ |
| 90 | + 'notAfter=(\K.*)' |
| 91 | + ) |
| 92 | + )" |
| 93 | + |
| 94 | + DAYS_BEFORE_EXPIRATION="$((($(date --utc --date="$EXPIRATION_DATE" +%s) - $(date --utc +%s)) / 60 / 60 / 24))" |
| 95 | + |
| 96 | + # Display the expiration information in the log |
| 97 | + echo "Certificate expiration date: $EXPIRATION_DATE" |
| 98 | + echo "Days remaining before expiration: $DAYS_BEFORE_EXPIRATION" |
| 99 | + |
| 100 | + echo "::set-output name=days::$DAYS_BEFORE_EXPIRATION" |
| 101 | + |
| 102 | + - name: Check if expiration notification period has been reached |
| 103 | + id: check-expiration |
| 104 | + run: | |
| 105 | + if [[ ${{ steps.get-days-before-expiration.outputs.days }} -lt ${{ env.EXPIRATION_WARNING_PERIOD }} ]]; then |
| 106 | + echo "::error::${{ matrix.certificate.identifier }} will expire in ${{ steps.get-days-before-expiration.outputs.days }} days!!!" |
| 107 | + exit 1 |
| 108 | + fi |
| 109 | + |
| 110 | + - name: Slack notification of pending certificate expiration |
| 111 | + # Don't send spurious expiration notification if verification fails |
| 112 | + if: failure() && steps.check-expiration.outcome == 'failure' |
| 113 | + uses: rtCamp/action-slack-notify@v2.1.0 |
| 114 | + env: |
| 115 | + SLACK_WEBHOOK: ${{ secrets.TEAM_TOOLING_CHANNEL_SLACK_WEBHOOK }} |
| 116 | + SLACK_MESSAGE: | |
| 117 | + :warning::warning::warning::warning: |
| 118 | + WARNING: ${{ github.repository }} ${{ matrix.certificate.identifier }} will expire in ${{ steps.get-days-before-expiration.outputs.days }} days!!! |
| 119 | + :warning::warning::warning::warning: |
| 120 | + SLACK_COLOR: danger |
| 121 | + MSG_MINIMAL: true |
0 commit comments