update-code-signing-crl.yml 1.8 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546
  1. name: Update code signing revocation list
  2. on:
  3. workflow_dispatch:
  4. schedule:
  5. - cron: "5 2 * * *"
  6. jobs:
  7. update-code-signing-crl:
  8. runs-on: ubuntu-latest
  9. strategy:
  10. fail-fast: false
  11. matrix:
  12. branches: ["master", "stable28", "stable27", "stable26", "stable25", "stable24", "stable23", "stable22"]
  13. name: update-code-signing-crl-${{ matrix.branches }}
  14. steps:
  15. - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
  16. with:
  17. ref: ${{ matrix.branches }}
  18. submodules: true
  19. - name: Download CRL file from Appstore repository
  20. run: curl --output resources/codesigning/root.crl https://raw.githubusercontent.com/nextcloud/appstore/master/nextcloudappstore/certificate/nextcloud.crl
  21. - name: Verify CRL is from CRT
  22. run: openssl crl -verify -in resources/codesigning/root.crl -CAfile resources/codesigning/root.crt -noout
  23. - name: Create Pull Request
  24. uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e
  25. with:
  26. token: ${{ secrets.COMMAND_BOT_PAT }}
  27. commit-message: "fix(security): Update code signing revocation list"
  28. committer: GitHub <noreply@github.com>
  29. author: nextcloud-command <nextcloud-command@users.noreply.github.com>
  30. signoff: true
  31. branch: automated/noid/${{ matrix.branches }}-update-code-signing-crl
  32. title: "[${{ matrix.branches }}] fix(security): Update code signing revocation list"
  33. body: |
  34. Auto-generated update of code signing revocation list from [Appstore](https://github.com/nextcloud/appstore/commits/master/nextcloudappstore/certificate/nextcloud.crl)
  35. labels: |
  36. dependencies
  37. 3. to review
  38. reviewers: mgallien, miaulalala, nickvergessen