update-code-signing-crl.yml 1.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748
  1. # SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
  2. # SPDX-License-Identifier: MIT
  3. name: Update code signing revocation list
  4. on:
  5. workflow_dispatch:
  6. schedule:
  7. - cron: "5 2 * * *"
  8. jobs:
  9. update-code-signing-crl:
  10. runs-on: ubuntu-latest
  11. strategy:
  12. fail-fast: false
  13. matrix:
  14. branches: ['master', 'stable29', 'stable28', 'stable27', 'stable26', 'stable25', 'stable24', 'stable23', 'stable22']
  15. name: update-code-signing-crl-${{ matrix.branches }}
  16. steps:
  17. - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
  18. with:
  19. ref: ${{ matrix.branches }}
  20. submodules: true
  21. - name: Download CRL file from Appstore repository
  22. run: curl --output resources/codesigning/root.crl https://raw.githubusercontent.com/nextcloud/appstore/master/nextcloudappstore/certificate/nextcloud.crl
  23. - name: Verify CRL is from CRT
  24. run: openssl crl -verify -in resources/codesigning/root.crl -CAfile resources/codesigning/root.crt -noout
  25. - name: Create Pull Request
  26. uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e
  27. with:
  28. token: ${{ secrets.COMMAND_BOT_PAT }}
  29. commit-message: 'fix(security): Update code signing revocation list'
  30. committer: GitHub <noreply@github.com>
  31. author: nextcloud-command <nextcloud-command@users.noreply.github.com>
  32. signoff: true
  33. branch: 'automated/noid/${{ matrix.branches }}-update-code-signing-crl'
  34. title: '[${{ matrix.branches }}] fix(security): Update code signing revocation list'
  35. body: |
  36. Auto-generated update of code signing revocation list from [Appstore](https://github.com/nextcloud/appstore/commits/master/nextcloudappstore/certificate/nextcloud.crl)
  37. labels: |
  38. dependencies
  39. 3. to review
  40. reviewers: mgallien, miaulalala, nickvergessen