Skip to content

Certificates

Certificates #786

Workflow file for this run

name: Certificates
on:
# Run every day at 4:20.
schedule:
- cron: '20 4 * * *'
# Run on every push to `stable` and `develop`.
# Not using path selection here as it appears only the files in the last commit from the push are looked at.
push:
branches:
- 'stable'
- 'develop'
# And whenever this workflow is updated or a PR attempts to update the certificate files.
pull_request:
paths:
- '.github/workflows/update-cacert.yml'
- 'certificates/cacert.pem'
- 'certificates/cacert.pem.sha256'
# Also allow manually triggering the workflow.
workflow_dispatch:
# Cancels all previous workflow runs for the same branch that have not yet completed.
concurrency:
# The concurrency group contains the workflow name and the branch name.
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
certificate-check:
name: "Check for updated certificate bundle"
# Don't run the cron job on forks.
if: ${{ github.event_name != 'schedule' || github.repository == 'WordPress/Requests' }}
runs-on: ubuntu-latest
steps:
- name: Determine branches to use
id: branches
env:
HEAD_REF: ${{ github.head_ref }}
PR_NUM: ${{ github.event.pull_request.number }}
run: |
if [[ "${{ github.event_name }}" == 'schedule' ]]; then
echo "BASE=develop" >> $GITHUB_OUTPUT
echo "PR_BRANCH=feature/auto-update-cacert" >> $GITHUB_OUTPUT
elif [[ "${{ github.event_name }}" == 'push' ]]; then
# Pull requests should always go to develop, even when triggered via a push to stable.
echo "BASE=develop" >> $GITHUB_OUTPUT
echo "PR_BRANCH=feature/auto-update-cacert" >> $GITHUB_OUTPUT
elif [[ $PR_NUM != '' ]]; then # = PR or manual (re-)run for a workflow triggered by a PR.
echo "BASE=$HEAD_REF" >> $GITHUB_OUTPUT
echo "PR_BRANCH=feature/auto-update-cacert-$PR_NUM" >> $GITHUB_OUTPUT
else # = manual run.
echo "BASE=$HEAD_REF" >> $GITHUB_OUTPUT
echo "PR_BRANCH=feature/auto-update-cacert-misc" >> $GITHUB_OUTPUT
fi
- name: Checkout code
uses: actions/checkout@v4
- name: Restore etags cache for certificate files
uses: actions/cache@v3
with:
path: certificates/etag-*.txt
key: curl-etag-${{ hashFiles('certificates/cacert.pem') }}-${{ hashFiles('certificates/cacert.pem.sha256') }}
restore-keys: |
curl-etag-
- name: Get current certificate bundle if changed
working-directory: ./certificates
run: curl --etag-compare etag-cert.txt --etag-save etag-cert.txt --remote-name https://curl.se/ca/cacert.pem
- name: Get current SHA256 checksum file for the bundle if changed
working-directory: ./certificates
run: curl --etag-compare etag-sha.txt --etag-save etag-sha.txt --remote-name https://curl.se/ca/cacert.pem.sha256
- name: Verify the checksum of the downloaded bundle
working-directory: ./certificates
run: sha256sum --check cacert.pem.sha256
- name: "Debug info: Show git status"
run: git status -vv --untracked=all
# http://man7.org/linux/man-pages/man1/date.1.html
- name: "Get date"
id: get-date
run: echo "DATE=$(/bin/date -u "+%F")" >> $GITHUB_OUTPUT
- name: Create pull request
uses: peter-evans/create-pull-request@v5
with:
base: ${{ steps.branches.outputs.BASE }}
branch: ${{ steps.branches.outputs.PR_BRANCH }}
delete-branch: true
commit-message: ":lock_with_ink_pen: Update certificate bundle"
title: ":lock_with_ink_pen: Update certificate bundle"
body: |
Updated certificate bundle, last verified on ${{ steps.get-date.outputs.DATE }}.
Source: https://curl.se/docs/caextract.html
This PR is auto-generated by [create-pull-request](https://github.com/peter-evans/create-pull-request) using the `.github/workflows/update-cacert.yml` workflow.
labels: |
Type: enhancement
reviewers: |
jrfnl
schlessera