diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..c949e51
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,35 @@
+---
+name: Deploy and update security.txt
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - 'main'
+ schedule:
+ - cron: "0 2 * * 1"
+
+jobs:
+ deploy-to-co-cyber-security-external:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v4
+
+ - name: Set up Python 3.8
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.8"
+
+ - name: Set up AWS creds
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.ROLE_TO_ASSUME_ARN }}
+ aws-region: eu-west-2
+
+ - name: Run Makefile
+ run: bash deploy.sh
+ shell: bash
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 69f42d0..0000000
--- a/Makefile
+++ /dev/null
@@ -1,30 +0,0 @@
-.SHELL := /bin/bash
-.DEFAULT_GOAL := build
-.PHONY = clean
-
-deploy: build
- echo "Deploy to non-live"
- aws s3 cp --profile cst-test --recursive dist s3://dev-cs-security.staging.gds-cyber-security.digital-website
- echo "Deploy to live"
- aws s3 cp --profile co-cyber-security-external --recursive dist s3://prod-vdp.cabinetoffice.gov.uk-website
-
-build: clean
- mkdir -p dist/.well-known/
- cp security.txt dist/
- cp thanks.txt dist/
-
- echo "" >> dist/security.txt
- echo "Last-Updated: " >> dist/security.txt
- date +"%Y-%m-%dT%H:%M:%SZ" >> dist/security.txt
-
- echo "Expires: " >> dist/security.txt
- date -v+3m +"%Y-%m-%dT%H:%M:%SZ" >> dist/security.txt
-
- echo "" >> dist/security.txt
- echo "# Generated at: https://github.com/alphagov/security.txt" >> dist/security.txt
-
- cp dist/security.txt dist/.well-known/
- cp paas_app/* dist/
-
-clean:
- rm -rf dist
diff --git a/deploy.sh b/deploy.sh
new file mode 100755
index 0000000..8ea4d0f
--- /dev/null
+++ b/deploy.sh
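Review bot: The three actions (`actions/checkout@v4`, `actions/setup-python@v5`, `aws-actions/configure-aws-credentials@v4`) are referenced by mutable major-version tags in a job that mints an OIDC token for the role in `secrets.ROLE_TO_ASSUME_ARN` and then writes to the production bucket; pinning each `uses:` to a full commit SHA (with the tag kept in a trailing comment) keeps a tag move upstream from changing what runs with those credentials. The `Set up Python 3.8` step appears unused — `deploy.sh` only calls `date`, `sed`, `cp` and `aws`, which the hosted runner image already provides — so it can be dropped. The last step is named `Run Makefile` although this commit deletes the Makefile and the step runs `deploy.sh`; `shell: bash` is also redundant with `run: bash deploy.sh`, so `- name: Run deploy.sh` / `run: ./deploy.sh` would say what happens. Quoting is mixed (`- 'main'` next to `"0 2 * * 1"` and `"3.8"`); pick one style for the file.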
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Manage content on the S3 for prod account.
+
+if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+ DATE_NOW=$(date --rfc-3339='seconds')
+ DATE_EXP=$(date -d "+3 months" --rfc-3339='seconds')
+
+ sed -i "s/DATE_NOW/${DATE_NOW}/g" ./security.txt
+ sed -i "s/DATE_EXP/${DATE_EXP}/g" ./security.txt
+
+ mkdir -p ./paas_app/.well-known/
+ cp ./security.txt ./paas_app/security.txt
+ cp ./thanks.txt ./paas_app/thanks.txt
+ cp ./paas_app/security.txt ./paas_app/.well-known/security.txt
+
+ aws s3 cp --recursive paas_app s3://prod-vdp.cabinetoffice.gov.uk-website
+else
+ echo "Due to different output format in date, only Linux is supported"
+ exit 1
+fi
\ No newline at end of file
diff --git a/readme.md b/readme.md
index e7155b5..2b0c39f 100644
--- a/readme.md
+++ b/readme.md
@@ -13,5 +13,7 @@ https://vdp.cabinetoffice.gov.uk/.well-known/security.txt This is so that we can update the `security.txt` from one place. ## Deployment
-A [GitHub Action](.github/workflows/deploy.yml) deploys changes to [security.txt](security.txt) in `main` to GOV.UK PaaS.
-The deployment also occurs every week to update the _expires_ field.
+
+- To make changes in thanks.txt create a new pull request. Once approved GitHub automatically will deploy new file to the AWS where content is being hosted.
+- File security.txt is a template which is being updated and uploaded on every merge to main with new expiration date
+- The deployment also occurs every week to update the _expires_ field.
\ No newline at end of file
diff --git a/security.txt b/security.txt
index 4111e88..ceb4f8a 100644
--- a/security.txt
+++ b/security.txt
@@ -6,3 +6,9 @@ Contact: https://www.gov.uk/contact/govuk Acknowledgments: https://vdp.cabinetoffice.gov.uk/thanks.txt Hiring: https://www.civilservicejobs.service.gov.uk/
+
+Last-Updated: DATE_NOW
+
+Expires: DATE_EXP
+
+Generated at: https://github.com/alphagov/security.txt
\ No newline at end of file
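Review bot: The timestamps substituted into `security.txt` come from `date --rfc-3339='seconds'`, which prints `YYYY-MM-DD HH:MM:SS+00:00` with a space between date and time, whereas RFC 9116 expects `Expires` in the RFC 3339 `date-time` form with a `T` separator (the format the deleted Makefile produced), and some security.txt validators reject the space form. The script also has no `set -euo pipefail`, so a failing `sed` or `cp` does not stop the `aws s3 cp` upload, and `sed` exits 0 when a placeholder is absent, so a template edit that loses `DATE_EXP` would publish the literal placeholder to the production bucket. Generating the dates with `date -u +"%Y-%m-%dT%H:%M:%SZ"`, failing fast, and refusing to upload while a placeholder remains addresses all three.
```shell
#!/bin/bash
set -euo pipefail

if [[ "$OSTYPE" == "linux-gnu"* ]]; then
  DATE_NOW=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
  DATE_EXP=$(date -u -d "+3 months" +"%Y-%m-%dT%H:%M:%SZ")

  sed -i "s/DATE_NOW/${DATE_NOW}/g" ./security.txt
  sed -i "s/DATE_EXP/${DATE_EXP}/g" ./security.txt

  # Refuse to publish a file that still carries a template placeholder.
  if grep -Eq 'DATE_(NOW|EXP)' ./security.txt; then
    echo "security.txt still contains an unsubstituted placeholder" >&2
    exit 1
  fi

  # … unchanged: mkdir/cp into paas_app and the aws s3 cp upload …
```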
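Review bot: `Generated at: https://github.com/alphagov/security.txt` is now emitted as a bare line, whereas the deleted Makefile wrote it as a `# Generated at: …` comment; RFC 9116 takes its `field-name` from RFC 5322, which does not allow a space in the name, so a strict parser may treat this line as malformed rather than as an extension field. Restoring the leading `# ` keeps it as the comment it is. The file also ends without a trailing newline (`\ No newline at end of file`), while RFC 9116 requires every line to end in LF or CRLF, so the template should end with a final newline. `Last-Updated` is not a field defined by RFC 9116 but is syntactically a valid extension field and can stay.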