Unverified Commit 0db96b30 authored by per1234, committed by GitHub

[skip changelog] Sync certificate check CI workflow with template (#1379)

We have assembled a collection of reusable GitHub Actions workflows:
https://github.com/arduino/tooling-project-assets
These workflows will be used in the repositories of all Arduino tooling projects.

Some minor improvements and standardizations have been made in the upstream "template" workflow, and those are introduced to this repository via this pull request.
Notable:

- Trigger workflow run on modification to facilitate testing.
- `repository_dispatch` event trigger to allow for automated triggering across many repositories via the GitHub API following a relevant external change.
- Change Slack webhook repository secret name.
- Use major version ref of `rtCamp/action-slack-notify` so that the latest release of the action is used up to the next major bump.
parent 47135863
name: Check for issues with signing certificates # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/check-certificates.md
name: Check Certificates
# See: https://docs.github.com/en/actions/reference/events-that-trigger-workflows
on: on:
push:
paths:
- ".github/workflows/check-certificates.ya?ml"
pull_request:
paths:
- ".github/workflows/check-certificates.ya?ml"
schedule: schedule:
# run every 10 hours # Run every 10 hours.
- cron: "0 */10 * * *" - cron: "0 */10 * * *"
# workflow_dispatch event allows the workflow to be triggered manually.
# This could be used to run an immediate check after updating certificate secrets.
# See: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch
workflow_dispatch: workflow_dispatch:
repository_dispatch:
env: env:
# Begin notifications when there are less than this many days remaining before expiration # Begin notifications when there are less than this many days remaining before expiration.
EXPIRATION_WARNING_PERIOD: 30 EXPIRATION_WARNING_PERIOD: 30
jobs: jobs:
check-certificates: check-certificates:
# This workflow would fail in forks that don't have the certificate secrets defined name: ${{ matrix.certificate.identifier }}
if: github.repository == 'arduino/arduino-cli' # Only run when the workflow will have access to the certificate secrets.
if: >
(github.event_name != 'pull_request' && github.repository == 'arduino/arduino-cli') ||
(github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'arduino/arduino-cli')
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
certificate: certificate:
- identifier: macOS signing certificate # Text used to identify the certificate in notifications # Additional certificate definitions can be added to this list.
certificate-secret: INSTALLER_CERT_MAC_P12 # The name of the secret that contains the certificate - identifier: macOS signing certificate # Text used to identify certificate in notifications.
password-secret: INSTALLER_CERT_MAC_PASSWORD # The name of the secret that contains the certificate password certificate-secret: INSTALLER_CERT_MAC_P12 # Name of the secret that contains the certificate.
password-secret: INSTALLER_CERT_MAC_PASSWORD # Name of the secret that contains the certificate password.
steps: steps:
- name: Set certificate path environment variable - name: Set certificate path environment variable
run: | run: |
# See: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable # See: https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
echo "CERTIFICATE_PATH=${{ runner.temp }}/certificate.p12" >> "$GITHUB_ENV" echo "CERTIFICATE_PATH=${{ runner.temp }}/certificate.p12" >> "$GITHUB_ENV"
- name: Decode certificate - name: Decode certificate
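Review bot: the added `repository_dispatch:` trigger carries no `types:` filter, so every repository_dispatch event delivered to this repository, whatever its `event_type`, starts a job that decodes the signing certificate held in `INSTALLER_CERT_MAC_P12`; restrict it to a named event type so a dispatch intended for one of the other synced workflows does not also spend a run and a secret decode here. The widened `if` is sound: `github.event.pull_request.head.repo.full_name == 'arduino/arduino-cli'` excludes fork pull requests, which would not receive the secrets and would fail at the decode step anyway. A short comment that this job must stay on `pull_request` and never be moved to `pull_request_target` would protect that property, since the latter would expose the certificate secrets to fork-supplied workflow changes.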
...@@ -53,18 +62,17 @@ jobs: ...@@ -53,18 +62,17 @@ jobs:
exit 1 exit 1
) )
# See: https://github.com/rtCamp/action-slack-notify
- name: Slack notification of certificate verification failure - name: Slack notification of certificate verification failure
if: failure() if: failure()
uses: rtCamp/action-slack-notify@v2.2.0
env: env:
SLACK_WEBHOOK: ${{ secrets.TEAM_TOOLING_CHANNEL_SLACK_WEBHOOK }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
SLACK_MESSAGE: | SLACK_MESSAGE: |
:warning::warning::warning::warning: :warning::warning::warning::warning:
WARNING: ${{ github.repository }} ${{ matrix.certificate.identifier }} verification failed!!! WARNING: ${{ github.repository }} ${{ matrix.certificate.identifier }} verification failed!!!
:warning::warning::warning::warning: :warning::warning::warning::warning:
SLACK_COLOR: danger SLACK_COLOR: danger
MSG_MINIMAL: true MSG_MINIMAL: true
uses: rtCamp/action-slack-notify@v2
- name: Get days remaining before certificate expiration date - name: Get days remaining before certificate expiration date
env: env:
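Review bot: changing `uses: rtCamp/action-slack-notify@v2.2.0` to `@v2` replaces a fixed release with a mutable tag that the action's maintainers can re-point at any time, and this step hands `secrets.SLACK_WEBHOOK` to that code in its environment, so a hijacked or mistaken `v2` tag can exfiltrate the webhook without any change appearing in this repository. If the goal is to pick up patch releases automatically, pin to the full commit SHA of the release (with the version in a trailing comment) and let Dependabot open the bump PRs; that keeps every action update reviewable here. Moving `uses:` below `env:` is purely cosmetic, since step keys are order-independent.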
...@@ -93,7 +101,7 @@ jobs: ...@@ -93,7 +101,7 @@ jobs:
DAYS_BEFORE_EXPIRATION="$((($(date --utc --date="$EXPIRATION_DATE" +%s) - $(date --utc +%s)) / 60 / 60 / 24))" DAYS_BEFORE_EXPIRATION="$((($(date --utc --date="$EXPIRATION_DATE" +%s) - $(date --utc +%s)) / 60 / 60 / 24))"
# Display the expiration information in the log # Display the expiration information in the log.
echo "Certificate expiration date: $EXPIRATION_DATE" echo "Certificate expiration date: $EXPIRATION_DATE"
echo "Days remaining before expiration: $DAYS_BEFORE_EXPIRATION" echo "Days remaining before expiration: $DAYS_BEFORE_EXPIRATION"
...@@ -108,14 +116,14 @@ jobs: ...@@ -108,14 +116,14 @@ jobs:
fi fi
- name: Slack notification of pending certificate expiration - name: Slack notification of pending certificate expiration
# Don't send spurious expiration notification if verification fails # Don't send spurious expiration notification if verification fails.
if: failure() && steps.check-expiration.outcome == 'failure' if: failure() && steps.check-expiration.outcome == 'failure'
uses: rtCamp/action-slack-notify@v2.2.0
env: env:
SLACK_WEBHOOK: ${{ secrets.TEAM_TOOLING_CHANNEL_SLACK_WEBHOOK }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
SLACK_MESSAGE: | SLACK_MESSAGE: |
:warning::warning::warning::warning: :warning::warning::warning::warning:
WARNING: ${{ github.repository }} ${{ matrix.certificate.identifier }} will expire in ${{ steps.get-days-before-expiration.outputs.days }} days!!! WARNING: ${{ github.repository }} ${{ matrix.certificate.identifier }} will expire in ${{ steps.get-days-before-expiration.outputs.days }} days!!!
:warning::warning::warning::warning: :warning::warning::warning::warning:
SLACK_COLOR: danger SLACK_COLOR: danger
MSG_MINIMAL: true MSG_MINIMAL: true
uses: rtCamp/action-slack-notify@v2
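Review bot: the rename from `secrets.TEAM_TOOLING_CHANNEL_SLACK_WEBHOOK` to `secrets.SLACK_WEBHOOK` requires the new repository secret to exist before this merges; a secret that is not defined expands to an empty `SLACK_WEBHOOK`, so the first pending-expiration alert after the change would not be delivered, which is exactly the case this step exists for. After the secret is added, a `workflow_dispatch` run (the header comment already recommends one after secret updates) confirms delivery end to end. The condition `failure() && steps.check-expiration.outcome == 'failure'` is unchanged and still correctly suppresses the expiration message when verification rather than the expiration check failed.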