name: Update certs on: workflow_dispatch: schedule: - cron: '0 6 * * *' # Nightly 6AM UTC # This allows a subsequently queued workflow run to interrupt previous runs concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}} cancel-in-progress: true defaults: run: # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference shell: bash permissions: contents: read jobs: update-certs: permissions: contents: write # for peter-evans/create-pull-request to create branch pull-requests: write # for peter-evans/create-pull-request to create a PR runs-on: ubuntu-latest steps: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: egress-policy: audit - name: Checkout code uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v.24.0 # We trust own version of mk-ca-bundle.pl and its output, but as an extra check # we compare with the cacert.pem served by https://curl.se/ca/cacert.pem (this # allows detecting updates in the mk-ca-bundle.pl or any issues with the output # of mk-ca-bundle.pl). - name: Update certs run: | cd orbit/pkg/packaging && ./mk-ca-bundle.pl -u certs.pem curl https://curl.se/ca/cacert.pem --output cacert.pem diff --ignore-matching-lines "Certificate data from Mozilla as of*" certs.pem cacert.pem rm cacert.pem - name: PR changes uses: peter-evans/create-pull-request@f22a7da129c901513876a2380e2dae9f8e145330 # v3.12.1 with: base: main branch: update-ca-certs delete-branch: true title: Update Orbit CA certs [automated] commit-message: | Update Orbit CA certs [automated] Generated automatically with curl mk-ca-bundle.pl script. body: Automated change from [GitHub action](https://github.com/fleetdm/fleet/actions/workflows/update-certs.yml).