mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 08:55:24 +00:00
e6c6b7e840
* Added explicit read permissions + tweaked permissions As a part of #4698 - this should fix the remaining warnings we get from the OSSF scorecard in relation to github workflows. They now all have explicit read permissions with more granular permissions granted in jobs. * Update tfsec.yml New workflow that I had not fixed in this PR.
38 lines
1.1 KiB
YAML
38 lines
1.1 KiB
YAML
name: Update certs
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: '0 6 * * *' # Nightly 6AM UTC
|
|
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
update-certs:
|
|
permissions:
|
|
contents: write # for peter-evans/create-pull-request to create branch
|
|
pull-requests: write # for peter-evans/create-pull-request to create a PR
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v.24.0
|
|
|
|
|
|
- name: Update certs
|
|
run: cd orbit/pkg/packaging && ./mk-ca-bundle.pl -u certs.pem
|
|
|
|
- name: PR changes
|
|
uses: peter-evans/create-pull-request@f22a7da129c901513876a2380e2dae9f8e145330 # v3.12.1
|
|
with:
|
|
base: main
|
|
branch: update-ca-certs
|
|
delete-branch: true
|
|
title: Update Orbit CA certs [automated]
|
|
commit-message: |
|
|
Update Orbit CA certs [automated]
|
|
|
|
Generated automatically with curl mk-ca-bundle.pl script.
|
|
body: Automated change from [GitHub action](https://github.com/fleetdm/fleet/actions/workflows/update-certs.yml).
|