GH Actions: add new workflow to auto-update certificate bundle #669
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jrfnl
force-pushed
the
feature/ghactions-new-auto-update-certificate-workflow
branch
2 times, most recently
from
d38ce03
to
dc64a60
Compare
|
Did some debugging and smoothed out the kinks. PRs created due to the workflow being triggered via cronjob or due to a push to |
jrfnl
force-pushed
the
feature/ghactions-new-auto-update-certificate-workflow
branch
from
dc64a60
to
8400bb6
Compare
Add the checksum file for the certificate bundle to the package to allow both users of the package as well as maintainers of the package, to verify the validity of the included certificate bundle. This file should only ever be updated at the same time as the certificate bundle is being updated.
This adds a new workflow which will automatically check the cURL website for an update to the certificate bundle once a day and if an updated bundle is found, it will automatically create a pull request against the `develop` branch to update the bundle in the Requests package. The workflow will also update the certificate checksum file and verify the checksum of the downloaded certificate bundle. Notes: * A condition has been added to prevent the cron job from running on forks (to conserve resources). * The workflow uses the recommended commands for automated downloads as per the https://curl.se/docs/caextract.html page. These recommended commands do a conditional download only when a file is changed and use an `etag*.txt` file to check whether the upstream file has changed. These `etag*.txt` files don't really need to be stored in the actual repo, so they have been added to the `.gitignore` file. In the workflow, these `etag*.txt` files are stored to and restored from a workflow cache to allow for the conditional download. * While the workflow runs on a cron job and manual updating of the certificate file/checksum file should therefore never be needed, as an extra security measure, the workflow will also run whenever a PR is opened to update the certificate files or when a change to the certificate files is pushed to the `stable` or `develop` branch. Note: as PRs which are opened from within a workflow do not trigger new workflows to be run (= default behaviour for GitHub Actions), the PR potentially created by this workflow will not trigger a recursive run of this workflow. * If a PR triggers this workflow and a certificate update would be needed, a (new) PR against the original PR will be opened with the certificate update. * If the workflow is triggered via the cronjob or for a push against `stable`/`develop`, any PR which may be opened will be opened against `develop`. Fixes 635
jrfnl
force-pushed
the
feature/ghactions-new-auto-update-certificate-workflow
branch
from
8400bb6
to
1a0d0cd
Compare
schlessera
approved these changes
Feb 7, 2022
schlessera
deleted the
feature/ghactions-new-auto-update-certificate-workflow
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Certificate: add checksum file
Add the checksum file for the certificate bundle to the package to allow both users of the package as well as maintainers of the package, to verify the validity of the included certificate bundle.
This file should only ever be updated at the same time as the certificate bundle is being updated.
GH Actions: new workflow to automatically update certificate bundle
This adds a new workflow which will automatically check the cURL website for an update to the certificate bundle once a day and if an updated bundle is found, it will automatically create a pull request against the
developbranch to update the bundle in the Requests package.The workflow will also update the certificate checksum file and verify the checksum of the downloaded certificate bundle.
Notes:
These recommended commands do a conditional download only when a file is changed and use an
etag*.txtfile to check whether the upstream file has changed.These
etag*.txtfiles don't really need to be stored in the actual repo, so they have been added to the.gitignorefile.In the workflow, these
etag*.txtfiles are stored to and restored from a workflow cache to allow for the conditional download.stableordevelopbranch.Note: as PRs which are opened from within a workflow do not trigger new workflows to be run (= default behaviour for GitHub Actions), the PR potentially created by this workflow will not trigger a recursive run of this workflow.
stable/develop, any PR which may be opened will be opened againstdevelop.Fixes #635