Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tools: add root certificate update script #47425

Merged
merged 1 commit into from
Apr 7, 2023
Merged

Conversation

richardlau
Copy link
Member

Automates the steps from doc/contributing/maintaining-root-certs.md.
Extend "Tools and deps update" workflow to use the new script to update
the root certificates.


I attempted to test the workflow changes over in https://github.com/nodejs/node-auto-test but it looks like the tokens/permissions are not set up for that repository: https://github.com/nodejs/node-auto-test/actions/runs/4621889241

Running the new update script locally updates to NSS 3.89:

$ nvm run 18 tools/dep_updaters/update-root-certs.mjs -v
Running node v18.14.0 (npm v9.3.1)
Fetching NSS release schedule
Found NSS version:
{
  version: '3.89',
  date: 2023-03-09T00:00:00.000Z,
  firefoxVersion: '112',
  firefoxDate: 2023-04-11T00:00:00.000Z
}
Fetching https://hg.mozilla.org/projects/nss/raw-file/NSS_3_89_RTM/lib/ckfw/builtins/certdata.txt
Writing /home/rlau/sandbox/github/node/tools/certdata.txt
Running tools/mk-ca-bundle.pl
Parsing: GlobalSign Root CA
Parsing: Entrust.net Premium 2048 Secure Server CA
Parsing: Baltimore CyberTrust Root
Parsing: Entrust Root Certification Authority
Parsing: Comodo AAA Services root
Parsing: QuoVadis Root CA 2
Parsing: QuoVadis Root CA 3
Parsing: Security Communication Root CA
Parsing: XRamp Global CA Root
Parsing: Go Daddy Class 2 CA
Parsing: Starfield Class 2 CA
Parsing: DigiCert Assured ID Root CA
Parsing: DigiCert Global Root CA
Parsing: DigiCert High Assurance EV Root CA
Parsing: SwissSign Gold CA - G2
Parsing: SwissSign Silver CA - G2
Parsing: SecureTrust CA
Parsing: Secure Global CA
Parsing: COMODO Certification Authority
Parsing: COMODO ECC Certification Authority
Parsing: Certigna
Parsing: ePKI Root Certification Authority
Parsing: certSIGN ROOT CA
Parsing: NetLock Arany (Class Gold) Főtanúsítvány
Parsing: Hongkong Post Root CA 1
Parsing: SecureSign RootCA11
Parsing: Microsec e-Szigno Root CA 2009
Parsing: GlobalSign Root CA - R3
Parsing: Autoridad de Certificacion Firmaprofesional CIF A62634068
Parsing: Izenpe.com
Parsing: Go Daddy Root Certificate Authority - G2
Parsing: Starfield Root Certificate Authority - G2
Parsing: Starfield Services Root Certificate Authority - G2
Parsing: AffirmTrust Commercial
Parsing: AffirmTrust Networking
Parsing: AffirmTrust Premium
Parsing: AffirmTrust Premium ECC
Parsing: Certum Trusted Network CA
Parsing: TWCA Root Certification Authority
Parsing: Security Communication RootCA2
Parsing: Actalis Authentication Root CA
Parsing: Buypass Class 2 Root CA
Parsing: Buypass Class 3 Root CA
Parsing: T-TeleSec GlobalRoot Class 3
Parsing: D-TRUST Root Class 3 CA 2 2009
Parsing: D-TRUST Root Class 3 CA 2 EV 2009
Parsing: CA Disig Root R2
Parsing: ACCVRAIZ1
Parsing: TWCA Global Root CA
Parsing: TeliaSonera Root CA v1
Parsing: E-Tugra Certification Authority
Parsing: T-TeleSec GlobalRoot Class 2
Parsing: Atos TrustedRoot 2011
Parsing: QuoVadis Root CA 1 G3
Parsing: QuoVadis Root CA 2 G3
Parsing: QuoVadis Root CA 3 G3
Parsing: DigiCert Assured ID Root G2
Parsing: DigiCert Assured ID Root G3
Parsing: DigiCert Global Root G2
Parsing: DigiCert Global Root G3
Parsing: DigiCert Trusted Root G4
Parsing: COMODO RSA Certification Authority
Parsing: USERTrust RSA Certification Authority
Parsing: USERTrust ECC Certification Authority
Parsing: GlobalSign ECC Root CA - R5
Parsing: IdenTrust Commercial Root CA 1
Parsing: IdenTrust Public Sector Root CA 1
Parsing: Entrust Root Certification Authority - G2
Parsing: Entrust Root Certification Authority - EC1
Parsing: CFCA EV ROOT
Parsing: OISTE WISeKey Global Root GB CA
Parsing: SZAFIR ROOT CA2
Parsing: Certum Trusted Network CA 2
Parsing: Hellenic Academic and Research Institutions RootCA 2015
Parsing: Hellenic Academic and Research Institutions ECC RootCA 2015
Parsing: ISRG Root X1
Parsing: AC RAIZ FNMT-RCM
Parsing: Amazon Root CA 1
Parsing: Amazon Root CA 2
Parsing: Amazon Root CA 3
Parsing: Amazon Root CA 4
Parsing: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
Parsing: GDCA TrustAUTH R5 ROOT
Parsing: SSL.com Root Certification Authority RSA
Parsing: SSL.com Root Certification Authority ECC
Parsing: SSL.com EV Root Certification Authority RSA R2
Parsing: SSL.com EV Root Certification Authority ECC
Parsing: GlobalSign Root CA - R6
Parsing: OISTE WISeKey Global Root GC CA
Parsing: UCA Global G2 Root
Parsing: UCA Extended Validation Root
Parsing: Certigna Root CA
Parsing: emSign Root CA - G1
Parsing: emSign ECC Root CA - G3
Parsing: emSign Root CA - C1
Parsing: emSign ECC Root CA - C3
Parsing: Hongkong Post Root CA 3
Parsing: Entrust Root Certification Authority - G4
Parsing: Microsoft ECC Root Certificate Authority 2017
Parsing: Microsoft RSA Root Certificate Authority 2017
Parsing: e-Szigno Root CA 2017
Parsing: certSIGN Root CA G2
Parsing: Trustwave Global Certification Authority
Parsing: Trustwave Global ECC P256 Certification Authority
Parsing: Trustwave Global ECC P384 Certification Authority
Parsing: NAVER Global Root Certification Authority
Parsing: AC RAIZ FNMT-RCM SERVIDORES SEGUROS
Parsing: GlobalSign Root R46
Parsing: GlobalSign Root E46
Parsing: GLOBALTRUST 2020
Parsing: ANF Secure Server Root CA
Parsing: Certum EC-384 CA
Parsing: Certum Trusted Root CA
Parsing: TunTrust Root CA
Parsing: HARICA TLS RSA Root CA 2021
Parsing: HARICA TLS ECC Root CA 2021
Parsing: Autoridad de Certificacion Firmaprofesional CIF A62634068
Parsing: vTrus ECC Root CA
Parsing: vTrus Root CA
Parsing: ISRG Root X2
Parsing: HiPKI Root CA - G1
Parsing: GlobalSign ECC Root CA - R4
Parsing: GTS Root R1
Parsing: GTS Root R2
Parsing: GTS Root R3
Parsing: GTS Root R4
Parsing: Telia Root CA v2
Parsing: D-TRUST BR Root CA 1 2020
Parsing: D-TRUST EV Root CA 1 2020
Parsing: DigiCert TLS ECC P384 Root G5
Parsing: DigiCert TLS RSA4096 Root G5
Parsing: Certainly Root R1
Parsing: Certainly Root E1
Parsing: E-Tugra Global Root CA RSA v3
Parsing: E-Tugra Global Root CA ECC v3
Parsing: Security Communication RootCA3
Parsing: Security Communication ECC RootCA1
Done (137 CA certs processed, 23 skipped).

diff --git a/src/node_root_certs.h b/src/node_root_certs.h
index 025df5ca33..010a4d1616 100644
--- a/src/node_root_certs.h
+++ b/src/node_root_certs.h
@@ -474,29 +474,6 @@
 "+8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IBZQ==\n"
 "-----END CERTIFICATE-----",

-/* Network Solutions Certificate Authority */
-"-----BEGIN CERTIFICATE-----\n"
-"MIID5jCCAs6gAwIBAgIQV8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBiMQswCQYD\n"
-"VQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydO\n"
-"ZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDYxMjAxMDAwMDAw\n"
-"WhcNMjkxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1\n"
-"dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBB\n"
-"dXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xG\n"
-"zuAnlt7e+foS0zwzc7MEL7xxjOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQ\n"
-"NJIg6nPPOCwGJgl6cvf6UDL4wpPTaaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rl\n"
-"mGNpSAW+Lv8ztumXWWn4Zxmuk2GWRBXTcrA/vGp97Eh/jcOrqnErU2lBUzS1sLnFBgrEsEX1\n"
-"QV1uiUV7PTsmjHTC5dLRfbIR1PtYMiKagMnc/Qzpf14Dl847ABSHJ3A4qY5usyd2mFHgBeMh\n"
-"qxrVhSI8KbWaFsWAqPS7azCPL0YCorEMIuDTAgMBAAGjgZcwgZQwHQYDVR0OBBYEFCEwyfsA\n"
-"106Y2oeqKtCnLrFAMadMMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MFIGA1Ud\n"
-"HwRLMEkwR6BFoEOGQWh0dHA6Ly9jcmwubmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25z\n"
-"Q2VydGlmaWNhdGVBdXRob3JpdHkuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQC7rkvnt1frf6ot\n"
-"t3NHhWrB5KUd5Oc86fRZZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q4LqILPxFzBiwmZVR\n"
-"DuwduIj/h1AcgsLj4DKAv6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/GGUsyfJj4akH\n"
-"/nxxH2szJGoeBfcFaMBqEssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3HtvwKeI8lN3\n"
-"s2Berq4o2jUsbzRF0ybh3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHNpGxlaKFJdlxDydi8\n"
-"NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey\n"
-"-----END CERTIFICATE-----",
-
 /* COMODO ECC Certification Authority */
 "-----BEGIN CERTIFICATE-----\n"
 "MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTELMAkGA1UE\n"
@@ -980,36 +957,6 @@
 "SjnRBUkLp7Y3gaVdjKozXoEofKd9J+sAro03\n"
 "-----END CERTIFICATE-----",

-/* EC-ACC */
-"-----BEGIN CERTIFICATE-----\n"
-"MIIFVjCCBD6gAwIBAgIQ7is969Qh3hSoYqwE893EATANBgkqhkiG9w0BAQUFADCB8zELMAkG\n"
-"A1UEBhMCRVMxOzA5BgNVBAoTMkFnZW5jaWEgQ2F0YWxhbmEgZGUgQ2VydGlmaWNhY2lvIChO\n"
-"SUYgUS0wODAxMTc2LUkpMSgwJgYDVQQLEx9TZXJ2ZWlzIFB1YmxpY3MgZGUgQ2VydGlmaWNh\n"
-"Y2lvMTUwMwYDVQQLEyxWZWdldSBodHRwczovL3d3dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbCAo\n"
-"YykwMzE1MDMGA1UECxMsSmVyYXJxdWlhIEVudGl0YXRzIGRlIENlcnRpZmljYWNpbyBDYXRh\n"
-"bGFuZXMxDzANBgNVBAMTBkVDLUFDQzAeFw0wMzAxMDcyMzAwMDBaFw0zMTAxMDcyMjU5NTla\n"
-"MIHzMQswCQYDVQQGEwJFUzE7MDkGA1UEChMyQWdlbmNpYSBDYXRhbGFuYSBkZSBDZXJ0aWZp\n"
-"Y2FjaW8gKE5JRiBRLTA4MDExNzYtSSkxKDAmBgNVBAsTH1NlcnZlaXMgUHVibGljcyBkZSBD\n"
-"ZXJ0aWZpY2FjaW8xNTAzBgNVBAsTLFZlZ2V1IGh0dHBzOi8vd3d3LmNhdGNlcnQubmV0L3Zl\n"
-"cmFycmVsIChjKTAzMTUwMwYDVQQLEyxKZXJhcnF1aWEgRW50aXRhdHMgZGUgQ2VydGlmaWNh\n"
-"Y2lvIENhdGFsYW5lczEPMA0GA1UEAxMGRUMtQUNDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\n"
-"MIIBCgKCAQEAsyLHT+KXQpWIR4NA9h0X84NzJB5R85iKw5K4/0CQBXCHYMkAqbWUZRkiFRfC\n"
-"Q2xmRJoNBD45b6VLeqpjt4pEndljkYRm4CgPukLjbo73FCeTae6RDqNfDrHrZqJyTxIThmV6\n"
-"PttPB/SnCWDaOkKZx7J/sxaVHMf5NLWUhdWZXqBIoH7nF2W4onW4HvPlQn2v7fOKSGRdghST\n"
-"2MDk/7NQcvJ29rNdQlB50JQ+awwAvthrDk4q7D7SzIKiGGUzE3eeml0aE9jD2z3Il3rucO2n\n"
-"5nzbcc8tlGLfbdb1OL4/pYUKGbio2Al1QnDE6u/LDsg0qBIimAy4E5S2S+zw0JDnJwIDAQAB\n"
-"o4HjMIHgMB0GA1UdEQQWMBSBEmVjX2FjY0BjYXRjZXJ0Lm5ldDAPBgNVHRMBAf8EBTADAQH/\n"
-"MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUoMOLRKo3pUW/l4Ba0fF4opvpXY0wfwYDVR0g\n"
-"BHgwdjB0BgsrBgEEAfV4AQMBCjBlMCwGCCsGAQUFBwIBFiBodHRwczovL3d3dy5jYXRjZXJ0\n"
-"Lm5ldC92ZXJhcnJlbDA1BggrBgEFBQcCAjApGidWZWdldSBodHRwczovL3d3dy5jYXRjZXJ0\n"
-"Lm5ldC92ZXJhcnJlbCAwDQYJKoZIhvcNAQEFBQADggEBAKBIW4IB9k1IuDlVNZyAelOZ1Vr/\n"
-"sXE7zDkJlF7W2u++AVtd0x7Y/X1PzaBB4DSTv8vihpw3kpBWHNzrKQXlxJ7HNd+KDM3FIUPp\n"
-"qojlNcAZQmNaAl6kSBg6hW/cnbw/nZzBh7h6YQjpdwt/cKt63dmXLGQehb+8dJahw3oS7Awa\n"
-"boMMPOhyRp/7SNVel+axofjk70YllJyJ22k4vuxcDlbHZVHlUIiIv0LVKz3l+bqeLrPK9HOS\n"
-"Agu+TGbrIP65y7WZf+a2E/rKS03Z7lNGBjvGTq2TWoF+bCpLagVFjPIhpDGQh2xlnJ2lYJU6\n"
-"Un/10asIbvPuW/mIPX64b24D5EI=\n"
-"-----END CERTIFICATE-----",
-
 /* Actalis Authentication Root CA */
 "-----BEGIN CERTIFICATE-----\n"
 "MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCSVQx\n"
@@ -1670,36 +1617,6 @@
 "+SvzZpA3\n"
 "-----END CERTIFICATE-----",

-/* Staat der Nederlanden EV Root CA */
-"-----BEGIN CERTIFICATE-----\n"
-"MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJOTDEeMBwG\n"
-"A1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFhdCBkZXIgTmVkZXJs\n"
-"YW5kZW4gRVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0yMjEyMDgxMTEwMjhaMFgxCzAJ\n"
-"BgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0\n"
-"YWF0IGRlciBOZWRlcmxhbmRlbiBFViBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n"
-"MIICCgKCAgEA48d+ifkkSzrSM4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79\n"
-"VWZxXSzFYGgEt9nCUiY4iKTWO0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs\n"
-"3NZmdO3dZ//BYY1jTw+bbRcwJu+r0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46p\n"
-"rfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13lpJhQDBXd\n"
-"4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gVXJrm0w912fxBmJc+qiXbj5IusHsMX/FjqTf5\n"
-"m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr08C+eKxCKFhmpUZtcALXEPlLVPxdhkqH\n"
-"z3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS/ZbV0b5GnUngC6agIk440ME8MLxwjyx1\n"
-"zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0XcgOPvZuM5l5Tnrmd74K74bzickFbIZTTRTeU0d8J\n"
-"OV3nI6qaHcptqAqGhYqCvkIH1vI4gnPah1vlPNOePqc7nvQDs/nxfRN0Av+7oeX6AHkcpmZB\n"
-"iFxgV6YuCcS6/ZrPpx9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNCMEAwDwYDVR0TAQH/\n"
-"BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwaivsnuL8wbqg7\n"
-"MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsIeK9p0gtJ\n"
-"3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u2dfOWBfoqSmuc0iH\n"
-"55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHSv4ilf0X8rLiltTMMgsT7B/Zq\n"
-"5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTCwPTxGfARKbalGAKb12NMcIxHowNDXLld\n"
-"RqANb/9Zjr7dn3LDWyvfjFvO5QxGbJKyCqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW\n"
-"2HNnh/tNf1zuacpzEPuKqf2evTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy\n"
-"+TSrK0m1zSBi5Dp6Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCj\n"
-"uTaPPoIaGl6I6lD4WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeL\n"
-"eG9QgkRQP2YGiqtDhFZKDyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8FVdMpEbB\n"
-"4IMeDExNH08GGeL5qPQ6gqGyeUN51q1veieQA6TqJIc/2b3Z6fJfUEkc7uzXLg==\n"
-"-----END CERTIFICATE-----",
-
 /* IdenTrust Commercial Root CA 1 */
 "-----BEGIN CERTIFICATE-----\n"
 "MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBKMQswCQYD\n"

NEW_VERSION=3.89
COMMIT_MSG<<235daeed-339c-4351-b68f-69a3e44ea577
crypto: update root certificates to NSS 3.89

This is the certdata.txt[0] from NSS 3.89, released on 2023-03-09.

This is the version of NSS that will ship in Firefox 112 on
2023-04-11.

Certificates removed:
- Network Solutions Certificate Authority
- EC-ACC
- Staat der Nederlanden EV Root CA

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_89_RTM/lib/ckfw/builtins/certdata.txt
235daeed-339c-4351-b68f-69a3e44ea577

$

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/actions
  • @nodejs/tsc

@nodejs-github-bot nodejs-github-bot added meta Issues and PRs related to the general management of the project. tools Issues and PRs related to the tools directory. labels Apr 5, 2023
@richardlau
Copy link
Member Author

One difference from the previous manual steps in doc/contributing/maintaining-root-certs.md is that the automation collapses the two commits into a single commit to fit in with the existing tools workflow.

Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM once issues flagged by linter are resolved.

Automates the steps from `doc/contributing/maintaining-root-certs.md`.
Extend "Tools and deps update" workflow to use the new script to update
the root certificates.
@richardlau
Copy link
Member Author

LGTM once issues flagged by linter are resolved.

Fixed now.

@richardlau
Copy link
Member Author

Manually dispatched the workflow using this branch: https://github.com/nodejs/node/actions/runs/4622343859

Copy link
Member

@marco-ippolito marco-ippolito left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@richardlau
Copy link
Member Author

Manually dispatched the workflow using this branch: https://github.com/nodejs/node/actions/runs/4622343859

This opened #47429. The second commit in that looks correct. The first commit looks odd, but is probably a side-effect of running the workflow from this branch which hasn't been merged.

@richardlau
Copy link
Member Author

Manually dispatched the workflow using this branch: https://github.com/nodejs/node/actions/runs/4622343859

This opened #47429. The second commit in that looks correct. The first commit looks odd, but is probably a side-effect of running the workflow from this branch which hasn't been merged.

Ah, it's probably because this branch doesn't have #47339. Anyway that shouldn't be an issue when this is merged and the workflow run from main.

@richardlau richardlau added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Apr 5, 2023
@@ -167,13 +167,22 @@ jobs:
cat temp-output
tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
rm temp-output
- id: root-certificates
subsystem: crypto
label: crypto, notable-change
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we usually do these as semver-minor? I'm not sure.

Suggested change
label: crypto, notable-change
label: crypto, notable-change, semver-minor

I'm also not sure if it's notable.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#45490, #40280 and #35546 were not labelled semver-minor PRs that contain new features and should be released in the next minor version. but were labelled notable-change PRs with changes that should be highlighted in changelogs. . I kind of feel that listing the removed and/or added certificates should be in the release notes (hence notable-change PRs with changes that should be highlighted in changelogs. ).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we usually do these as semver-minor? I'm not sure.

@nodejs/releasers @nodejs/crypto Thoughts? We haven't been labelling root certificates updates as semver-minor, but maybe we should be?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would say no, but I understand if people think differently. To me this is more a bug fix (a certificate that would error before is then accepted). It doesn't add anything to the public API.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To clarify my stance on notable-change PRs with changes that should be highlighted in changelogs. -- I'm thinking that when certificates are removed (often for security reasons) that at least noting that will help anyone running into issues because of it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm in the semver-minor camp but with only one toe and it's not even my big toe. Call it +.1

@richardlau richardlau removed the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Apr 6, 2023
Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, and good idea.

@@ -167,13 +167,22 @@ jobs:
cat temp-output
tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
rm temp-output
- id: root-certificates
subsystem: crypto
label: crypto, notable-change
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm in the semver-minor camp but with only one toe and it's not even my big toe. Call it +.1

@richardlau richardlau added the commit-queue Add this label to land a pull request using GitHub Actions. label Apr 6, 2023
@richardlau
Copy link
Member Author

richardlau commented Apr 6, 2023

I may not be around much over the Easter weekend (Friday and Monday are public holidays here). I've added the commit-queue Add this label to land a pull request using GitHub Actions. label so this can land after the wait period (and no objections). Not labelling the updates semver-minor PRs that contain new features and should be released in the next minor version. (the current state of this PR) is what we've been doing, which I am persuadable to change. If we do decide to make these updates semver-minor PRs that contain new features and should be released in the next minor version. by default, that's easily done in a follow up PR.

Copy link
Member

@lpinca lpinca left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RSLGTM

@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Apr 7, 2023
@nodejs-github-bot nodejs-github-bot merged commit a75871a into main Apr 7, 2023
@nodejs-github-bot nodejs-github-bot deleted the update-root-certs branch April 7, 2023 19:10
@nodejs-github-bot
Copy link
Collaborator

Landed in a75871a

RafaelGSS pushed a commit that referenced this pull request Apr 13, 2023
Automates the steps from `doc/contributing/maintaining-root-certs.md`.
Extend "Tools and deps update" workflow to use the new script to update
the root certificates.

PR-URL: #47425
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
danielleadams pushed a commit that referenced this pull request Jul 6, 2023
Automates the steps from `doc/contributing/maintaining-root-certs.md`.
Extend "Tools and deps update" workflow to use the new script to update
the root certificates.

PR-URL: #47425
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
MoLow pushed a commit to MoLow/node that referenced this pull request Jul 6, 2023
Automates the steps from `doc/contributing/maintaining-root-certs.md`.
Extend "Tools and deps update" workflow to use the new script to update
the root certificates.

PR-URL: nodejs#47425
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
meta Issues and PRs related to the general management of the project. tools Issues and PRs related to the tools directory.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants