Merge pull request #235 from asgrim/create-issue-when-trusted-root-outdated

asgrim · web-flow · commit 5b24d98eca13 · 2025-05-06T21:56:40.000+01:00
Create a GH issue when trusted root certs are outdated
diff --git a/.github/workflows/check-outdated-trusted-root.yml b/.github/workflows/check-outdated-trusted-root.yml
@@ -0,0 +1,24 @@
+name: "Check for outdated trusted root certificates"
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Pull new trusted root
+        run: gh attestation trusted-root > resources/new-trusted-root.jsonl
+      - name: Create an issue if different
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          diff resources/trusted-root.jsonl resources/new-trusted-root.jsonl \
+            && echo "Trusted root cert has not changed, no action required." \
+            || ( \
+              (gh issue list | grep -i "Trusted root needs updating") \
+              && echo "Issue to update trusted root already exists, no action required." \
+              || gh issue create --title "Trusted root needs updating" --body "The trusted root certificate file needs updating. Use the \`gh attestation trusted-root > resources/trusted-root.jsonl\` command to update it." --assignee "asgrim" \
+            )
