Refreshcerts #32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Refreshcerts | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: '39 7 15 * *' # At 0739 on the 15th day of every month | |
permissions: # added using https://github.com/step-security/secure-workflows | |
contents: read | |
jobs: | |
refresh-ACME-cert: | |
runs-on: ubuntu-latest | |
name: SSL Renewal for vip.ve.atsign.zone | |
steps: | |
- name: Set up Python | |
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 | |
with: | |
python-version: 3.9 #install the python needed | |
- name: setup certinfo | |
uses: atsign-company/certinfo-action@e33db584f27bbbc0260af9916aeaefbec0db8ef4 # v1.0.1 | |
# checkout at_server code | |
- name: checkout repo content | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
# Pull ACME script | |
- name: Pull ACME script | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
repository: atsign-company/secondaries-scripts | |
path: secondaries-scripts | |
token: ${{ secrets.MY_GITHUB_TOKEN }} | |
ref: trunk | |
# Create required directory, and copy keys files from secrets | |
- name: Create required directory and pull secrets | |
run: |- | |
sudo mkdir -p /gluster/@/api/keys | |
sudo chmod -R 777 /gluster/@/api/keys | |
echo "${{secrets.LETSENCRYPT_PRIVKEY}}" > /gluster/@/api/keys/letsencrypt.key | |
echo "${{secrets.ZEROSSL_PRIVKEY}}" > /gluster/@/api/keys/zerossl.key | |
echo "${{secrets.GOOGLE_PRIVKEY}}" > /gluster/@/api/keys/google.key | |
# Install Python Libraries | |
- name: Install Python Libraries | |
run: |- | |
python3 -m pip install --require-hashes -r tools/requirements.txt | |
# Run Python ACME script | |
- name: Run ACME script | |
run: |- | |
chmod -R 777 secondaries-scripts | |
cd secondaries-scripts/sec_ops && ./create_cert_workflow.sh vip.ve.atsign.zone | |
cp cert.pem ../../tools/build_virtual_environment/ve_base/contents/atsign/root/certs/cert.pem | |
cp privkey.pem ../../tools/build_virtual_environment/ve_base/contents/atsign/root/certs/privkey.pem | |
cp fullchain.pem ../../tools/build_virtual_environment/ve_base/contents/atsign/root/certs/fullchain.pem | |
cp ../../tools/build_virtual_environment/ve_base/contents/atsign/root/certs/*.pem \ | |
../../tools/build_virtual_environment/ve_base/contents/atsign/secondary/base/certs/ | |
cd ../.. && rm -rf vip.ve.atsign.zone* secondaries-scripts | |
env: | |
DO_KEY: ${{ secrets.DO_KEY }} | |
gChat_url: ${{ secrets.GOOGLE_CHAT_WEBHOOK }} | |
# create PR with renewed certificate | |
- name: Create Pull Request | |
id: cpr | |
uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 | |
with: | |
token: ${{ secrets.MY_GITHUB_TOKEN }} | |
commit-message: 'chore: New certificates for at_server' | |
committer: library-action[bot] <41898282+github-actions[bot]@users.noreply.github.com> | |
author: library-action[bot] <41898282+github-actions[bot]@users.noreply.github.com> | |
signoff: false | |
add-paths: ./tools/build_virtual_environment | |
branch: bot-new-certs | |
delete-branch: true | |
title: 'chore: New certificates generated' | |
body: | | |
Fresh certificates generated. | |
labels: | | |
operations | |
assignees: cpswan | |
reviewers: gkc | |
draft: false |