mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 13:37:30 +00:00
18256bdf0e
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Upgraded security protections across build and deployment workflows
for enhanced runner environment hardening.
* Strengthened CI/CD infrastructure security measures throughout
automated processes.
* No direct user-facing changes.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
180 lines
6.9 KiB
YAML
180 lines
6.9 KiB
YAML
# Checks signatures that are about to expire on https://updates.fleetdm.com.
|
|
name: "TUF expiration check: updates.fleetdm.com"
|
|
|
|
on:
|
|
pull_request:
|
|
paths:
|
|
- ".github/workflows/check-updates-timestamps.yml"
|
|
workflow_dispatch: # Manual
|
|
schedule:
|
|
- cron: "0 10,22 * * *" # every day at 10 AM and 10 PM
|
|
|
|
# This allows a subsequently queued workflow run to interrupt previous runs
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
|
|
cancel-in-progress: true
|
|
|
|
defaults:
|
|
run:
|
|
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
|
|
shell: bash
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
check-signatures:
|
|
strategy:
|
|
matrix:
|
|
os: [ubuntu-latest]
|
|
runs-on: ${{ matrix.os }}
|
|
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Check remote timestamp.json file
|
|
id: check_timestamp
|
|
run: |
|
|
expires=$(curl -s https://updates.fleetdm.com/timestamp.json | jq -r '.signed.expires' | cut -c 1-10)
|
|
today=$(date "+%Y-%m-%d")
|
|
warning_at=$(date -d "$today + 4 day" "+%Y-%m-%d")
|
|
expires_sec=$(date -d "$expires" "+%s")
|
|
warning_at_sec=$(date -d "$warning_at" "+%s")
|
|
|
|
if [ "$expires_sec" -le "$warning_at_sec" ]; then
|
|
echo "timestamp_warn=true" >> ${GITHUB_OUTPUT}
|
|
else
|
|
echo "timestamp_warn=false" >> ${GITHUB_OUTPUT}
|
|
fi
|
|
|
|
- name: Check remote snapshot.json file
|
|
id: check_snapshot
|
|
run: |
|
|
expires=$(curl -s https://updates.fleetdm.com/snapshot.json | jq -r '.signed.expires' | cut -c 1-10)
|
|
today=$(date "+%Y-%m-%d")
|
|
warning_at=$(date -d "$today + 30 day" "+%Y-%m-%d")
|
|
expires_sec=$(date -d "$expires" "+%s")
|
|
warning_at_sec=$(date -d "$warning_at" "+%s")
|
|
|
|
if [ "$expires_sec" -le "$warning_at_sec" ]; then
|
|
echo "snapshot_warn=true" >> ${GITHUB_OUTPUT}
|
|
else
|
|
echo "snapshot_warn=false" >> ${GITHUB_OUTPUT}
|
|
fi
|
|
|
|
- name: Check remote targets.json file
|
|
id: check_targets
|
|
run: |
|
|
expires=$(curl -s https://updates.fleetdm.com/targets.json | jq -r '.signed.expires' | cut -c 1-10)
|
|
today=$(date "+%Y-%m-%d")
|
|
warning_at=$(date -d "$today + 30 day" "+%Y-%m-%d")
|
|
expires_sec=$(date -d "$expires" "+%s")
|
|
warning_at_sec=$(date -d "$warning_at" "+%s")
|
|
|
|
if [ "$expires_sec" -le "$warning_at_sec" ]; then
|
|
echo "targets_warn=true" >> ${GITHUB_OUTPUT}
|
|
else
|
|
echo "targets_warn=false" >> ${GITHUB_OUTPUT}
|
|
fi
|
|
|
|
- name: Check remote root.json file
|
|
id: check_root
|
|
run: |
|
|
expires=$(curl -s https://updates.fleetdm.com/root.json | jq -r '.signed.expires' | cut -c 1-10)
|
|
today=$(date "+%Y-%m-%d")
|
|
warning_at=$(date -d "$today + 30 day" "+%Y-%m-%d")
|
|
expires_sec=$(date -d "$expires" "+%s")
|
|
warning_at_sec=$(date -d "$warning_at" "+%s")
|
|
|
|
if [ "$expires_sec" -le "$warning_at_sec" ]; then
|
|
echo "root_warn=true" >> ${GITHUB_OUTPUT}
|
|
else
|
|
echo "root_warn=false" >> ${GITHUB_OUTPUT}
|
|
fi
|
|
|
|
- name: Slack timestamp notification
|
|
if: ${{ steps.check_timestamp.outputs.timestamp_warn == 'true' }}
|
|
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
|
|
with:
|
|
payload: |
|
|
{
|
|
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
|
|
"blocks": [
|
|
{
|
|
"type": "section",
|
|
"text": {
|
|
"type": "mrkdwn",
|
|
"text": "⚠️ https://updates.fleetdm.com/timestamp.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
env:
|
|
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
|
|
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
|
|
|
|
- name: Slack snapshot notification
|
|
if: ${{ steps.check_snapshot.outputs.snapshot_warn == 'true' }}
|
|
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
|
|
with:
|
|
payload: |
|
|
{
|
|
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
|
|
"blocks": [
|
|
{
|
|
"type": "section",
|
|
"text": {
|
|
"type": "mrkdwn",
|
|
"text": "⚠️ https://updates.fleetdm.com/snapshot.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
env:
|
|
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
|
|
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
|
|
|
|
- name: Slack targets notification
|
|
if: ${{ steps.check_targets.outputs.targets_warn == 'true' }}
|
|
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
|
|
with:
|
|
payload: |
|
|
{
|
|
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
|
|
"blocks": [
|
|
{
|
|
"type": "section",
|
|
"text": {
|
|
"type": "mrkdwn",
|
|
"text": "⚠️ https://updates.fleetdm.com/targets.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
env:
|
|
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
|
|
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
|
|
|
|
- name: Slack root notification
|
|
if: ${{ steps.check_root.outputs.root_warn == 'true' }}
|
|
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
|
|
with:
|
|
payload: |
|
|
{
|
|
"text": "${{ job.status }},
|
|
"blocks": [
|
|
{
|
|
"type": "section",
|
|
"text": {
|
|
"type": "mrkdwn",
|
|
"text": "⚠️ https://updates.fleetdm.com/root.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
env:
|
|
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
|
|
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
|