Added job to check if secrets have expired (#327)
1 parent
2a707e4
commit c1daa2d
Showing
2 changed files
with
110 additions
and
0 deletions.
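--- /dev/null
+++ b/<workflow path not shown on page>.yml
@@ -0,0 +1,38 @@
+name: Daily Check to see if any secrets will expire soon
+
+on:
+  workflow_dispatch:
+  schedule: # At 04:00 every morning
+    - cron: '0 04 * * *'
+
+
+jobs:
+  secret-expire-check:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run check if any secrets will expire within next month
+        id: secrete-expire-check-month
+        run: |
+          ./bin/check_secret_expire.sh $(date -d "+1 month" +"%Y-%m-%d")
+      - name: Slack Notification on Failure
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_CHANNEL: ${{ secrets.MERKELY_SLACK_CI_FAILURES_CHANNEL }}
+          SLACK_WEBHOOK: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }}
+          SLACK_USERNAME: GithubActions
+          SLACK_COLOR: ${{ job.status }}
+          SLACKIFY_MARKDOWN: true
+          SLACK_TITLE: Secret has expired
+          SLACK_MESSAGE: "Some secrets in `cli` is about to or has expired. Please check the \
+            [log](${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}) \
+            for more details."
+          SLACK_FOOTER: |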
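Review bot: The job's permissions block grants `id-token: write` and `contents: write`, but nothing in this job needs either: the steps only check out the repo and run a script that greps files, and the Slack step authenticates with a webhook secret, not OIDC. Reduce it to `permissions:` / `  contents: read` and drop `id-token` so a compromised step or third-party action cannot mint an OIDC token or push to the repository. Relatedly, `rtCamp/action-slack-notify@v2` is a mutable tag on a third-party action that receives the webhook secret; pinning it (and `actions/checkout`) to a full commit SHA with the version in a trailing comment removes the supply-chain exposure of a moved tag. The step id `secrete-expire-check-month` also looks like a typo for `secret-expire-check-month`.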
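--- /dev/null
+++ b/bin/check_secret_expire.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeu
+
+SCRIPT_NAME=check_secret_expire.sh
+ROOT_DIR=$(dirname $(readlink -f $0))/..
+NOW_DATE=$(date +%Y-%m-%d)
+
+print_help()
+{
+    cat <<EOF
+Usage: $SCRIPT_NAME <options> [yyyy-mm-dd]
+Will search all txt-files in secrets directory to see if any of them
+has a secret that has expired. You can specify a date if you want to
+know if something expires in the future
+Options are:
+  -h           Print this help menu
+EOF
+}
+
+check_arguments()
+{
+    while getopts "h" opt; do
+        case $opt in
+            h)
+                print_help
+                exit 1
+                ;;
+            \?)
+                echo "Invalid option: -$OPTARG" >&2
+                exit 1
+                ;;
+        esac
+    done
+
+    # Remove options from command line
+    shift $((OPTIND-1))
+
+    if [ $# -eq 1 ]; then
+        NOW_DATE=$1; shift
+    fi
+}
+
+echo_if_secret_expired()
+{
+    local file=$1; shift
+    local now_date=$1; shift
+    local expire_date now_sec expire_sec
+    expire_date=$(grep "secret-expire:" ${file} | sed "s/secret-expire: *//")
+
+    if [[ ! "${now_date}" < "${expire_date}" ]]; then
+        grep "secret-name:" ${file} | sed "s/secret-name: */ /" | tr '\n' ' '
+        grep "secret-expire:" ${file}
+        return 1
+    fi
+    return 0
+}
+
+main()
+{
+    check_arguments "$@"
+    local file
+    local result=0
+    echo "The following is a list of secrets in 'secrets/*txt' which will have expired on ${NOW_DATE}"
+    for file in ${ROOT_DIR}/secrets/*txt; do
+        echo_if_secret_expired ${file} ${NOW_DATE} || result=1
+    done
+    return $result
+}
+
+main "$@"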
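Review bot: The date passed on the command line is stored in `NOW_DATE=$1` without any validation, yet `echo_if_secret_expired` decides expiry with the lexical comparison `[[ ! "${now_date}" < "${expire_date}" ]]`, which is only meaningful when both sides are zero-padded `yyyy-mm-dd`; any other format (or an empty string) silently yields a wrong answer rather than an error. Add a format check in `check_arguments` right after the assignment, e.g. `[[ "$NOW_DATE" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]] || { echo "Date must be yyyy-mm-dd: $NOW_DATE" >&2; exit 1; }`. Note also that `set -Eeu` is used without `pipefail`, so a file lacking a `secret-expire:` line leaves `expire_date` empty, which the comparison treats as expired and prints with a blank expiry line — this fails safe but the output gives no hint why; an explicit `[[ -n "$expire_date" ]] || { echo "no secret-expire in $file" >&2; return 1; }` would make it clear. The `${file}` expansions in the grep calls and the `for file in ${ROOT_DIR}/secrets/*txt` glob are unquoted, and `now_sec expire_sec` are declared but never used.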