Added job to check if secrets have expired (#327)
ToreMerkely authored Sep 25, 2024
1 parent 2a707e4 commit c1daa2d
Showing 2 changed files with 110 additions and 0 deletions.
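--- a/.github/workflows/secret-expire-check.yml
+++ b/.github/workflows/secret-expire-check.yml
@@ -0,0 +1,38 @@
+name: Daily Check to see if any secrets will expire soon
+
+on:
+workflow_dispatch:
+schedule: # At 04:00 every morning
+- cron: '0 04 * * *'
+
+
+jobs:
+secret-expire-check:
+runs-on: ubuntu-latest
+permissions:
+id-token: write
+contents: write
+
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+
+- name: Run check if any secrets will expire within next month
+id: secrete-expire-check-month
+run: |
+./bin/check_secret_expire.sh $(date -d "+1 month" +"%Y-%m-%d")
+- name: Slack Notification on Failure
+if: ${{ failure() }}
+uses: rtCamp/action-slack-notify@v2
+env:
+SLACK_CHANNEL: ${{ secrets.MERKELY_SLACK_CI_FAILURES_CHANNEL }}
+SLACK_WEBHOOK: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }}
+SLACK_USERNAME: GithubActions
+SLACK_COLOR: ${{ job.status }}
+SLACKIFY_MARKDOWN: true
+SLACK_TITLE: Secret has expired
+SLACK_MESSAGE: "Some secrets in `cli` is about to or has expired. Please check the \
+[log](${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}) \
+for more details."
+SLACK_FOOTER: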
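Review bot: The job's token is over-privileged: `permissions:` grants `id-token: write` and `contents: write`, but the only visible steps are a checkout and a read-only script run, and no step requests an OIDC token, so `contents: read` with no `id-token` entry is all it needs — a leaked or hijacked GITHUB_TOKEN in this job would otherwise be able to push to the repo. Change lines 28–30 to `permissions:` / `contents: read`. Separately, `rtCamp/action-slack-notify@v2` is referenced by a mutable tag while the step holds the `MERKELY_SLACK_CI_FAILURES_WEBHOOK` secret; pinning it to a full commit SHA (with the tag as a trailing comment) prevents a moved tag from exfiltrating that webhook. Minor: the step id `secrete-expire-check-month` is misspelled, and `SLACK_TITLE: Secret has expired` overstates the check, which only detects secrets expiring within the next month — `SLACK_TITLE: Secret has expired or expires within 30 days` would match the body text. The page rendering appears to have dropped the YAML indentation, so the nesting shown here is inferred.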
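--- a/bin/check_secret_expire.sh
+++ b/bin/check_secret_expire.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeu
+
+SCRIPT_NAME=check_secret_expire.sh
+ROOT_DIR=$(dirname $(readlink -f $0))/..
+NOW_DATE=$(date +%Y-%m-%d)
+
+print_help()
+{
+cat <<EOF
+Usage: $SCRIPT_NAME <options> [yyyy-mm-dd]
+Will search all txt-files in secrets directory to see if any of them
+has a secret that has expired. You can specify a date if you want to
+know if something expires in the future
+Options are:
+-h Print this help menu
+EOF
+}
+
+check_arguments()
+{
+while getopts "h" opt; do
+case $opt in
+h)
+print_help
+exit 1
+;;
+\?)
+echo "Invalid option: -$OPTARG" >&2
+exit 1
+;;
+esac
+done
+
+# Remove options from command line
+shift $((OPTIND-1))
+
+if [ $# -eq 1 ]; then
+NOW_DATE=$1; shift
+fi
+}
+
+echo_if_secret_expired()
+{
+local file=$1; shift
+local now_date=$1; shift
+local expire_date now_sec expire_sec
+expire_date=$(grep "secret-expire:" ${file} | sed "s/secret-expire: *//")
+
+if [[ ! "${now_date}" < "${expire_date}" ]]; then
+grep "secret-name:" ${file} | sed "s/secret-name: */ /" | tr '\n' ' '
+grep "secret-expire:" ${file}
+return 1
+fi
+return 0
+}
+
+main()
+{
+check_arguments "$@"
+local file
+local result=0
+echo "The following is a list of secrets in 'secrets/*txt' which will have expired on ${NOW_DATE}"
+for file in ${ROOT_DIR}/secrets/*txt; do
+echo_if_secret_expired ${file} ${NOW_DATE} || result=1
+done
+return $result
+}
+
+main "$@"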
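Review bot: `echo_if_secret_expired` decides expiry with a lexicographic string compare (`[[ ! "${now_date}" < "${expire_date}" ]]`), which is only correct while both sides are zero-padded `yyyy-mm-dd`; a `secret-expire:` value written as `2025-1-5`, `05/01/2025` or a file with two `secret-expire:` lines (which yields a multi-line `expire_date`) is compared silently and can report a secret as valid when it has lapsed. Because the call site in `main` uses `|| result=1`, `set -e` is not in effect inside the function either, so a file with no `secret-expire:` line falls through with an empty `expire_date` and is listed as expired with a blank expiry line rather than as malformed. Validate the parsed value right after the grep, e.g. `[[ "${expire_date}" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]] || { echo "${file}: missing or malformed secret-expire (expected yyyy-mm-dd)" >&2; return 1; }`, and apply the same regex to the optional date argument in `check_arguments` so a typo on the command line cannot turn the check into a no-op. The `now_sec expire_sec` locals are declared but never used and can be dropped; `${file}` and `$0` should also be quoted per the file's own `"$@"` convention.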
