Create a GH issue when trusted root certs are outdated #235

Merged: 3 commits, May 6, 2025

@asgrim (Collaborator) commented May 5, 2025

Fixes #212

@asgrim added this to the 0.11.0 milestone May 5, 2025
@asgrim self-assigned this May 5, 2025
@asgrim added the enhancement (New feature or request) label May 5, 2025
@asgrim enabled auto-merge May 5, 2025 22:20
@asgrim disabled auto-merge May 5, 2025 22:21
@asgrim merged commit 5b24d98 into php:main May 6, 2025
19 checks passed
@asgrim deleted the create-issue-when-trusted-root-outdated branch May 6, 2025 20:57

schedule:
- cron: "0 0 * * *"

jobs:
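
Review bot: the `cron: "0 0 * * *"` trigger fires at minute 0 of the hour, which is when scheduled GitHub Actions runs are most likely to be delayed or dropped under load. Moving the daily check to an off-peak minute, for example `17 3 * * *`, would make it more dependable.
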
@TimWolla (Member) commented May 6, 2025

Missing permissions section: I believe all repositories in the php/* organization are configured with read-only GHA permissions by default. Thus this is unable to create the issue. You'll need:

permissions:
  contents: read
  issues: write

see: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token

@asgrim (Collaborator, Author):

Thanks! Good catch, tested it on my own fork, but that doesn't have that restriction I think :) #237

@TimWolla (Member) commented May 6, 2025


Quite possible. Organization-owned repositories behave a little differently. You can sync up the permissions here by switching to the second setting:

[image]

That would likely be at https://github.com/asgrim/pie/settings/actions

diff resources/trusted-root.jsonl resources/new-trusted-root.jsonl \
&& echo "Trusted root cert has not changed, no action required." \
|| ( \
(gh issue list | grep -i "Trusted root needs updating") \
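
Review bot: in the `diff ... && echo ... || ( ... )` chain, the `||` branch runs on any non-zero status from `diff`, including exit status 2 when `resources/new-trusted-root.jsonl` is missing or unreadable, so a failed comparison is handled as if the trusted root had changed. Capture the exit status, treat only 1 as "changed", and fail the job on anything else.
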
@TimWolla (Member):

I think this might not work if too many open issues exist. This should not happen in practice, but perhaps you could make this a little smarter by leveraging the filter flags: https://cli.github.com/manual/gh_issue_list

Something: gh issue list --author "github-actions[bot]" might help. Or just create a dedicated label.
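
The label-based check suggested in the comment above, as an added example that is not part of this PR or the project's workflow. The label name `trusted-root-outdated` and the function names are assumptions; the issue title is the string the reviewed snippet greps for.

```shell
#!/bin/sh
# Added example, not the project's workflow. LABEL and the function names are
# assumptions; the issue title is the one the snippet under review greps for.
LABEL="trusted-root-outdated"   # hypothetical dedicated label; must exist in the repo

# Print "unchanged", "changed" or "error". diff exits 0 when the files match,
# 1 when they differ and 2 on trouble (for example a missing file), so only
# status 1 is treated as a real change.
trusted_root_status() {
  tr_rc=0
  diff "$1" "$2" >/dev/null 2>&1 || tr_rc=$?
  case "$tr_rc" in
    0) echo unchanged ;;
    1) echo changed ;;
    *) echo error ;;
  esac
}

# Return 0 if an open issue with the label exists, 1 if none, 2 if gh failed.
# Filtering by label and state on the server keeps the result independent of
# how many unrelated issues are open.
open_issue_exists() {
  oi_count=$(gh issue list --label "$LABEL" --state open --json number --jq 'length') || return 2
  [ "$oi_count" -gt 0 ]
}

# Print the action taken; non-zero exit when the comparison or lookup failed.
check_trusted_root() {
  case "$(trusted_root_status "$1" "$2")" in
    unchanged) echo "no-action" ;;
    error) echo "compare-failed"; return 1 ;;
    changed)
      ct_rc=0
      open_issue_exists || ct_rc=$?
      case "$ct_rc" in
        0) echo "issue-already-open" ;;
        1) gh issue create --label "$LABEL" --title "Trusted root needs updating" \
             --body "The fetched trusted root differs from the committed copy." \
             >/dev/null && echo "issue-created" ;;
        *) echo "lookup-failed"; return 1 ;;
      esac ;;
  esac
}

# Usage: script.sh resources/trusted-root.jsonl resources/new-trusted-root.jsonl
if [ "$#" -eq 2 ]; then
  check_trusted_root "$1" "$2"
fi
```

In a workflow this still needs the `issues: write` permission from the first review comment, since both the lookup and the issue creation use the job's token.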

Successfully merging this pull request may close these issues.

Automate maintenance of trusted roots