Include root.json in check-tuf-timestamps.yml (#23608)

fleetdm · Nov 7, 2024 · e525eed · e525eed
1 parent ff90aad
commit e525eed
Showing 1 changed file with 44 additions and 5 deletions.
diff --git a/.github/workflows/check-tuf-timestamps.yml b/.github/workflows/check-tuf-timestamps.yml
@@ -35,21 +35,38 @@ jobs:
         egress-policy: audit
 
     - name: Check remote timestamp.json file
+      id: check_timestamp
       run: |
         expires=$(curl -s http://tuf.fleetctl.com/timestamp.json | jq -r '.signed.expires' | cut -c 1-10)
         today=$(date "+%Y-%m-%d")
         warning_at=$(date -d "$today + 4 day" "+%Y-%m-%d")
         expires_sec=$(date -d "$expires" "+%s")
         warning_at_sec=$(date -d "$warning_at" "+%s")
-        
+
         if [ "$expires_sec" -le "$warning_at_sec" ]; then
-            exit 1
+            echo "timestamp_warn=true" >> ${GITHUB_OUTPUT}
         else
-            exit 0
+            echo "timestamp_warn=false" >> ${GITHUB_OUTPUT}
         fi
 
-    - name: Slack Notification
-      if: failure()
+    - name: Check remote root.json file
+      id: check_root
+      run: |
+        expires=$(curl -s http://tuf.fleetctl.com/root.json | jq -r '.signed.expires' | cut -c 1-10)
+        today=$(date "+%Y-%m-%d")
+        warning_at=$(date -d "$today + 30 day" "+%Y-%m-%d")
+        expires_sec=$(date -d "$expires" "+%s")
+        warning_at_sec=$(date -d "$warning_at" "+%s")
+
+        if [ "$expires_sec" -le "$warning_at_sec" ]; then
+            echo "root_warn=true" >> ${GITHUB_OUTPUT}
+        else
+            echo "root_warn=false" >> ${GITHUB_OUTPUT}
+        fi
+
+
+    - name: Slack Timestamp Notification
+      if: ${{ steps.check_timestamp.outputs.timestamp_warn  == 'true' }}
       uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
       with:
         payload: |
@@ -68,3 +85,25 @@ jobs:
       env:
         SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
         SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+
+    - name: Slack Root Notification
+      if: ${{ steps.check_root.outputs.root_warn  == 'true' }}
+      uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
+      with:
+        payload: |
+          {
+            "text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
+            "blocks": [
+              {
+                "type": "section",
+                "text": {
+                  "type": "mrkdwn",
+                  "text": "⚠️ TUF root.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{  github.run_id }}"
+                }
+              }
+            ]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
+        SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+