Create a GH issue when trusted root certs are outdated #235

Merged: asgrim merged 3 commits into php:main from asgrim:create-issue-when-trusted-root-outdated on May 6, 2025

asgrim (Contributor) commented May 5, 2025

Fixes #212

asgrim added this to the 0.11.0 milestone May 5, 2025
asgrim self-assigned this May 5, 2025
asgrim added the enhancement (New feature or request) label May 5, 2025
asgrim enabled auto-merge May 5, 2025 22:20
asgrim disabled auto-merge May 5, 2025 22:21
asgrim merged commit 5b24d98 into php:main May 6, 2025
19 checks passed
asgrim deleted the create-issue-when-trusted-root-outdated branch May 6, 2025 20:57
schedule:
- cron: "0 0 * * *"

jobs:

TimWolla (Member), May 6, 2025

Missing permissions section: I believe all repositories in the php/* organization are configured with read-only GHA permissions by default. Thus this is unable to create the issue. You'll need:

permissions:
  contents: read
  issues: write

see: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token

Contributor Author

Thanks! Good catch, tested it on my own fork, but that doesn't have that restriction I think :) #237

TimWolla (Member), May 6, 2025

Quite possible. Organization-owned repositories behave a little differently. You can sync up the permissions here by switching to the second setting:

[image]

That would likely be at https://github.com/asgrim/pie/settings/actions

diff resources/trusted-root.jsonl resources/new-trusted-root.jsonl \
&& echo "Trusted root cert has not changed, no action required." \
|| ( \
(gh issue list | grep -i "Trusted root needs updating") \
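
Review bot: the chain "diff ... && echo ... || ( ... )" enters the issue-creation branch on any non-zero status from diff, including the status above 1 that diff returns when resources/new-trusted-root.jsonl is missing or unreadable, so a comparison that could not be made is reported as an outdated trusted root. Capture the exit status, open the issue only when it is exactly 1, and fail the job for anything higher. An if/else would also avoid the right-hand branch running when the echo itself fails.
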

Member

I think this might not work if too many open issues exist. This should not happen in practice, but perhaps you could make this a little smarter by leveraging the filter flags: https://cli.github.com/manual/gh_issue_list

Something: gh issue list --author "github-actions[bot]" might help. Or just create a dedicated label.
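
One way to apply the dedicated-label suggestion from the comment above, as an added example that is not part of this pull request or the project's workflow. The label name trusted-root-outdated and the function name check_trusted_root are assumptions, and the label must already exist in the repository; the sketch also keeps diff's "different" status apart from its error status.

```shell
#!/bin/sh
# Added example, not the workflow from this pull request.
# Assumptions: the label name below is hypothetical and must already exist in
# the repository; gh is authenticated (in Actions, via GH_TOKEN) and the job
# has the "issues: write" permission discussed in the review.
ISSUE_TITLE="Trusted root needs updating"
ISSUE_LABEL="trusted-root-outdated"

# Prints one of: unchanged | exists | created. Returns 2 on any failure.
check_trusted_root() {
    current=$1
    fetched=$2

    # diff exits 0 (same), 1 (different) or >1 (trouble, e.g. a missing file).
    # Capture the status so trouble is not mistaken for "the root changed".
    status=0
    diff -q "$current" "$fetched" >/dev/null 2>&1 || status=$?
    case $status in
        0) echo "unchanged"; return 0 ;;
        1) ;;
        *) echo "could not compare $current and $fetched" >&2; return 2 ;;
    esac

    # Ask for open issues carrying the dedicated label instead of grepping
    # the default listing, which is capped at a default number of results.
    open=$(gh issue list --state open --label "$ISSUE_LABEL" \
        --limit 1 --json number --jq 'length') || return 2
    if [ "${open:-0}" -gt 0 ]; then
        echo "exists"
        return 0
    fi

    # gh prints the new issue URL on stdout; send it to stderr so stdout
    # carries only the status word.
    gh issue create --title "$ISSUE_TITLE" --label "$ISSUE_LABEL" \
        --body "The fetched trusted root differs from the committed copy." \
        >&2 || return 2
    echo "created"
}

# Run the check when called with the two file paths as arguments.
if [ "$#" -eq 2 ]; then
    check_trusted_root "$1" "$2"
fi
```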

Development

Successfully merging this pull request may close these issues.

Automate maintenance of trusted roots