Check TUF timestamps #444

Workflow file for this run

.github/workflows/check-tuf-timestamps.yml at 5319156

	name: Check TUF timestamps

	on:
	pull_request:
	paths:
	- ".github/workflows/check-tuf-timestamps.yml"
	workflow_dispatch: # Manual
	schedule:
	- cron: "0 10,22 * * *"

	# This allows a subsequently queued workflow run to interrupt previous runs
	concurrency:
	group: ${{ github.workflow }}-${{ github.head_ref \|\| github.run_id}}
	cancel-in-progress: true

	defaults:
	run:
	# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
	shell: bash

	permissions:
	contents: read

	jobs:
	test-go:
	strategy:
	matrix:
	os: [ubuntu-latest]
	runs-on: ${{ matrix.os }}

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	egress-policy: audit

	- name: Check remote timestamp.json file
	id: check_timestamp
	run: \|
	expires=$(curl -s http://tuf.fleetctl.com/timestamp.json \| jq -r '.signed.expires' \| cut -c 1-10)
	today=$(date "+%Y-%m-%d")
	warning_at=$(date -d "$today + 4 day" "+%Y-%m-%d")
	expires_sec=$(date -d "$expires" "+%s")
	warning_at_sec=$(date -d "$warning_at" "+%s")

	if [ "$expires_sec" -le "$warning_at_sec" ]; then
	echo "timestamp_warn=true" >> ${GITHUB_OUTPUT}
	else
	echo "timestamp_warn=false" >> ${GITHUB_OUTPUT}
	fi

	- name: Check remote snapshot.json file
	id: check_snapshot
	run: \|
	expires=$(curl -s http://tuf.fleetctl.com/snapshot.json \| jq -r '.signed.expires' \| cut -c 1-10)
	today=$(date "+%Y-%m-%d")
	warning_at=$(date -d "$today + 30 day" "+%Y-%m-%d")
	expires_sec=$(date -d "$expires" "+%s")
	warning_at_sec=$(date -d "$warning_at" "+%s")

	if [ "$expires_sec" -le "$warning_at_sec" ]; then
	echo "snapshot_warn=true" >> ${GITHUB_OUTPUT}
	else
	echo "snapshot_warn=false" >> ${GITHUB_OUTPUT}
	fi

	- name: Check remote targets.json file
	id: check_targets
	run: \|
	expires=$(curl -s http://tuf.fleetctl.com/targets.json \| jq -r '.signed.expires' \| cut -c 1-10)
	today=$(date "+%Y-%m-%d")
	warning_at=$(date -d "$today + 30 day" "+%Y-%m-%d")
	expires_sec=$(date -d "$expires" "+%s")
	warning_at_sec=$(date -d "$warning_at" "+%s")

	if [ "$expires_sec" -le "$warning_at_sec" ]; then
	echo "targets_warn=true" >> ${GITHUB_OUTPUT}
	else
	echo "targets_warn=false" >> ${GITHUB_OUTPUT}
	fi

	- name: Check remote root.json file
	id: check_root
	run: \|
	expires=$(curl -s http://tuf.fleetctl.com/root.json \| jq -r '.signed.expires' \| cut -c 1-10)
	today=$(date "+%Y-%m-%d")
	warning_at=$(date -d "$today + 30 day" "+%Y-%m-%d")
	expires_sec=$(date -d "$expires" "+%s")
	warning_at_sec=$(date -d "$warning_at" "+%s")

	if [ "$expires_sec" -le "$warning_at_sec" ]; then
	echo "root_warn=true" >> ${GITHUB_OUTPUT}
	else
	echo "root_warn=false" >> ${GITHUB_OUTPUT}
	fi

	- name: Slack timestamp notification
	if: ${{ steps.check_timestamp.outputs.timestamp_warn == 'true' }}
	uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
	with:
	payload: \|
	{
	"text": "${{ job.status }}\n${{ github.event.pull_request.html_url \|\| github.event.head.html_url }}",
	"blocks": [
	{
	"type": "section",
	"text": {
	"type": "mrkdwn",
	"text": "⚠️ TUF timestamp.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
	}
	}
	]
	}
	env:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
	SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

	- name: Slack snapshot notification
	if: ${{ steps.check_snapshot.outputs.snapshot_warn == 'true' }}
	uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
	with:
	payload: \|
	{
	"text": "${{ job.status }}\n${{ github.event.pull_request.html_url \|\| github.event.head.html_url }}",
	"blocks": [
	{
	"type": "section",
	"text": {
	"type": "mrkdwn",
	"text": "⚠️ TUF snapshot.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
	}
	}
	]
	}
	env:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
	SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

	- name: Slack targets notification
	if: ${{ steps.check_targets.outputs.targets_warn == 'true' }}
	uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
	with:
	payload: \|
	{
	"text": "${{ job.status }}\n${{ github.event.pull_request.html_url \|\| github.event.head.html_url }}",
	"blocks": [
	{
	"type": "section",
	"text": {
	"type": "mrkdwn",
	"text": "⚠️ TUF targets.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
	}
	}
	]
	}
	env:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
	SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

	- name: Slack root notification
	if: ${{ steps.check_root.outputs.root_warn == 'true' }}
	uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
	with:
	payload: \|
	{
	"text": "${{ job.status }}\n${{ github.event.pull_request.html_url \|\| github.event.head.html_url }}",
	"blocks": [
	{
	"type": "section",
	"text": {
	"type": "mrkdwn",
	"text": "⚠️ TUF root.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
	}
	}
	]
	}
	env:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
	SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Check TUF timestamps #444

Workflow file

Check TUF timestamps #444

Jobs

Run details

Workflow file for this run