.github/workflows/check_gpg_key_not_expired.yml

name: "Check Mondoo's GPG key is not expired"
on:
  workflow_dispatch:
  # Run every day at 00:00
  schedule:
    - cron:  '0 0 * * *'

jobs:
  check_gpg:
    name: Check Mondoo's GPG key has not expired
    env:
      # C07R9GSGKEU == #mondoo-ops
      SLACK_BOT_CHANNEL_ID: "C07R9GSGKEU"

    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - id: slack
        uses: slackapi/slack-github-action@v1.27.0
        with:
          channel-id: ${{ env.SLACK_BOT_CHANNEL_ID }}
          payload: |
            {
              "attachments": [
                {
                  "color": "#FFFF00",
                  "blocks": [
                    {
                      "type": "section",
                      "fields": [
                        {
                          "type": "mrkdwn",
                          "text": "<${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}|${{ github.workflow }}>"
                        },
                        {
                          "type": "mrkdwn",
                          "text": "*Status:*\n`In Progress`"
                        }
                      ]
                    }
                  ]
                }
              ]
            }
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
          
      - name: Install Mondoo cnspec
        shell: bash
        run: |
          echo Installing Mondoo cnspec...
          bash -xc "$(curl -sSL https://install.mondoo.com/sh/cnspec)"
      
      - name: Check expiration of public-package-signing.gpg
        shell: bash
        run: |
          cnspec providers install network
          cnspec scan local --detect-cicd --score-threshold 100 --policy-bundle test/cnspec/check-gpg.mql.yaml -o full

      - name: Install OpenPGP & cURL
        run: sudo apt install gpg -y

      - name: Check Public GPG Signing Key Harmony
        shell: bash
        run: |
          bash test/scripts/cert-harmony.sh

      - uses: slackapi/slack-github-action@v1.27.0
        if: always()
        with:
          channel-id: ${{ env.SLACK_BOT_CHANNEL_ID }}
          update-ts: ${{ steps.slack.outputs.ts }}
          payload: |
             {
              "attachments": [
                {
                  "color": "${{ job.status == 'success' && '#00FF00' || job.status == 'failure' && '#FF0000' || '#FFA500' }}",
                  "blocks": [
                    {
                      "type": "section",
                      "fields": [
                        {
                          "type": "mrkdwn",
                          "text": "<${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}|${{ github.workflow }}>"
                        },
                        {
                          "type": "mrkdwn",
                          "text": "*Status:*\n`${{ job.status }}`"
                        }
                      ]
                    }
                  ]
                }
                ]
              }
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}