Refresh resources #21
| name: Refresh resources | |
| on: | |
| schedule: | |
| - cron: '0 3 * * 1' # Every Monday at 03:00 UTC | |
| workflow_dispatch: | |
| jobs: | |
| refresh: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up Node.js from .nvmrc | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: '.nvmrc' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Refresh embedded resources | |
| run: | | |
| npm run res:fetch-log-list -- --force-bump | |
| npm run res:fetch-ca-bundle | |
| - name: Detect changes | |
| id: diff | |
| run: | | |
| if git diff --quiet -- src/resources/; then | |
| echo "changed=false" >> $GITHUB_OUTPUT | |
| else | |
| echo "changed=true" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Generate PR body | |
| if: steps.diff.outputs.changed == 'true' | |
| run: | | |
| DATE=$(date -u +'%Y-%m-%d %H:%M:%SZ') | |
| # Stage only resource files so we can compute blob sizes from the index | |
| git add -- src/resources/ | |
| echo "## Automated weekly refresh of embedded trust resources" > PR_BODY.md | |
| echo >> PR_BODY.md | |
| echo "This pull request refreshes the embedded resources used by the default helpers:" >> PR_BODY.md | |
| echo "- **Cloudflare CFSSL CA bundle (PEM)**: fetched from Cloudflare's open-source cfssl_trust bundle to provide a transparent, auditable root CA set for out-of-the-box verification instead of Node's default bundled trust store." >> PR_BODY.md | |
| echo "- **Unified Certificate Transparency (CT) log list**: built by combining the official Google and Apple CT log lists to maximize coverage and operator diversity for CT validation." >> PR_BODY.md | |
| echo >> PR_BODY.md | |
| echo "### Source references" >> PR_BODY.md | |
| echo "- Cloudflare CFSSL CA bundle: https://raw.githubusercontent.com/cloudflare/cfssl_trust/master/ca-bundle.crt" >> PR_BODY.md | |
| echo "- Google CT log list: https://www.gstatic.com/ct/log_list/v3/log_list_schema.json" >> PR_BODY.md | |
| echo "- Apple CT log list: https://valid.apple.com/ct/log_list/current_log_list.json" >> PR_BODY.md | |
| echo >> PR_BODY.md | |
| echo "**Please review and merge to keep embedded trust data up to date.**" >> PR_BODY.md | |
| - name: Create PR | |
| if: steps.diff.outputs.changed == 'true' | |
| uses: peter-evans/create-pull-request@v6 | |
| with: | |
| token: ${{ secrets.CREATE_PR_TOKEN || github.token }} | |
| commit-message: 'chore(resources): refresh embedded resources' | |
| title: 'chore(resources): refresh embedded resources' | |
| branch: chore/refresh-resources | |
| add-paths: | | |
| src/resources/** | |
| body-path: PR_BODY.md | |
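Review bot: In the "Generate PR body" step, `DATE` is assigned and never written into PR_BODY.md, and the comment above `git add -- src/resources/` says the index is staged to compute blob sizes, but no size or digest is ever computed — the body is static text, so a reviewer of a trust-anchor change (CA bundle, CT log list) gets no refresh timestamp and no per-file hash to compare against upstream. Emitting the date and a sha256 per changed file into the body makes that review verifiable, and the explicit `git add` can then go, since `add-paths` on create-pull-request stages the files itself (confirm against the action's docs). "Detect changes" uses `git diff --quiet`, which only sees tracked files; if `res:fetch-log-list`/`res:fetch-ca-bundle` can create new files under `src/resources/`, `git status --porcelain -- src/resources/` would catch them as well. Given the job's `contents: write` and `pull-requests: write` permissions, the third-party `peter-evans/create-pull-request@v6` reference should be pinned to a full commit SHA (`uses: peter-evans/create-pull-request@<full-commit-sha> # v6`) rather than a movable tag. The shell steps should also quote `"$GITHUB_OUTPUT"`.
```yaml
      - name: Generate PR body
        if: steps.diff.outputs.changed == 'true'
        run: |
          DATE=$(date -u +'%Y-%m-%d %H:%M:%SZ')
          {
            echo "## Automated weekly refresh of embedded trust resources"
            echo
            echo "Refreshed at: ${DATE}"
            echo
            echo "### Updated files (sha256)"
            git diff --name-only -- src/resources/ | while read -r f; do
              printf -- '- `%s`: `%s`\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)"
            done
            echo
            # … unchanged: description bullets and source-reference lines …
          } > PR_BODY.md
```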