-
Notifications
You must be signed in to change notification settings - Fork 26
95 lines (88 loc) · 3.22 KB
/
ct_reusable_monitoring.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
# Copyright 2024 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Certificate Transparency Monitoring Template
on:
workflow_call:
inputs:
once:
description: 'whether to run the identity monitor once or periodically'
default: true
required: false
type: boolean
config:
description: 'multiline yaml of configuration settings for identity monitor run'
required: false
type: string
url:
description: 'Optional URL to pass to the monitor'
required: false
type: string
permissions:
contents: read
env:
UPLOADED_LOG_NAME: ct_checkpoint
LOG_FILE: ct_checkpoint_log.txt
jobs:
detect-workflow:
runs-on: ubuntu-latest
permissions:
id-token: write # Needed to detect the current reusable repository and ref.
outputs:
repository: ${{ steps.detect.outputs.repository }}
ref: ${{ steps.detect.outputs.ref }}
timeout-minutes: 60
steps:
- name: Detect the repository and ref
id: detect
uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
# NOTE: This GHA should not be run concurrently.
concurrency:
group: certificate-transparency-monitor
cancel-in-progress: true
monitor:
runs-on: ubuntu-latest
needs: [detect-workflow]
timeout-minutes: 60
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: ${{ needs.detect-workflow.outputs.repository }}
ref: "${{ needs.detect-workflow.outputs.ref }}"
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version: '1.23'
- name: Download artifact
uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
with:
name: ${{ env.UPLOADED_LOG_NAME }}
# Skip on first run since there will be no checkpoint
continue-on-error: true
- name: Log current checkpoints
run: cat ${{ env.LOG_FILE }}
# Skip on first run
continue-on-error: true
- run: |
go run ./cmd/ct_monitor \
--config ${{ inputs.config }} \
--file ${{ env.LOG_FILE }} \
--once=${{ inputs.once }} \
${{ inputs.url && format('--url {0}', inputs.url) || '' }}
- name: Upload checkpoint
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: ${{ env.UPLOADED_LOG_NAME }}
path: ${{ env.LOG_FILE }}
retention-days: ${{ inputs.artifact_retention_days }}
- name: Log new checkpoints
run: cat ${{ env.LOG_FILE }}