Update TLS Fingerprints #707
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update TLS Fingerprints | |
| # Check for new TLS certificate fingerprints for three hosts used at 1:26 every morning. | |
| on: | |
| #push: | |
| #pull_request: | |
| schedule: | |
| - cron: '26 01 * * *' | |
| jobs: | |
| update-fingerprint: | |
| runs-on: ubuntu-latest | |
| env: | |
| CONFIG_FILE: ./DCTransistor/config.h | |
| BI_CONFIG_FILE: ./DCTransistor-Bidirectional/config.h | |
| outputs: | |
| compile: ${{ steps.update-fingerprints.outputs.compile }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Instal openssl | |
| run: sudo apt-get install -y openssl | |
| - name: Update Fingerprints | |
| id: update-fingerprints | |
| run: | | |
| function get_current_fingerprint { | |
| echo | openssl s_client -showcerts -servername $1-connect $1:443 2>/dev/null | openssl x509 -inform pem -fingerprint -sha1 | head -n 1 | cut -d '=' -f 2 | sed "s/:/ /g"; | |
| } | |
| WMATA_SERVER=$(grep WMATA_ENDPOINT $CONFIG_FILE | head -n 1 | cut -d '/' -f 3) | |
| UPDATE_SERVER=$(grep UPDATE_HOST $CONFIG_FILE | head -n 1 | cut -d '"' -f 2) | |
| GITHUB_SERVER=$(grep LATEST_VERSION_URL $CONFIG_FILE | head -n 1 | cut -d '/' -f 3) | |
| GIS_SERVER=$(grep GIS_CONFIG_ENDPOINT $CONFIG_FILE | head -n 1 | cut -d '/' -f 3) | |
| GIS_SERVICES_SERVER=$(grep GIS_TRAIN_LOC_ENDPOINT $CONFIG_FILE | head -n 1 | cut -d '/' -f 3) | |
| server_array=( $WMATA_SERVER $UPDATE_SERVER $GITHUB_SERVER $GIS_SERVER $GIS_SERVICES_SERVER ) | |
| for server in ${server_array[@]}; do | |
| fingerprint_var=$(echo ${server}_fingerprint | sed 's/\./_/g' ) | |
| fingerprint_var=${fingerprint_var^^} | |
| conf_string=$(grep $fingerprint_var $CONFIG_FILE | head -n 1 | cut -d '#' -f 2) | |
| cur_fingerprint=$(get_current_fingerprint $server) | |
| new_conf_string=$(echo -n "define ${fingerprint_var} \""${cur_fingerprint}"\"") | |
| sed -i -e "s/${conf_string}/${new_conf_string}/" ${CONFIG_FILE} | |
| sed -i -e "s/${conf_string}/${new_conf_string}/" ${BI_CONFIG_FILE} | |
| done | |
| if [[ $(git status) != *"nothing to commit, working tree clean"* ]]; then | |
| git config user.email "<>" | |
| git config user.name "SSL Update Action" | |
| git add ${CONFIG_FILE} | |
| git add ${BI_CONFIG_FILE} | |
| git commit -m "Update SSL fingerprint" | |
| git push origin main | |
| echo "compile=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "No updates" | |
| echo "compile=false" >> $GITHUB_OUTPUT | |
| fi | |
| call-update-binary: | |
| needs: update-fingerprint | |
| if: needs.update-fingerprint.outputs.compile == 'true' | |
| uses: ./.github/workflows/compile-sketches.yml | |
| secrets: inherit | |
| with: | |
| auto-update: true |