Add a Github Action that checks for new versions of the `OpenSSL` library, and creates a PR to update it if a newer version than the one present in the repo is found. Refs: https://github.com/nodejs/security-wg/issues/828 PR-URL: https://github.com/nodejs/node/pull/45605 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
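name: OpenSSL update

on:
  schedule:
    # Run once a week at 00:05 AM UTC on Sunday.
    - cron: '5 0 * * 0'
  workflow_dispatch:

# The automatic GITHUB_TOKEN stays read-only. Every step that needs to write
# (fetching releases with a higher rate limit, pushing the update branch,
# opening the PR) is handed the GH_USER_TOKEN PAT explicitly instead, so the
# write capability is scoped to exactly those steps.
permissions:
  contents: read

jobs:
  openssl-update:
    # Never run in forks: the PAT and the fixed branch name below belong to the
    # upstream repository only.
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the third-party actions in this job are pinned to a
      # mutable major tag (@v3 / @v1). Pin each to a full commit SHA (and let
      # Dependabot track the SHA) so that a moved or compromised tag cannot
      # change the code that runs with the PAT in its environment.
      - uses: actions/checkout@v3
        with:
          # Do not leave the job token in .git/config; the PR action pushes
          # with the PAT it is given, not with the checkout credentials.
          persist-credentials: false

      - name: Check if update branch already exists
        run: |
          BRANCH_EXISTS=$(git ls-remote --heads origin actions/tools-update-openssl)
          echo "BRANCH_EXISTS=$BRANCH_EXISTS" >> "$GITHUB_ENV"

      - name: Check and download new OpenSSL version
        # Only run the rest of the workflow if the update branch does not yet
        # exist; an open PR for a previous version must be dealt with by a
        # human first.
        if: ${{ env.BRANCH_EXISTS == '' }}
        run: |
          # Newest quictls release whose tag starts with "openssl-3", taken in
          # the order the releases API returns them (most recently created
          # first). Drafts and pre-releases are skipped: Node.js must not be
          # bumped to a pre-release of its TLS library automatically.
          # NOTE(review): this is creation order, not semantic-version order;
          # a patch release for an older 3.x series created after a newer
          # series would be picked up.
          NEW_VERSION=$(gh api repos/quictls/openssl/releases -q '.[]|select((.draft or .prerelease)|not)|.tag_name|select(contains("openssl-3"))|ltrimstr("openssl-")' | head -n1)
          # Fail loudly instead of opening a bogus PR when the API call returns
          # nothing (rate limit, outage, jq filter no longer matching) or a tag
          # that is not a plain version string. NEW_VERSION is written to
          # GITHUB_ENV and interpolated into commit messages and the PR body
          # below, so keep it to the expected shape "3.x.y+quic[N]".
          if ! printf '%s\n' "$NEW_VERSION" | grep -Eq '^3\.[0-9]+\.[0-9]+\+quic[0-9]*$'; then
            echo "::error::unexpected quictls release tag: '$NEW_VERSION'"
            exit 1
          fi
          # The quictls tag carries a release counter ("+quic1") that the
          # generated opensslv.h does not include in OPENSSL_FULL_VERSION_STR,
          # so strip it before comparing with the vendored version.
          NEW_VERSION_NO_RELEASE_1=$(case "$NEW_VERSION" in *quic1) echo "${NEW_VERSION%1}";; *) echo "$NEW_VERSION";; esac)
          VERSION_H="./deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h"
          CURRENT_VERSION=$(grep "OPENSSL_FULL_VERSION_STR" "$VERSION_H" | sed -n "s/^.*VERSION_STR \"\(.*\)\"/\1/p")
          if [ "$NEW_VERSION_NO_RELEASE_1" != "$CURRENT_VERSION" ]; then
            echo "NEW_VERSION=$NEW_VERSION" >> "$GITHUB_ENV"
            echo "HAS_UPDATE=true" >> "$GITHUB_ENV"
            ./tools/dep_updaters/update-openssl.sh download "$NEW_VERSION"
          fi
        env:
          # PAT rather than the job token: gh api uses it for the request to
          # the third-party repository and the higher authenticated rate limit.
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}

      - name: Create PR with first commit
        # HAS_UPDATE is only set (above) when the download actually happened;
        # an unset value is falsy here.
        if: env.HAS_UPDATE
        uses: gr2m/create-or-update-pull-request-action@v1
        # Creates a PR with the new OpenSSL source code committed. The PAT is
        # what pushes the branch and opens the PR; the job token cannot write.
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
        with:
          author: Node.js GitHub Bot <github-bot@iojs.org>
          body: This is an automated update of OpenSSL to ${{ env.NEW_VERSION }}.
          branch: actions/tools-update-openssl # Custom branch *just* for this Action.
          commit-message: 'deps: upgrade openssl sources to quictls/openssl-${{ env.NEW_VERSION }}'
          labels: dependencies
          title: 'deps: update OpenSSL to ${{ env.NEW_VERSION }}'
          path: deps/openssl

      - name: Regenerate platform specific files
        if: env.HAS_UPDATE
        run: |
          # Refresh the package index first; the runner image's index is often
          # stale and a bare "apt install" then fails with 404s.
          sudo apt-get update
          sudo apt-get install -y nasm libtext-template-perl
          ./tools/dep_updaters/update-openssl.sh regenerate
        env:
          # NOTE(review): confirm the regenerate step needs the PAT at all; if
          # the script does not call the GitHub API, drop this line so the
          # token is not exposed to the build tooling.
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}

      - name: Add second commit
        # Adds a second commit to the PR with the generated platform-dependent
        # files, so the hand-written source import and the generated output
        # can be reviewed separately.
        if: env.HAS_UPDATE
        uses: gr2m/create-or-update-pull-request-action@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
        with:
          author: Node.js GitHub Bot <github-bot@iojs.org>
          branch: actions/tools-update-openssl # Custom branch *just* for this Action.
          commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
          path: deps/openssl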