Global Cheese Positioning System #28217
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Global Cheese Positioning System | |
| on: | |
| push: | |
| pull_request: | |
| schedule: | |
| - cron: "15 * * * *" | |
| env: | |
| # Arguments for checks should be set here and are public | |
| NAMELIST: "a.pivcac.prod.login.gov a.pivcac.staging.login.gov" | |
| CERTLIST: "secure.login.gov idp.staging.login.gov a.pivcac.prod.login.gov a.pivcac.staging.login.gov login.gov www.login.gov mta-sts.login.gov" | |
| DNSSECLIST: "login.gov identitysandbox.gov" | |
| jobs: | |
| runchecks: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Make Temporary Results Dir | |
| run: mkdir -p temp | |
| - name: Setup Python 3 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: 3.12 | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -r requirements.txt | |
| ### START CHECKS | |
| - name: Lookup DNS Records | |
| run: bin/namecheck.py ${NAMELIST} > temp/namecheck.json | |
| - name: Lookup DNSSEC Records | |
| run: bin/dnsseccheck.py ${DNSSECLIST} > temp/dnsseccheck.json | |
| - name: Gather TLS Certificate Chains | |
| run: bin/certcheck.py ${CERTLIST} > temp/certcheck.json | |
| ### END CHECKS | |
| - name: Store Current Results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: cheeserun-results-${{github.run_id}} | |
| path: temp/ | |
| compare: | |
| needs: runchecks | |
| runs-on: ubuntu-latest | |
| env: | |
| CHANGED: 0 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.head_ref }} | |
| - name: Restore Latest Results | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: cheeserun-results-${{github.run_id}} | |
| path: temp/ | |
| - name: Overwrite Saved Results | |
| run: | | |
| rm -rf results/* | |
| cp -r temp/* results/ | |
| git add -A results | |
| - name: Compare Results | |
| run: git diff --exit-code --staged results/ >> temp/changeset.diff || echo "CHANGED=1" >> $GITHUB_ENV | |
| - name: Commit and Push Changes | |
| if: env.CHANGED == 1 | |
| uses: actions-x/commit@v6 | |
| - name: Output Change Report | |
| id: changeset | |
| if: env.CHANGED == 1 | |
| run: | | |
| cat temp/changeset.diff | |
| echo "COMMITID=$(git rev-parse HEAD)" >> $GITHUB_ENV | |
| - name: Slack Changes | |
| # Requires SLACK_WEBHOOK_URL and SLACK_CHANNEL secrets to be | |
| # set. | |
| if: env.CHANGED == 1 && github.ref == 'refs/heads/main' | |
| uses: edge/simple-slack-notify@master | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| with: | |
| username: "CheeseWatch" | |
| channel: ${{ secrets.SLACK_CHANNEL }} | |
| color: "danger" | |
| text: "The cheese has moved! See: https://github.com/${{ github.repository }}/commit/${{ env.COMMITID }}" |