This repository was archived by the owner on May 12, 2026. It is now read-only.
GHA to Check Key Vault Certificates Expiration #1127
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: GHA to Check Key Vault Certificates Expiration | |
| on: | |
| schedule: | |
| # The workflow runs every day at 8:07am | |
| - cron: "7 13 * * *" #UTC-5 | |
| env: | |
| AZURE_CREDENTIALS: '{"clientId":"${{ secrets.REPO_AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.REPO_AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.REPO_AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.REPO_AZURE_TENANT_ID }}"}' | |
| jobs: | |
| check-certificates: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check Out Changes | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 | |
| - name: Get runner ip | |
| id: runner_ip | |
| uses: ./.github/actions/runner-ip | |
| - name: Connect to VPN & Login into Azure | |
| uses: ./.github/actions/vpn-azure | |
| with: | |
| tls-key: ${{ secrets.TLS_KEY }} | |
| ca-cert: ${{ secrets.CA_CRT}} | |
| user-crt: ${{ secrets.USER_CRT }} | |
| user-key: ${{ secrets.USER_KEY }} | |
| sp-creds: ${{ env.AZURE_CREDENTIALS }} | |
| - name: Add Runner IP to Key Vault Firewall | |
| run: | | |
| az keyvault network-rule add --name pdhstaging-keyvault --ip-address ${{ steps.runner_ip.outputs.ip-address }} | |
| az keyvault network-rule add --name pdhprod-keyvault --ip-address ${{ steps.runner_ip.outputs.ip-address }} | |
| - name: List KeyVault Certificates in Prod & Staging | |
| id: cert_list | |
| run: | | |
| az keyvault certificate list --vault-name pdhprod-keyvault \ | |
| --query "[?attributes.expires <= '$(date -u -d '+30 days' +%Y-%m-%dT%H:%M:%S.%NZ)'].{Name:name, Expiry:attributes.expires}" \ | |
| -o json | jq -r '. | map("\(.Name) expires \(.Expiry)") | .[]' > certificates.json | |
| az keyvault certificate list --vault-name pdhstaging-keyvault \ | |
| --query "[?attributes.expires <= '$(date -u -d '+30 days' +%Y-%m-%dT%H:%M:%S.%NZ)'].{Name:name, Expiry:attributes.expires}" \ | |
| -o json | jq -r '. | map("\(.Name) expires \(.Expiry)") | .[]' >> certificates.json | |
| cat certificates.json | |
| - name: Format output | |
| id: format_out | |
| run: | | |
| EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
| echo "LIST<<$EOF" >> $GITHUB_OUTPUT | |
| cat certificates.json >> $GITHUB_OUTPUT | |
| echo "$EOF" >> $GITHUB_OUTPUT | |
| - name: Slack Notification | |
| if: ${{ steps.format_out.outputs.LIST != '' }} | |
| uses: ./.github/actions/notifications | |
| with: | |
| method: slack | |
| title: These Certificates are expired or will expire in 30 days or less | |
| message: | | |
| ${{ steps.format_out.outputs.LIST }} | |
| icon-emoji: ':bell:' | |
| channel: cdc-reportstream-bot-notifications | |
| webhook-url: ${{ secrets.SLACK_WEBHOOK_URL_NAVA_BOT_NOTIFICATIONS_CHANNEL }} # Updated webhook secret | |
| color: warning | |
| - name: Remove Runner IP from the KeyVault Firewalls | |
| run: | | |
| az keyvault network-rule remove --name pdhstaging-keyvault --ip-address ${{ steps.runner_ip.outputs.ip-address }} | |
| az keyvault network-rule remove --name pdhprod-keyvault --ip-address ${{ steps.runner_ip.outputs.ip-address }} |