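---
# Polls Certificate Transparency logs (via crt.sh, see ct_monitor.py) for the
# configured domains twice a day and commits the "seen certificates" state
# back to the repository.
name: ct-check

on:
  schedule:
    # Twice daily, expressed in UTC. Berlin (CEST = UTC+2): 08:15 → 06:15 UTC,
    # 20:15 → 18:15 UTC. Under CET (UTC+1) the local times are one hour
    # earlier; cron never follows DST.
    - cron: '15 6 * * *'
    - cron: '15 18 * * *'
  workflow_dispatch:

# `contents: write` is the minimum scope the "Commit state changes" step needs
# to push state.json with the GITHUB_TOKEN that actions/checkout persists.
permissions:
  contents: write

# Serialise runs so two polls never race on state.json or on the push.
concurrency:
  group: ct-check
  cancel-in-progress: false

jobs:
  poll:
    runs-on: ubuntu-latest
    # Worst case of the retry loop below: 3 attempts x CT_MONITOR_HTTP_TIMEOUT
    # (120 s, assuming that is a per-request timeout) plus 30 s + 60 s of
    # backoff ≈ 7.5 min. The previous 5 min budget could kill the job
    # mid-retry, before the state commit step ever ran.
    timeout-minutes: 10

    steps:
      - name: Checkout
        # Tag references are mutable; pinning to a full commit SHA makes the
        # action version reproducible.
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Prefer IPv4 (GH runner has flaky IPv6 egress to crt.sh)
        run: echo 'precedence ::ffff:0:0/96 100' | sudo tee -a /etc/gai.conf

      - name: Run CT-Monitor
        # Secrets are scoped to this step's env only; the checkout and commit
        # steps never see them.
        env:
          CT_MONITOR_DOMAINS: berkoc.com
          CT_MONITOR_STATE: ./state.json
          CT_MONITOR_HTTP_TIMEOUT: '120'
          # Presumably run by ct_monitor.py when a new certificate is seen —
          # confirm in ct_monitor.py how it is invoked (argv list vs. shell).
          CT_MONITOR_ALERT_CMD: python3 scripts/mail_alert.py
          SMTP_HOST: ${{ secrets.SMTP_HOST }}
          SMTP_PORT: ${{ secrets.SMTP_PORT }}
          SMTP_USER: ${{ secrets.SMTP_USER }}
          SMTP_PASS: ${{ secrets.SMTP_PASS }}
          SMTP_FROM: ${{ secrets.SMTP_FROM }}
          ALERT_TO: ${{ secrets.ALERT_TO }}
          ALERT_SUBJECT: 'CT-Monitor: neuer Cert für berkoc.com'
        run: |
          # crt.sh is notoriously slow → 3 attempts with linear backoff.
          # ct_monitor.py appears to exit 0 and only log transient failures to
          # stderr, so both a logged network error and a non-zero exit are
          # retried (the original only backed off on the former); the last
          # attempt does not sleep before giving up.
          for attempt in 1 2 3; do
            if python3 ct_monitor.py 2> /tmp/err.log; then
              if ! grep -qE 'network error|HTTP [45]' /tmp/err.log; then
                cat /tmp/err.log
                exit 0
              fi
              echo "Attempt $attempt: network issue"
            else
              echo "Attempt $attempt: ct_monitor.py exited with status $?"
            fi
            cat /tmp/err.log
            if [ "$attempt" -lt 3 ]; then
              echo "retry in $((attempt * 30))s"
              sleep $((attempt * 30))
            fi
          done
          echo "ct_monitor.py failed after 3 attempts"
          exit 1

      - name: Commit state changes
        # The push reuses the token persisted by actions/checkout. There is no
        # `push` trigger on this workflow, so the bot commit cannot re-trigger
        # it. The concurrency group only serialises this workflow: a push by
        # someone else in between would make `git push` non-fast-forward.
        run: |
          if [[ -n "$(git status --porcelain state.json)" ]]; then
            git config user.name 'ct-monitor-bot'
            git config user.email 'ct-monitor-bot@users.noreply.github.com'
            git add state.json
            git commit -m "state: refresh seen certs ($(date -u +%Y-%m-%dT%H:%MZ))"
            git push
          else
            echo "no state diff"
          fi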