
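---
# Scheduled Certificate Transparency check.
# Runs ct_monitor.py (querying crt.sh) for the configured domains and keeps
# the set of already-seen certificates in state.json, which the last step
# commits back to the repository so the next run only alerts on new ones.
name: ct-check
on:  # yamllint disable-line rule:truthy -- GitHub Actions requires this key name
  schedule:
    # Twice a day, expressed in UTC. Berlin (CEST = UTC+2): 08:15 -> 06:15 UTC, 20:15 -> 18:15 UTC.
    - cron: '15 6 * * *'
    - cron: '15 18 * * *'
  workflow_dispatch:

# `contents: write` is needed only so the poll job can push state.json;
# no other scope is granted to the workflow token.
permissions:
  contents: write

# Never run two polls at once: both would try to commit and push state.json.
# A run already in progress is left to finish rather than cancelled.
concurrency:
  group: ct-check
  cancel-in-progress: false

jobs:
  poll:
    runs-on: ubuntu-latest
    # Budget: up to 3 attempts of ct_monitor.py, each bounded by the 120 s
    # CT_MONITOR_HTTP_TIMEOUT below, plus 30 s + 60 s of backoff between
    # attempts (~7.5 min worst case), plus checkout/setup. The previous value
    # of 5 minutes could kill the job during the third attempt.
    # NOTE(review): assumes ct_monitor.py issues roughly one request per run;
    # if it makes several, raise this further.
    timeout-minutes: 10
    steps:
      - name: Checkout
        # TODO(review): pin to a full commit SHA (actions/checkout@<commit-sha>)
        # instead of a moving tag, since this action receives the push credential.
        uses: actions/checkout@v4

      - name: Set up Python
        # TODO(review): pin to a full commit SHA (actions/setup-python@<commit-sha>).
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Prefer IPv4 (GH runner has flaky IPv6 egress to crt.sh)
        # Lowers the getaddrinfo() precedence of IPv6 so crt.sh is reached over IPv4.
        run: echo 'precedence ::ffff:0:0/96 100' | sudo tee -a /etc/gai.conf

      - name: Run CT-Monitor
        # Environment for ct_monitor.py. CT_MONITOR_ALERT_CMD is presumably the
        # command ct_monitor.py invokes on a new certificate, and the SMTP_* /
        # ALERT_* values are presumably read by scripts/mail_alert.py -- confirm
        # against those scripts. Secret values are masked by GitHub in the logs.
        env:
          CT_MONITOR_DOMAINS: berkoc.com
          CT_MONITOR_STATE: ./state.json
          CT_MONITOR_HTTP_TIMEOUT: '120'
          CT_MONITOR_ALERT_CMD: python3 scripts/mail_alert.py
          SMTP_HOST: ${{ secrets.SMTP_HOST }}
          SMTP_PORT: ${{ secrets.SMTP_PORT }}
          SMTP_USER: ${{ secrets.SMTP_USER }}
          SMTP_PASS: ${{ secrets.SMTP_PASS }}
          SMTP_FROM: ${{ secrets.SMTP_FROM }}
          ALERT_TO: ${{ secrets.ALERT_TO }}
          ALERT_SUBJECT: 'CT-Monitor: neuer Cert für berkoc.com'
        run: |
          # crt.sh is notoriously slow -> up to 3 attempts with linear backoff (30 s, 60 s).
          # ct_monitor.py can exit 0 and still report a transport problem on stderr,
          # so both the exit status and the captured stderr decide whether to retry.
          # A non-zero exit now backs off like the network-error case did before
          # (previously it looped again immediately), and no backoff is slept
          # after the final attempt.
          max_attempts=3
          for attempt in 1 2 3; do
            if python3 ct_monitor.py 2> /tmp/err.log; then
              if ! grep -qE 'network error|HTTP [45]' /tmp/err.log; then
                cat /tmp/err.log
                exit 0
              fi
              echo "Attempt $attempt: network issue"
            else
              echo "Attempt $attempt: ct_monitor.py exited non-zero"
            fi
            cat /tmp/err.log
            if [[ $attempt -lt $max_attempts ]]; then
              echo "retry in $((attempt * 30))s"
              sleep $((attempt * 30))
            fi
          done
          echo "ct_monitor.py failed after 3 attempts"
          cat /tmp/err.log
          exit 1

      - name: Commit state changes
        # Only runs when the monitor step succeeded (default step condition).
        # Pushes with the checkout-persisted token; the concurrency group above
        # is what prevents two runs from racing on this push.
        run: |
          if [[ -n "$(git status --porcelain state.json)" ]]; then
            git config user.name 'ct-monitor-bot'
            git config user.email 'ct-monitor-bot@users.noreply.github.com'
            git add state.json
            git commit -m "state: refresh seen certs ($(date -u +%Y-%m-%dT%H:%MZ))"
            git push
          else
            echo "no state diff"
          fi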