hashicorp/hashicat-azure/secret-expiration #574
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright (c) HashiCorp, Inc. | |
# SPDX-License-Identifier: Apache-2.0 | |
# | |
# See IL-574 for secret and variables definitions | |
name: hashicorp/hashicat-azure/secret-expiration | |
on: | |
workflow_dispatch: | |
schedule: | |
# This is UTC | |
- cron: 37 4 * * * | |
permissions: {} | |
jobs: | |
check-arm-client-secret: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Build Message | |
id: build-message | |
shell: python | |
continue-on-error: true | |
run: |- | |
import datetime | |
import os | |
expiry_date = datetime.datetime.fromisoformat("${{ vars.ARM_CLIENT_SECRET_EXPIRY }}") | |
now = datetime.date.today() | |
time_left = expiry_date.date() - now | |
days_left = time_left.days | |
print(f"ARM_CLIENT_SECRET has {days_left} days left") | |
# Set some output to trigger the Slack step | |
gho = open(os.environ.get('GITHUB_OUTPUT'), 'a') | |
gho.writelines([f'days_left={days_left}\n']) | |
if days_left <= int("${{ vars.ARM_CLIENT_SECRET_MIN_DAYS_REMAINING }}"): | |
gho.writelines(['do_notify=true\n']) | |
else: | |
gho.writelines(['do_notify=false\n']) | |
gho.close() | |
- name: Notify Slack on Build Message Error | |
id: notify-build-message-error | |
if: ${{ steps.build-message.outcome == 'failure' }} | |
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 | |
with: | |
channel-id: ${{ vars.SLACK_NOTIFICATION_CHANNELS_FAIL_ONLY }} | |
payload: |- | |
{ | |
"blocks": [ | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": ":exclamation: Workflow <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }} #${{ github.run_number }}> *FAILED*" | |
} | |
} | |
] | |
} | |
env: | |
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
- name: Notify Slack | |
id: notify-slack | |
if: ${{ steps.build-message.outputs.do_notify == 'true' }} | |
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 | |
with: | |
channel-id: ${{ vars.SLACK_NOTIFICATION_CHANNELS_FAIL_ONLY }} | |
payload: |- | |
{ | |
"blocks": [ | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": ":exclamation: Workflow <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }} #${{ github.run_number }}> *ALERT*" | |
} | |
}, | |
{ | |
"type": "divider" | |
}, | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "The secret ARM_CLIENT_SECRET has ${{ steps.build-message.outputs.days_left }} days left, less than ${{ vars.ARM_CLIENT_SECRET_MIN_DAYS_REMAINING }}. See IL-574 for information on how to renew it" | |
} | |
} | |
] | |
} | |
env: | |
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} |