Skip to content

hashicorp/hashicat-azure/secret-expiration #130

hashicorp/hashicat-azure/secret-expiration

hashicorp/hashicat-azure/secret-expiration #130

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: Apache-2.0
#
# See IL-574 for secret and variables definitions
name: hashicorp/hashicat-azure/secret-expiration
on:
workflow_dispatch:
schedule:
# This is UTC
- cron: 37 4 * * *
permissions: {}
jobs:
check-arm-client-secret:
runs-on: ubuntu-latest
steps:
- name: Build Message
id: build-message
shell: python
continue-on-error: true
run: |-
import datetime
import os
expiry_date = datetime.datetime.fromisoformat("${{ vars.ARM_CLIENT_SECRET_EXPIRY }}")
now = datetime.date.today()
time_left = expiry_date.date() - now
days_left = time_left.days
print(f"ARM_CLIENT_SECRET has {days_left} days left")
# Set some output to trigger the Slack step
gho = open(os.environ.get('GITHUB_OUTPUT'), 'a')
gho.writelines([f'days_left={days_left}\n'])
if days_left <= int("${{ vars.ARM_CLIENT_SECRET_MIN_DAYS_REMAINING }}"):
gho.writelines(['do_notify=true\n'])
else:
gho.writelines(['do_notify=false\n'])
gho.close()
- name: Notify Slack on Build Message Error
id: notify-build-message-error
if: ${{ steps.build-message.outcome == 'failure' }}
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
with:
channel-id: ${{ vars.SLACK_NOTIFICATION_CHANNELS_FAIL_ONLY }}
payload: |-
{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": ":exclamation: Workflow <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }} #${{ github.run_number }}> *FAILED*"
}
}
]
}
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
- name: Notify Slack
id: notify-slack
if: ${{ steps.build-message.outputs.do_notify == 'true' }}
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
with:
channel-id: ${{ vars.SLACK_NOTIFICATION_CHANNELS_FAIL_ONLY }}
payload: |-
{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": ":exclamation: Workflow <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }} #${{ github.run_number }}> *ALERT*"
}
},
{
"type": "divider"
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "The secret ARM_CLIENT_SECRET has ${{ steps.build-message.outputs.days_left }} days left, less than ${{ vars.ARM_CLIENT_SECRET_MIN_DAYS_REMAINING }}. See IL-574 for information on how to renew it"
}
}
]
}
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}