app-certificate-requests/.github/workflows/merge_request_app_id.yml at 25dd7885a4a30de278361c6b21d7f4e4d7532b5b · nextcloud/app-certificate-requests · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
name: Validate CSR Common Name
on:
  pull_request:
    paths:
      - '**/*.csr'

jobs:
  validate-csr-cn:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
        with:
          fetch-depth: 2
          sparse-checkout: |
            *.csr
          sparse-checkout-cone-mode: false

      - name: Get changed CSR files
        id: changed_csrs
        run: |
          files=$(git diff --name-only --diff-filter=AMR ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep '\.csr$' | xargs)
          echo "csr_files=$files" >> $GITHUB_OUTPUT

      - name: Validate each CSR
        if: ${{ steps.changed_csrs.outputs.csr_files }}
        run: |
          for csr in ${{ steps.changed_csrs.outputs.csr_files }}; do
            filename=$(echo $csr | awk -F "[/.]" '{ print $2 }')
            subject=$(cat $csr | openssl req -noout -subject)
            echo $subject | awk -v app_id="$filename" -F "[= ]" '{ if ($5==app_id) { exit 0 } else { exit 1 }}'
          done