Skip to content

Check stale keys

Check stale keys #107

name: Check stale keys
on:
schedule:
# 11 pm UTC -> 10/11 am NZ, Tuesdays
- cron: '0 23 * * 2'
jobs:
check-for-stale-keys:
runs-on: ubuntu-latest
outputs:
ssh_stale: ${{ steps.stale_files.outputs.ssh_stale }}
old_keys: ${{ steps.stale_files.outputs.old_keys }}
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: check stale files
id: stale_files
run: |
set -x
cd ssh
git ls-tree -r --name-only HEAD | while read filename; do
[[ "$(git log -1 --format="%at" -- $filename)" < "$(date --date='2 years ago' +%s)" ]] && echo "$(git log -1 --format="%ad" --date=format:'%Y-%m-%dT%H:%M:%S%z' -- $filename) $filename"
done >> old_keys.txt || /bin/true
# Using grep to skip keys where a yubi key is used so rotation not required.
OLD_KEYS=$(\
cat old_keys.txt |\
grep -v eugene_authorized_keys |\
tr '\n' ';'\
)
echo "::set-output name=old_keys::$OLD_KEYS"
if [ -s old_keys.txt ]; then
# The file is not-empty.
# Notify via slack?
echo "::set-output name=ssh_stale::true"
else
# The file is empty.
echo "::set-output name=ssh_stale::false"
fi
notify-for-stale-keys:
runs-on: ubuntu-latest
needs: check-for-stale-keys
if: needs.check-for-stale-keys.outputs.ssh_stale == 'true'
steps:
- name: Post to a Slack channel
id: slack
uses: slackapi/[email protected]
with:
payload: |
{
"slack-message": "Stale ssh keys:\n ${{ needs.check-for-stale-keys.outputs.old_keys }}"
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}