Daily credentials verification #374
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Daily credentials verification | |
on: | |
schedule: | |
# Runs 00:00 UTC every day | |
- cron: 0 0 * * * | |
workflow_dispatch: | |
jobs: | |
# Verifies the token used by the bot to publish crates to crates.io | |
verify-crates-io-token: | |
name: Verify Crates.io Token | |
if: github.repository == 'smithy-lang/smithy-rs' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout smithy-rs | |
uses: actions/checkout@v4 | |
- name: Verify Crates.io Token | |
shell: bash | |
env: | |
CARGO_REGISTRY_TOKEN: ${{ secrets.RELEASE_AUTOMATION_BOT_CRATESIO_TOKEN }} | |
run: | | |
echo "Checking cargo auth token..." | |
# "cargo login" only saves a token and does not actually use it, so we use "cargo yank" to verify the token. | |
# This version has already been yanked, so it is safe to execute the command below repeatedly. | |
# This command succeeds if we have a token with permission to yank the crate. | |
cargo yank aws-sigv4 --version 0.55.0 | |
- name: Notify Slack on Failure | |
if: failure() | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
run: | | |
curl -X POST "${SLACK_WEBHOOK_URL}" -H 'Content-type: application/json' \ | |
--data '{"workflow_msg":"⚠️ Invalid crates.io token. Create a new token as soon as possible!"}' | |
# Verifies the token used to perform actions on the repository on behalf of the bot user | |
verify-personal-access-token: | |
name: Verify Personal Access Token | |
if: github.repository == 'smithy-lang/smithy-rs' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout smithy-rs | |
# To test the validity of the personal access token, we only need to perform checkout with the specified token. | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ secrets.RELEASE_AUTOMATION_BOT_PAT }} | |
- name: Notify Slack on Failure | |
if: failure() | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
run: | | |
curl -X POST "${SLACK_WEBHOOK_URL}" -H 'Content-type: application/json' \ | |
--data '{"workflow_msg":"⚠️ Invalid GitHub personal access token. Create a new token as soon as possible!"}' |