GH Actions: split "update-cacert" workflow

jrfnl · jrfnl · commit fc321d4569ca · 2025-11-14T18:41:24.000+01:00
GitHub has the annoying habit of disabling workflows with a cron job after two months if the repo doesn't see any activity.

As this repo has been semi-dormant over the past year, this may become more regularly the case for this repo and this creates the following problem:
* If the same workflow is used for both the cron job as well as the push/pull_request CI checks...
* ... and a repo doesn't have any activity in two months time...
* ... the workflow gets disabled...
* ... which then also means that CI checks will no longer be run for new PRs....
* ... which means new PRs can't be merged as (in most cases) the repo has branch protection in place and requires that the CI checks pass before a PR can be merged.

This commit basically changes the original workflow to a reusable workflow and then creates two new workflows, with different `on` targets, which each trigger the reusable workflow.
* One workflow will be triggered via `cron`.
* One workflow will have all the other triggers (`push`/`pull_request`/`workflow_dispatch`).

This way, if the cron job workflow gets disabled, the workflow which is used for the other triggers will continue to function.

The downside of this, is that it may go unnoticed that the cron job has stopped running, but so be it.
diff --git a/.github/workflows/reusable-update-cacert.yml b/.github/workflows/reusable-update-cacert.yml
@@ -0,0 +1,83 @@
+name: Certificates
+
+on:
+  workflow_call:
+
+jobs:
+  certificate-check:
+    name: "Check for updated certificate bundle"
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Determine branches to use
+        id: branches
+        env:
+          HEAD_REF: ${{ github.head_ref }}
+          PR_NUM: ${{ github.event.pull_request.number }}
+        run: |
+          if [[ "${{ github.event_name }}" == 'schedule' ]]; then
+            echo "BASE=develop" >> "$GITHUB_OUTPUT"
+            echo "PR_BRANCH=feature/auto-update-cacert" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ github.event_name }}" == 'push' ]]; then
+            # Pull requests should always go to develop, even when triggered via a push to stable.
+            echo "BASE=develop" >> "$GITHUB_OUTPUT"
+            echo "PR_BRANCH=feature/auto-update-cacert" >> "$GITHUB_OUTPUT"
+          elif [[ $PR_NUM != '' ]]; then # = PR or manual (re-)run for a workflow triggered by a PR.
+            echo "BASE=$HEAD_REF" >> "$GITHUB_OUTPUT"
+            echo "PR_BRANCH=feature/auto-update-cacert-$PR_NUM" >> "$GITHUB_OUTPUT"
+          else # = manual run.
+            echo "BASE=$HEAD_REF" >> "$GITHUB_OUTPUT"
+            echo "PR_BRANCH=feature/auto-update-cacert-misc" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Restore etags cache for certificate files
+        uses: actions/cache@v4
+        with:
+          path: certificates/etag-*.txt
+          key: curl-etag-${{ hashFiles('certificates/cacert.pem') }}-${{ hashFiles('certificates/cacert.pem.sha256') }}
+          restore-keys: |
+            curl-etag-
+
+      - name: Get current certificate bundle if changed
+        working-directory: ./certificates
+        run: curl --etag-compare etag-cert.txt --etag-save etag-cert.txt --remote-name https://curl.se/ca/cacert.pem
+
+      - name: Get current SHA256 checksum file for the bundle if changed
+        working-directory: ./certificates
+        run: curl --etag-compare etag-sha.txt --etag-save etag-sha.txt --remote-name https://curl.se/ca/cacert.pem.sha256
+
+      - name: Verify the checksum of the downloaded bundle
+        working-directory: ./certificates
+        run: sha256sum --check cacert.pem.sha256
+
+      - name: "Debug info: Show git status"
+        run: git status -vv --untracked=all
+
+      # http://man7.org/linux/man-pages/man1/date.1.html
+      - name: "Get date"
+        id: get-date
+        run: echo "DATE=$(/bin/date -u "+%F")" >> "$GITHUB_OUTPUT"
+
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          base: ${{ steps.branches.outputs.BASE }}
+          branch: ${{ steps.branches.outputs.PR_BRANCH }}
+          delete-branch: true
+          sign-commits: true
+          commit-message: ":lock_with_ink_pen: Update certificate bundle"
+          title: ":lock_with_ink_pen: Update certificate bundle"
+          body: |
+            Updated certificate bundle, last verified on ${{ steps.get-date.outputs.DATE }}.
+
+            Source: https://curl.se/docs/caextract.html
+
+            This PR is auto-generated by [create-pull-request](https://github.com/peter-evans/create-pull-request) using the `.github/workflows/update-cacert.yml` workflow.
+          labels: |
+            Type: enhancement
+          reviewers: |
+            jrfnl
+            schlessera
diff --git a/.github/workflows/update-cacert-cron.yml b/.github/workflows/update-cacert-cron.yml
@@ -0,0 +1,19 @@
+name: Certificates Cronjob
+
+on:
+  # Run every day at 4:20.
+  schedule:
+    - cron: '20 4 * * *'
+
+# Cancels all previous workflow runs for the same branch that have not yet completed.
+concurrency:
+  # The concurrency group contains the workflow name and the branch name.
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  certificate-check:
+    # Don't run the cron job on forks.
+    if: ${{ github.event.repository.fork == false }}
+
+    uses: ./.github/workflows/reusable-update-cacert.yml
diff --git a/.github/workflows/update-cacert.yml b/.github/workflows/update-cacert.yml
@@ -1,9 +1,6 @@
 name: Certificates
 
 on:
-  # Run every day at 4:20.
-  schedule:
-    - cron: '20 4 * * *'
   # Run on every push to `stable` and `develop`.
   # Not using path selection here as it appears only the files in the last commit from the push are looked at.
   push:
@@ -14,6 +11,8 @@ on:
   pull_request:
     paths:
       - '.github/workflows/update-cacert.yml'
+      - '.github/workflows/update-cacert-cron.yml'
+      - '.github/workflows/reusable-update-cacert.yml'
       - 'certificates/cacert.pem'
       - 'certificates/cacert.pem.sha256'
   # Also allow manually triggering the workflow.
@@ -27,81 +26,4 @@ concurrency:
 
 jobs:
   certificate-check:
-    name: "Check for updated certificate bundle"
-    # Don't run the cron job on forks.
-    if: ${{ github.event_name != 'schedule' || github.repository == 'WordPress/Requests' }}
-
-    runs-on: ubuntu-latest
-    steps:
-      - name: Determine branches to use
-        id: branches
-        env:
-          HEAD_REF: ${{ github.head_ref }}
-          PR_NUM: ${{ github.event.pull_request.number }}
-        run: |
-          if [[ "${{ github.event_name }}" == 'schedule' ]]; then
-            echo "BASE=develop" >> "$GITHUB_OUTPUT"
-            echo "PR_BRANCH=feature/auto-update-cacert" >> "$GITHUB_OUTPUT"
-          elif [[ "${{ github.event_name }}" == 'push' ]]; then
-            # Pull requests should always go to develop, even when triggered via a push to stable.
-            echo "BASE=develop" >> "$GITHUB_OUTPUT"
-            echo "PR_BRANCH=feature/auto-update-cacert" >> "$GITHUB_OUTPUT"
-          elif [[ $PR_NUM != '' ]]; then # = PR or manual (re-)run for a workflow triggered by a PR.
-            echo "BASE=$HEAD_REF" >> "$GITHUB_OUTPUT"
-            echo "PR_BRANCH=feature/auto-update-cacert-$PR_NUM" >> "$GITHUB_OUTPUT"
-          else # = manual run.
-            echo "BASE=$HEAD_REF" >> "$GITHUB_OUTPUT"
-            echo "PR_BRANCH=feature/auto-update-cacert-misc" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Checkout code
-        uses: actions/checkout@v5
-
-      - name: Restore etags cache for certificate files
-        uses: actions/cache@v4
-        with:
-          path: certificates/etag-*.txt
-          key: curl-etag-${{ hashFiles('certificates/cacert.pem') }}-${{ hashFiles('certificates/cacert.pem.sha256') }}
-          restore-keys: |
-            curl-etag-
-
-      - name: Get current certificate bundle if changed
-        working-directory: ./certificates
-        run: curl --etag-compare etag-cert.txt --etag-save etag-cert.txt --remote-name https://curl.se/ca/cacert.pem
-
-      - name: Get current SHA256 checksum file for the bundle if changed
-        working-directory: ./certificates
-        run: curl --etag-compare etag-sha.txt --etag-save etag-sha.txt --remote-name https://curl.se/ca/cacert.pem.sha256
-
-      - name: Verify the checksum of the downloaded bundle
-        working-directory: ./certificates
-        run: sha256sum --check cacert.pem.sha256
-
-      - name: "Debug info: Show git status"
-        run: git status -vv --untracked=all
-
-      # http://man7.org/linux/man-pages/man1/date.1.html
-      - name: "Get date"
-        id: get-date
-        run: echo "DATE=$(/bin/date -u "+%F")" >> "$GITHUB_OUTPUT"
-
-      - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          base: ${{ steps.branches.outputs.BASE }}
-          branch: ${{ steps.branches.outputs.PR_BRANCH }}
-          delete-branch: true
-          sign-commits: true
-          commit-message: ":lock_with_ink_pen: Update certificate bundle"
-          title: ":lock_with_ink_pen: Update certificate bundle"
-          body: |
-            Updated certificate bundle, last verified on ${{ steps.get-date.outputs.DATE }}.
-
-            Source: https://curl.se/docs/caextract.html
-
-            This PR is auto-generated by [create-pull-request](https://github.com/peter-evans/create-pull-request) using the `.github/workflows/update-cacert.yml` workflow.
-          labels: |
-            Type: enhancement
-          reviewers: |
-            jrfnl
-            schlessera
+    uses: ./.github/workflows/reusable-update-cacert.yml
