Refresh UEFI Secure Boot revocation list #322
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Refresh UEFI Secure Boot revocation list | |
| on: | |
| schedule: | |
| # At 23:35 on every day-of-week from Sunday through Saturday | |
| # https://crontab.guru/#35_23_*_*_0-6 | |
| - cron: '35 23 * * 0-6' | |
| workflow_dispatch: | |
| jobs: | |
| check: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| path: edk2 | |
| - name: Checkout microsoft/secureboot_objects | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: microsoft/secureboot_objects | |
| path: secureboot_objects | |
| - name: Check if DBX is out-of-date | |
| run: | | |
| old=$(sha256sum edk2/DasharoPayloadPkg/SecureBootDefaultKeys/DBXUpdate.bin | awk '{ print $1 }') | |
| new=$(sha256sum secureboot_objects/PostSignedObjects/DBX/amd64/DBXUpdate.bin | awk '{ print $1 }') | |
| if [ "$old" = "$new" ]; then | |
| echo 'UEFI DBX is up-to-date.' | |
| else | |
| echo 'UEFI DBX is out of date.' | |
| exit 1 | |
| fi | |
| update: | |
| runs-on: ubuntu-latest | |
| needs: check | |
| if: | | |
| always() && needs.check.result == 'failure' | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| path: edk2 | |
| - name: Checkout microsoft/secureboot_objects | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: microsoft/secureboot_objects | |
| path: secureboot_objects | |
| - name: Update DBX blob | |
| run: | | |
| cp secureboot_objects/PostSignedObjects/DBX/amd64/DBXUpdate.bin edk2/DasharoPayloadPkg/SecureBootDefaultKeys/DBXUpdate.bin | |
| - name: Set current date | |
| run: | | |
| pushd secureboot_objects | |
| echo "RELEASE_DATE=$(git log -1 --pretty='format:%cs' PostSignedObjects/DBX/amd64/DBXUpdate.bin)" >> ${GITHUB_ENV} | |
| popd | |
| - name: Submit pull request | |
| uses: peter-evans/[email protected] | |
| with: | |
| path: edk2 | |
| base: dasharo | |
| branch: update_dbx_${{ env.RELEASE_DATE }} | |
| title: Update DBX ${{ env.RELEASE_DATE }} | |
| commit-message: "[automated change] Update DBX ${{ env.RELEASE_DATE }}" | |