From c529ba3da0ac45525c7e87a54961ef01853063d7 Mon Sep 17 00:00:00 2001
From: Andy Doan
Date: Tue, 15 Aug 2023 09:21:59 -0500
Subject: [PATCH] github: Add cron job for refreshing TUF timestamp This will run every hours. It will call a script: https://github.com/foundriesio/fioctl/blob/tuf-metadata/refresh-metadata.sh That will check if the timestamp is expiring in the next 48 hours. If so, it will update the timestamp for another 7 days.
Signed-off-by: Andy Doan
---
.github/workflows/tuf.yml | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 .github/workflows/tuf.yml
diff --git a/.github/workflows/tuf.yml b/.github/workflows/tuf.yml
new file mode 100644
index 00000000..b400c7a0
--- /dev/null
+++ b/.github/workflows/tuf.yml
@@ -0,0 +1,27 @@
+name: Refresh timestamp metadata
+on:
+ schedule:
+ # every 8 hours
+ - cron: '0 */8 * * *'
+ workflow_dispatch:
+ branches: [ main ]
+
+jobs:
+ resign:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ ref: tuf-metadata
+ - name: Setup signing key
+ env:
+ TIMESTAMP_JSON: ${{ secrets.TUF_TIMESTAMP_JSON }}
+ run: |
+ mkdir keys
+ echo "$TIMESTAMP_JSON" > keys/timestamp.json
+ - name: Sign
+ env:
+ TUF_TIMESTAMP_PASSPHRASE: ${{ secrets.TUF_TIMESTAMP_PASSPHRASE}}
+ run: |
+ ./refresh-metadata.sh
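Review bot: The `Setup signing key` step writes the TUF timestamp private key to `keys/timestamp.json` inside the checked-out `tuf-metadata` working tree with the default umask, and the `Sign` step then runs `./refresh-metadata.sh` from that same branch with the passphrase in its environment. The script is not part of this patch, so if it stages files broadly before pushing, the key could be committed; I would add `umask 077` as the first line of that `run:` block and confirm `keys/` is git-ignored on `tuf-metadata`. Because anyone who can push to `tuf-metadata` controls the code that sees both secrets, that branch needs the same protection and review rules as `main`. For a job holding signing material, `actions/checkout@v3` is a mutable tag and is better pinned as `actions/checkout@<full-commit-sha> # v3`, with a job-level `permissions:` block limited to what the push needs (presumably `contents: write`). Separately, `branches: [ main ]` under `workflow_dispatch` is not a key that trigger documents (it takes `inputs`), so it should probably be dropped.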