check-stale-keys.yml

name: Check stale keys
on:
  schedule:
    # 11 pm UTC -> 10/11 am NZ, Tuesdays
    - cron: '0 23 * * 2'

jobs:
  check-for-stale-keys:
    runs-on: ubuntu-latest
    outputs:
      ssh_stale: ${{ steps.stale_files.outputs.ssh_stale }}
      old_keys: ${{ steps.stale_files.outputs.old_keys }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: check stale files
        id: stale_files
        run: |
          set -x
          cd ssh
          git ls-tree -r --name-only HEAD | while read filename; do
           [[ "$(git log -1 --format="%at" -- $filename)" < "$(date  --date='2 years ago' +%s)"  ]] && echo "$(git log -1 --format="%ad" --date=format:'%Y-%m-%dT%H:%M:%S%z' -- $filename) $filename"
          done >> old_keys.txt || /bin/true
          # Using grep to skip keys where a yubi key is used so rotation not required.
          OLD_KEYS=$(\
            cat old_keys.txt |\
            grep -v eugene_authorized_keys |\
            tr '\n' ';'\
          )

          echo "::set-output name=old_keys::$OLD_KEYS"
          if [ -s old_keys.txt ]; then
            # The file is not-empty.
            # Notify via slack?
            echo "::set-output name=ssh_stale::true"

          else
            # The file is empty.
            echo "::set-output name=ssh_stale::false"
          fi

  notify-for-stale-keys:
    runs-on: ubuntu-latest
    needs: check-for-stale-keys
    if: needs.check-for-stale-keys.outputs.ssh_stale == 'true'
    steps:
      - name: Post to a Slack channel
        id: slack
        uses: slackapi/slack-github-action@v1.18.0
        with:
          payload: |
            {
              "slack-message": "Stale ssh keys:\n ${{ needs.check-for-stale-keys.outputs.old_keys }}"
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}