openvpn-install/.github/workflows/update-easyrsa-hash.yml

name: Update Easy-RSA SHA256

# Note: This workflow commits and pushes changes to openvpn-install.sh.
# Uses PAT to trigger CI on the resulting commit. Infinite recursion is prevented
# by the 'renovate/' branch prefix check - CI commits don't re-trigger this workflow.
# Requires: Create a PAT with 'contents: write' scope and add as repository secret 'PAT'

on:
  pull_request:
    types: [opened, synchronize]
    paths:
      - "openvpn-install.sh"

permissions:
  contents: read

jobs:
  update-hash:
    if: startsWith(github.head_ref, 'renovate/')
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.head_ref }}
          token: ${{ secrets.PAT }}
          persist-credentials: false

      - name: Extract version and update SHA256
        run: |
          VERSION=$(grep -oP 'EASYRSA_VERSION="\K[^"]+' openvpn-install.sh)
          if [ -z "$VERSION" ]; then
            echo "Error: Failed to extract EASYRSA_VERSION"
            exit 1
          fi
          echo "Easy-RSA version: $VERSION"

          CURRENT_SHA=$(grep -oP 'EASYRSA_SHA256="\K[^"]+' openvpn-install.sh)
          if [ -z "$CURRENT_SHA" ]; then
            echo "Error: Failed to extract EASYRSA_SHA256"
            exit 1
          fi
          echo "Current SHA256: $CURRENT_SHA"

          TARBALL_URL="https://github.com/OpenVPN/easy-rsa/releases/download/v${VERSION}/EasyRSA-${VERSION}.tgz"
          if ! curl -fsSL "$TARBALL_URL" -o /tmp/easyrsa.tgz; then
            echo "Error: Failed to download Easy-RSA tarball from $TARBALL_URL"
            exit 1
          fi
          NEW_SHA=$(sha256sum /tmp/easyrsa.tgz | cut -d' ' -f1)
          echo "New SHA256: $NEW_SHA"

          if [ "$CURRENT_SHA" != "$NEW_SHA" ]; then
            sed -i "s|EASYRSA_SHA256=\"$CURRENT_SHA\"|EASYRSA_SHA256=\"$NEW_SHA\"|" openvpn-install.sh
            echo "SHA256 updated"
            echo "HASH_CHANGED=true" >> "$GITHUB_ENV"
          else
            echo "SHA256 already correct"
          fi

      - name: Commit changes
        if: env.HASH_CHANGED == 'true'
        env:
          PAT: ${{ secrets.PAT }}
        run: |
          if ! git diff --quiet openvpn-install.sh; then
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git remote set-url origin "https://x-access-token:${PAT}@github.com/${{ github.repository }}"
            git add openvpn-install.sh
            git commit -m "chore: update Easy-RSA SHA256 hash"
            git push
          else
            echo "No changes to commit"
          fi