From e1d1c5e26ee291018cd217af3f734066af67e1c2 Mon Sep 17 00:00:00 2001
From: Artur Neumann
Date: Fri, 24 Jan 2025 16:01:43 +0545
Subject: [PATCH 1/2] automatically validate all timestamps any time a change is proposed or incrporated int the archive (main branch) this check runs and 1. checks if all certificates of the Time-stamping authorities are as expected 2. all new and historic time-stamps are valid
---
.gitea/workflows/validate.yaml | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 .gitea/workflows/validate.yaml
diff --git a/.gitea/workflows/validate.yaml b/.gitea/workflows/validate.yaml
new file mode 100644
index 0000000..1033fc9
--- /dev/null
+++ b/.gitea/workflows/validate.yaml
@@ -0,0 +1,32 @@
+name: Validate Trusted Timestamps Actions Demo
+run-name: ${{ gitea.actor }} is validating the trusted timestamps of all commits 🚀
+on: [push]
+
+variables:
+ EXPECTED_TRUSTANCHORS_HASH: "70a1c7e2fc62a0b62e44063f0e730b20b0f209d15c84b310ad06ce616c352829"
+
+jobs:
+ Validate:
+ runs-on: ubuntu-latest
+ timeout-minutes: 2
+ steps:
+ - name: Install extra software
+ run: |
+ apt-get update
+ apt-get install -y xxd
+ - name: Check out repository code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Setup timestamping authorities
+ run: |
+ git config --local timestamping.tsa0.url https://freetsa.org/tsr
+ bash -c 'yes | ./hooks/trust.sh https://freetsa.org/tsr'
+ git config --local timestamping.tsa1.url https://tsa.cesnet.cz:3162/tsa
+ bash -c 'yes | ./hooks/trust.sh https://tsa.cesnet.cz:3162/tsa'
+ - name: Check hashes of all trustanchors
+ run: |
+ ./hooks/validate_trustanchors_hash.sh .git/hoqoks/trustanchors ${{ EXPECTED_TRUSTANCHORS_HASH }}
+ - name: Validate timestamps of all commits
+ run: |
+ ./hooks/validate.sh --minversion 0
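Review bot: The `Check hashes of all trustanchors` step is the only integrity check on certificates that the previous step accepts unattended (`yes | ./hooks/trust.sh …`), and as written the pinned value probably never reaches it: `variables:` is not a top-level key in Actions workflow syntax and `${{ EXPECTED_TRUSTANCHORS_HASH }}` names no expression context. Declaring the value under `env:` and passing `"${{ env.EXPECTED_TRUSTANCHORS_HASH }}"` (quoted, so an empty expansion is still an argument the script can reject) would wire it through. The path `.git/hoqoks/trustanchors` in the same step looks like a misspelling of the hooks directory and should be checked against where `trust.sh` writes the anchors. It is also worth confirming that `validate_trustanchors_hash.sh` exits non-zero on a missing directory or an empty expected hash, since that script is not part of this patch.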