update baseline

.ds.baseline

@@ -133,7 +133,7 @@
         "filename": ".github/workflows/checks.yml",
         "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
         "is_verified": false,
-        "line_number": 27,
+        "line_number": 50,
         "is_secret": false
       },
       {
@@ -141,7 +141,7 @@
         "filename": ".github/workflows/checks.yml",
         "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
         "is_verified": false,
-        "line_number": 44,
+        "line_number": 67,
         "is_secret": false
       }
     ],
@@ -384,5 +384,5 @@
       }
     ]
   },
-  "generated_at": "2024-08-13T22:32:28Z"
+  "generated_at": "2024-08-22T14:22:18Z"
 }

.github/workflows/checks.yml

@@ -16,6 +16,29 @@ env:
   AWS_US_TOLL_FREE_NUMBER: "+18556438890"
 
 jobs:
+  rotate-secret:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Generate new secret value
+        id: generate-secret
+        run: |
+          # Generate a new random secret value
+          NEW_SECRET=$(openssl rand -base64 32)
+          echo "new-secret=$NEW_SECRET" >> $GITHUB_ENV
+      - name: Update GitHub secret
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NEW_SECRET: ${{ env.new-secret }}
+        run: |
+          # Update the secret in the repository
+          curl -X PUT \
+            -H "Authorization: token $GITHUB_TOKEN" \
+            -H "Accept: application/vnd.github.v3+json" \
+            https://api.github.com/repos/${{ github.repository }}/actions/secrets/DANGEROUS_SALT \
+            -d "{\"encrypted_value\":\"$(echo -n $NEW_SECRET | base64)\",\"key_id\":\"$(curl -H 'Authorization: token $GITHUB_TOKEN' https://api.github.com/repos/${{ github.repository }}/actions/secrets/public-key | jq -r '.key_id')\"}"
   build:
     runs-on: ubuntu-latest