Refresh certificates

[djc]

I think we should backport this to a 0.25.3 release?

[cpu]

I'm confused; why hasn't the CI task failed from an uncommitted diff based on upstream changes? 🤔

[djc]

Not sure -- maybe they happened today? Or the workflow got disabled because there was no activity for 60 days?

[cpu]

Not sure -- maybe they happened today? Or the workflow got disabled because there was no activity for 60 days?

It looks like a scheduled run ran yesterday without error, so maybe it was just a recent change. I've been making a point to check this repo's action history to make sure it hasn't been silently failing. I'll see if I can figure something out conclusively.

I think we should backport this to a 0.25.3 release?

SGTM. I can do that.

[djc]

SGTM. I can do that.

Thanks!

[cpu]

It looks like a scheduled run ran yesterday without error, so maybe it was just a recent change.

I found the relevant tickets in the Mozilla bug tracker and linked to them in the rel-0.25 backport release notes: #53

I can't find a source of historical data for the CCADB CSV reports but given the timestamps of the bugs being closed and action being taken to update NSS within the last ~7 days I think the CCADB update likely happened ~today/yesterday and we missed it with yesterday's scheduled run. When I ran the tooling locally before this branch landed it picked up the changes and failed the test as expected.

[cpu]

Further evidence things are working correctly: Firefox 121 is the first version with these updates and it was released 2023-11-21 so that would also coincide with ~yesterday being the date https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReportPEMCSV was updated.

Edit: Last confirmation: my fork wasn't sync'd and today's scheduled task failed.