
feat: automated cert/CRL deployment to orphan dist branch with 21-day cadence#1

Draft
Copilot wants to merge 3 commits into main from copilot/create-autodeployment-process

Conversation


Copilot AI commented Mar 20, 2026

Clients referencing this repo as a Git submodule should only see certificate artifacts — not workflows, scripts, or source PEM files. This adds an automated pipeline that publishes only the OpenSSL hash-named files to a clean dist branch on push to main and on a 21-day cadence.

Changes

Repository reorganization

  • Moved 8a5a09f0.0 → certs/intermediate_ca.pem and e16db44c.0 → certs/root_ca.pem
  • certs/ holds source PEM files; hash-named outputs are generated at deploy time and gitignored

.github/workflows/deploy.yml

Pipeline behavior:

  1. Triggers on push to main and on a daily schedule
  2. Applies a cadence gate so scheduled publishing runs every 21 days (CRL_INTERVAL_DAYS=21)
  3. Clones cfms-dev/certtools and installs its cryptography dependency
  4. Validates every certs/*.pem using the cryptography library — fails fast on malformed input
  5. Generates a CRL for the intermediate CA only (root CA explicitly excluded) using INTERMEDIATE_CA_KEY_PEM
  6. Runs openssl rehash certs/ to produce <hash>.[0-9] (certs) and <hash>.r[0-9] (CRLs) symlinks
  7. Copies artifacts (symlinks resolved to real content) into a staging directory
  8. Force-pushes staging as a fresh orphan dist branch — no main history, no source files
```sh
# Force-push to dist as an orphan branch (no shared history with main)
git push origin HEAD:dist --force
```

Clients should pin their submodule to the dist branch.

.gitignore

Excludes openssl rehash-generated symlinks (certs/[0-9a-f]{8}.[0-9], certs/[0-9a-f]{8}.r[0-9]) from accidental staging on developer machines.

Warning

CRL generation requires the INTERMEDIATE_CA_KEY_PEM repository secret (PEM-encoded private key for certs/intermediate_ca.pem). If this secret is missing, the workflow fails by design.



Co-authored-by: Creeper19472 <38857196+Creeper19472@users.noreply.github.com>
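The eight pipeline steps above, as an added offline dry run that is not the PR's workflow or the certtools project's code. It builds a throwaway root and intermediate CA inline (constructed material, keys kept out of certs/), uses plain openssl commands in place of the cloned cfms-dev/certtools and its cryptography dependency for validation and CRL issuance, runs openssl rehash, stages only hash-named entries with symlinks resolved, and force-pushes them as a parentless dist branch into a local bare repository that stands in for origin. The cadence gate is an assumption: the PR does not say how it decides that 21 days have passed, and this version compares the dist branch's last commit time with now. Function names, paths and the --demo flag are hypothetical.

```shell
#!/bin/sh
# Added example, not the PR's workflow: an offline dry run of the publish steps.
# The CA material is a throwaway PKI constructed below; openssl stands in for
# the cfms-dev/certtools + cryptography steps the PR actually uses.
set -eu

# is_hash_name NAME: true for openssl rehash output, <8 hex>.<n> (cert) or <8 hex>.r<n> (CRL).
is_hash_name() {
  expr "$1" : '[0-9a-f]\{8\}\.r\{0,1\}[0-9]$' >/dev/null
}

# cadence_due LAST_EPOCH NOW_EPOCH [DAYS]: true when a scheduled run should publish.
# Assumption (the PR does not say how its gate works): compare the dist branch's
# last commit time, e.g. `git log -1 --format=%ct origin/dist`, against now.
cadence_due() {
  [ $(( $2 - $1 )) -ge $(( ${3:-21} * 86400 )) ]
}

# make_test_pki DIR: constructed root and intermediate CA; private keys stay in DIR/private,
# mirroring the PR's rule that only certs/*.pem are published.
make_test_pki() {
  mkdir -p "$1/certs" "$1/private"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -sha256 -days 30 \
    -subj "/CN=Example Root CA" -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$1/private/root_ca.key" -out "$1/certs/root_ca.pem" 2>/dev/null
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$1/private/intermediate_ca.key" -out "$1/intermediate.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$1/intermediate.ext"
  openssl x509 -req -sha256 -days 30 -in "$1/intermediate.csr" \
    -CA "$1/certs/root_ca.pem" -CAkey "$1/private/root_ca.key" -CAcreateserial \
    -extfile "$1/intermediate.ext" -out "$1/certs/intermediate_ca.pem" 2>/dev/null
}

# validate_pems DIR: fail fast if any certs/*.pem does not parse as an X.509 certificate.
validate_pems() {
  for f in "$1"/certs/*.pem; do
    openssl x509 -in "$f" -noout 2>/dev/null || { echo "malformed PEM: $f" >&2; return 1; }
  done
}

# gen_crl DIR: issue a CRL signed by the intermediate CA only (root excluded),
# with nextUpdate 21 days out to match CRL_INTERVAL_DAYS=21.
gen_crl() {
  : > "$1/index.txt"
  echo 01 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = intermediate
[ intermediate ]
database = $1/index.txt
crlnumber = $1/crlnumber
default_md = sha256
default_crl_days = 21
EOF
  openssl ca -config "$1/ca.cnf" -gencrl -keyfile "$1/private/intermediate_ca.key" \
    -cert "$1/certs/intermediate_ca.pem" -out "$1/certs/intermediate_ca.crl" 2>/dev/null
  # Check the CRL signature chains to the intermediate before it is published.
  openssl crl -in "$1/certs/intermediate_ca.crl" -CAfile "$1/certs/intermediate_ca.pem" -noout 2>/dev/null
}

# stage_artifacts DIR: run openssl rehash, then copy only hash-named entries with symlinks
# resolved, so no workflow, script, key or source PEM can reach the dist tree.
stage_artifacts() {
  openssl rehash "$1/certs" >/dev/null 2>&1
  rm -rf "$1/stage"; mkdir -p "$1/stage"
  for entry in "$1"/certs/*; do
    name=$(basename "$entry")
    is_hash_name "$name" || continue
    cat "$entry" > "$1/stage/$name"
  done
}

# push_orphan_dist DIR: commit the staging tree with no parent and force-push it as dist.
push_orphan_dist() {
  git init -q --bare "$1/origin.git"
  git -C "$1/stage" init -q
  git -C "$1/stage" -c user.name=ci -c user.email=ci@example.invalid add -A
  git -C "$1/stage" -c user.name=ci -c user.email=ci@example.invalid commit -q -m "publish certs and CRLs"
  git -C "$1/stage" push -q --force "$1/origin.git" HEAD:dist
}

# dist_files DIR: what a submodule pinned to dist would check out.  dist_commits DIR: history depth.
dist_files()   { git -C "$1/origin.git" ls-tree --name-only dist; }
dist_commits() { git -C "$1/origin.git" rev-list --count dist; }

run_pipeline() {
  make_test_pki "$1"; validate_pems "$1"; gen_crl "$1"; stage_artifacts "$1"; push_orphan_dist "$1"
}

if [ "${1:-}" = "--demo" ]; then
  D=$(mktemp -d)
  run_pipeline "$D"
  echo "dist has $(dist_commits "$D") commit(s):"; dist_files "$D"
fi
```

Run it as `sh publish_dry_run.sh --demo` (hypothetical file name); the listing it prints is exactly the tree a submodule client sees, three hash-named files and a single commit with no main history. The published layout is the one OpenSSL's hashed directory lookup (`openssl verify -CApath`, `SSL_CTX_load_verify_locations` with a directory) expects, so clients can point at the checkout directly. Two caveats: `is_hash_name` uses a POSIX regex interval, but .gitignore globs have no `{8}` quantifier, so an ignore rule for the same names has to be spelled with eight `?` wildcards; and the `openssl crl -CAfile` check is worth keeping in the real pipeline, since a CRL that does not chain to the intermediate would be published under a valid-looking `<hash>.r0` name and silently ignored by verifiers.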
Copilot AI changed the title [WIP] Add automated deployment process for CA certificate repository feat: automated cert deployment to orphan dist branch Mar 20, 2026
Copilot AI requested a review from Creeper19472 March 20, 2026 12:46
@Creeper19472
Contributor

@copilot You should also generate CRL for needed certs (exclude root CA). Then you should run this process regularly, we stipulate that it should be run every 21 days.

Author

Copilot AI commented Mar 20, 2026

@copilot You should also generate CRL for needed certs (exclude root CA). Then you should run this process regularly, we stipulate that it should be run every 21 days.

Implemented in commit f0d2c58: the workflow now generates a CRL for the intermediate CA only (root CA explicitly excluded) and runs on a regular 21-day cadence via a scheduled trigger plus cadence gate.

@copilot You should also generate CRL for needed certs (exclude root CA). Then you should run this process regularly, we stipulate that it should be run every 21 days.

Implemented in commit f0d2c58: the workflow now generates a CRL for the intermediate CA only (root CA explicitly excluded) and runs on a regular 21-day cadence via a scheduled trigger plus cadence gate.

Copilot AI changed the title feat: automated cert deployment to orphan dist branch feat: automated cert/CRL deployment to orphan dist branch with 21-day cadence Mar 20, 2026
@cfms-dev cfms-dev deleted a comment from Copilot AI Mar 20, 2026
@cfms-dev cfms-dev deleted a comment from Copilot AI Mar 20, 2026
@cfms-dev cfms-dev deleted a comment from Copilot AI Mar 20, 2026
@cfms-dev cfms-dev deleted a comment from Copilot AI Mar 20, 2026
@cfms-dev cfms-dev deleted a comment from Copilot AI Mar 20, 2026