From b29c2c2f8ccaec6be115741a2e73688c02077d63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mathieu=20M=C3=A9a?=
Date: Wed, 25 Feb 2026 15:29:54 -0500
Subject: [PATCH 1/5] CI > update SSL cert frequently
---
.github/workflows/mt-update-ssl-cert.yml | 48 ++++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 .github/workflows/mt-update-ssl-cert.yml
diff --git a/.github/workflows/mt-update-ssl-cert.yml b/.github/workflows/mt-update-ssl-cert.yml
new file mode 100644
index 00000000..b7d94b9e
--- /dev/null
+++ b/.github/workflows/mt-update-ssl-cert.yml
@@ -0,0 +1,48 @@
+name: MT update SSL cert
+on:
+ workflow_dispatch: # manual
+ schedule:
+ - cron: '0 10 * * 2' # Tuesdays @ 10am UTC # WEEKLY https://crontab.guru/#0_10_*_*_2
+# gh workflow run mt-update-ssl-cert.yml --ref
+# gh run list --workflow=mt-update-ssl-cert.yml
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+env:
+ # git commit & push
+ MT_ORG_GIT_COMMIT_ON: ${{ secrets.MT_ORG_GIT_COMMIT_ON }}
+ MT_ORG_GIT_COMMIT_OFF: ${{ secrets.MT_ORG_GIT_COMMIT_OFF }}
+ MT_GIT_COMMIT_ON: ${{ secrets.MT_GIT_COMMIT_ON }}
+ MT_GIT_COMMIT_OFF: ${{ secrets.MT_GIT_COMMIT_OFF }}
+jobs:
+ MT-UPDATE-SSL-CERT-JOB:
+ name: "MT Update SSL cert"
+ runs-on: ubuntu-latest
+ steps:
+ - name: T checkout repo
+ uses: actions/checkout@v6
+
+ - name: MT files paths
+ run: |
+ echo "MOZILLA_ROOTS_URL=https://ccadb.my.salesforce-sites.com/mozilla/IncludedRootsPEMCSV?TrustBitsInclude=Websites" >> "$GITHUB_ENV"
+ echo "MOZILLA_ROOTS_PEM_FILE=src/main/res-cert/raw/mozilla_roots_pem" >> "$GITHUB_ENV"
+
+ - name: MT fetch latest SSL cert
+ run: |
+ curl -o "$MOZILLA_ROOTS_URL" > "$MOZILLA_ROOTS_PEM_FILE"
+
+ - name: MT create pull request
+ id: create-pull-request
+ uses: peter-evans/create-pull-request@v7
+ with:
+ token: ${{ secrets.MT_PAT }} # use our token to trigger workflow events
+ committer: ${{ secrets.MT_BOT_USER_NAME }} <${{ secrets.MT_BOT_USER_EMAIL }}>
+ author: ${{ secrets.MT_BOT_USER_NAME }} <${{ secrets.MT_BOT_USER_EMAIL }}>
+ commit-message: Update SSL cert
+ title: Update SSL cert
+ body: |
+ Update SSL cert
+ branch: update_ssl_cert_${{ env.MT_BASE_BRANCH }}
+ base: ${{ env.MT_BASE_BRANCH }}
+ add-paths: |
+ src/main/res-cert/raw/mozilla_roots_pem
\ No newline at end of file
From c0bdd594d5f5064b14e2cb381ae0313627fc6db5 Mon Sep 17 00:00:00 2001
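Review bot: Both `uses:` lines reference mutable tags (`actions/checkout@v6`, `peter-evans/create-pull-request@v7`), and the second step is handed `secrets.MT_PAT`, so whatever code the tag points to at run time executes with that token. Pin each action to a full commit SHA and keep the tag as a comment, e.g. `uses: peter-evans/create-pull-request@<full-commit-sha> # v7`. The workflow also has no `permissions:` block, so the job's GITHUB_TOKEN keeps the repository default; since the PR is pushed with the PAT, a top-level `permissions:` limited to `contents: read` is likely sufficient, to be confirmed with a manual run.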
From: =?UTF-8?q?Mathieu=20M=C3=A9a?= Date: Wed, 25 Feb 2026 15:34:48 -0500 Subject: [PATCH 2/5] wip --- .github/workflows/mt-update-ssl-cert.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/mt-update-ssl-cert.yml b/.github/workflows/mt-update-ssl-cert.yml index b7d94b9e..d6a2f95f 100644 --- a/.github/workflows/mt-update-ssl-cert.yml +++ b/.github/workflows/mt-update-ssl-cert.yml @@ -1,9 +1,10 @@ name: MT update SSL cert on: workflow_dispatch: # manual + pull_request: #DEBUG schedule: - cron: '0 10 * * 2' # Tuesdays @ 10am UTC # WEEKLY https://crontab.guru/#0_10_*_*_2 -# gh workflow run mt-update-ssl-cert.yml --ref +# gh workflow run mt-update-ssl-cert.yml --ref $(git rev-parse --abbrev-ref HEAD) # gh run list --workflow=mt-update-ssl-cert.yml concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -29,7 +30,11 @@ jobs: - name: MT fetch latest SSL cert run: | - curl -o "$MOZILLA_ROOTS_URL" > "$MOZILLA_ROOTS_PEM_FILE" + curl \ + --verbose \ + --location \ + --output "$MOZILLA_ROOTS_PEM_FILE" \ + "$MOZILLA_ROOTS_URL"; - name: MT create pull request id: create-pull-request @@ -45,4 +50,4 @@ jobs: branch: update_ssl_cert_${{ env.MT_BASE_BRANCH }} base: ${{ env.MT_BASE_BRANCH }} add-paths: | - src/main/res-cert/raw/mozilla_roots_pem \ No newline at end of file + src/main/res-cert/raw/mozilla_roots_pem From 9b520b70953d38795a77d919a05b9e06ada09695 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mathieu=20M=C3=A9a?= Date: Wed, 25 Feb 2026 15:35:42 -0500 Subject: [PATCH 3/5] PR comments --- .github/workflows/mt-update-ssl-cert.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/mt-update-ssl-cert.yml b/.github/workflows/mt-update-ssl-cert.yml index d6a2f95f..1f523f4c 100644 --- a/.github/workflows/mt-update-ssl-cert.yml +++ b/.github/workflows/mt-update-ssl-cert.yml 
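Review bot: The rewritten `curl` call in the "MT fetch latest SSL cert" step still has no `--fail`, so an HTTP error body would be written to `$MOZILLA_ROOTS_PEM_FILE` and proposed as the new root list. Add `--fail --proto '=https' --proto-redir '=https'` so a failed request stops the job and the redirect that `--location` follows cannot leave HTTPS. The target path suggests this file is the trust-anchor set shipped with the app, so the step should also reject an implausible download before the PR step runs, e.g. `test "$(grep -c 'BEGIN CERTIFICATE' "$MOZILLA_ROOTS_PEM_FILE")" -ge <min-expected-count>`. A one-line comment above the step saying that review of the generated PR is the integrity gate for this file would help whoever approves each weekly update.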
@@ -10,17 +10,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true env: - # git commit & push - MT_ORG_GIT_COMMIT_ON: ${{ secrets.MT_ORG_GIT_COMMIT_ON }} - MT_ORG_GIT_COMMIT_OFF: ${{ secrets.MT_ORG_GIT_COMMIT_OFF }} - MT_GIT_COMMIT_ON: ${{ secrets.MT_GIT_COMMIT_ON }} - MT_GIT_COMMIT_OFF: ${{ secrets.MT_GIT_COMMIT_OFF }} + MT_BOT_USER_NAME: ${{ secrets.MT_BOT_USER_NAME }} + MT_BOT_USER_EMAIL: ${{ secrets.MT_BOT_USER_EMAIL }} + MT_BASE_BRANCH: ${{ github.event_name == 'pull_request' && github.head_ref || github.ref_name }} jobs: MT-UPDATE-SSL-CERT-JOB: name: "MT Update SSL cert" runs-on: ubuntu-latest steps: - - name: T checkout repo + - name: MT checkout repo uses: actions/checkout@v6 - name: MT files paths From 531b23c460aac36a9a54d717be251309f8d3cada Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mathieu=20M=C3=A9a?= Date: Wed, 25 Feb 2026 15:46:41 -0500 Subject: [PATCH 4/5] fix URL --- .github/workflows/mt-update-ssl-cert.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mt-update-ssl-cert.yml b/.github/workflows/mt-update-ssl-cert.yml index 1f523f4c..88fa1560 100644 --- a/.github/workflows/mt-update-ssl-cert.yml +++ b/.github/workflows/mt-update-ssl-cert.yml @@ -23,7 +23,7 @@ jobs: - name: MT files paths run: | - echo "MOZILLA_ROOTS_URL=https://ccadb.my.salesforce-sites.com/mozilla/IncludedRootsPEMCSV?TrustBitsInclude=Websites" >> "$GITHUB_ENV" + echo "MOZILLA_ROOTS_URL=https://ccadb.my.salesforce-sites.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites" >> "$GITHUB_ENV" echo "MOZILLA_ROOTS_PEM_FILE=src/main/res-cert/raw/mozilla_roots_pem" >> "$GITHUB_ENV" - name: MT fetch latest SSL cert From a02c24fbde8aa8aa93f8fbd1b640c94650e7696b Mon Sep 17 00:00:00 2001 
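Review bot: `MT_BOT_USER_NAME` and `MT_BOT_USER_EMAIL` are added to the workflow-level `env:` block, which exports both secrets into every step's environment, while the create-pull-request step from patch 1 reads `secrets.MT_BOT_USER_NAME` and `secrets.MT_BOT_USER_EMAIL` directly and nothing visible uses the env copies. Drop the two `env:` entries, or scope them to the one step that needs them. `MT_BASE_BRANCH` takes `github.head_ref` on `pull_request` events, a value chosen by the PR author; it is only passed through `with:` inputs here, and a comment such as `# contributor-controlled on pull_request: never interpolate into run:` would keep it that way. The `jobs:` block continues outside the hunk.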
From: =?UTF-8?q?Mathieu=20M=C3=A9a?= Date: Wed, 25 Feb 2026 15:49:53 -0500 Subject: [PATCH 5/5] Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/mt-update-ssl-cert.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/mt-update-ssl-cert.yml b/.github/workflows/mt-update-ssl-cert.yml index 88fa1560..6830d5b1 100644 --- a/.github/workflows/mt-update-ssl-cert.yml +++ b/.github/workflows/mt-update-ssl-cert.yml @@ -1,7 +1,6 @@ name: MT update SSL cert on: workflow_dispatch: # manual - pull_request: #DEBUG schedule: - cron: '0 10 * * 2' # Tuesdays @ 10am UTC # WEEKLY https://crontab.guru/#0_10_*_*_2 # gh workflow run mt-update-ssl-cert.yml --ref $(git rev-parse --abbrev-ref HEAD)