
feat: add GitHub Actions workflow to check pinned CA certificate validity #1112

Open
AlexKaravaev wants to merge 2 commits into main from
codex/linear-mention-orbs-860-automated-checking-validity-of-pin

Conversation

@AlexKaravaev
Contributor

Motivation

  • Ensure pinned CA certificates in security-utils/certs are valid and rotated before they expire.
  • Provide an automated notification to maintainers when certificates will expire within 60 days.

Description

  • Add a scheduled and workflow_dispatch GitHub Actions workflow security-utils-cert-validity.yaml that runs daily at 03:00 and checks all security-utils/certs/*.pem.
  • Use openssl to validate certificate format, fail on already expired certs, and flag certs expiring within 60 days using threshold_seconds and openssl -checkend, and expose expiring_certs via GITHUB_OUTPUT.
  • On failure, use actions/github-script@v7 to create or update a GitHub issue (label security) listing affected certificates.

Testing

  • No automated tests were run for this change.

Codex Task
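An added example, not the PR's workflow and not the project's code, of the check step the description outlines: a shell function that validates every `*.pem` with openssl, fails on malformed or already-expired certificates, flags those expiring within `threshold_seconds` via `openssl x509 -checkend`, and writes `expiring_certs` to `GITHUB_OUTPUT`. The directory `security-utils/certs`, the 60-day window and the `expiring_certs` output come from the description; the function names, the exit codes, the `invalid_certs` output and the GitHub `::error`/`::warning` annotations are this example's own choices. It deliberately records malformed and expired certificates as a step output too, so a later notification step can key on both kinds of failure rather than only on expiring certificates.

```bash
#!/usr/bin/env bash
# Added example, not the PR's workflow: a certificate check a
# "check pinned CA certs" step could run. Function and variable names,
# exit codes and the invalid_certs output are assumptions of this example.
set -u

# check_certs CERT_DIR THRESHOLD_SECONDS
#   0 = every cert parses, is unexpired and outlives the threshold
#   1 = at least one cert is malformed or already expired (hard failure)
#   2 = all certs valid, but at least one expires within the threshold
# Results are left in EXPIRING_CERTS / INVALID_CERTS (space-separated file
# names) and, when GITHUB_OUTPUT is set, appended there as step outputs.
check_certs() {
  local cert_dir="$1" threshold_seconds="$2" cert name enddate status=0
  EXPIRING_CERTS=""
  INVALID_CERTS=""

  for cert in "$cert_dir"/*.pem; do
    # An unmatched glob stays literal: no .pem files is itself an error.
    if [ ! -e "$cert" ]; then
      echo "::error::no .pem files found in $cert_dir" >&2
      return 1
    fi
    name=$(basename "$cert")

    # 1. The file must parse as an X.509 certificate at all.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
      echo "::error file=$cert::not a parseable PEM certificate" >&2
      INVALID_CERTS="$INVALID_CERTS $name"
      status=1
      continue
    fi

    # 2. -checkend 0 exits non-zero when notAfter is already in the past.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
      echo "::error file=$cert::certificate has already expired" >&2
      INVALID_CERTS="$INVALID_CERTS $name"
      status=1
      continue
    fi

    # 3. -checkend N exits non-zero when notAfter falls within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$threshold_seconds" >/dev/null 2>&1; then
      enddate=$(openssl x509 -in "$cert" -noout -enddate)
      echo "::warning file=$cert::expires within threshold ($enddate)" >&2
      EXPIRING_CERTS="$EXPIRING_CERTS $name"
      if [ "$status" -eq 0 ]; then status=2; fi
    fi
  done

  # Trim the leading separator left by the accumulation above.
  EXPIRING_CERTS="${EXPIRING_CERTS# }"
  INVALID_CERTS="${INVALID_CERTS# }"

  # Publish outputs before returning, so a notification step can react to
  # malformed/expired certs and not only to expiring ones.
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    {
      echo "expiring_certs=$EXPIRING_CERTS"
      echo "invalid_certs=$INVALID_CERTS"
    } >> "$GITHUB_OUTPUT"
  fi
  return "$status"
}

# Defaults taken from the PR description: the pinned-cert directory and a
# 60-day window expressed in seconds (5184000).
check_pinned_certs() {
  check_certs "${1:-security-utils/certs}" "$((60 * 24 * 60 * 60))"
}

# Run directly with a directory argument, e.g. from a `run:` step:
#   ./check-certs.sh security-utils/certs
if [ $# -gt 0 ]; then
  check_pinned_certs "$1"
  exit $?
fi
```

Exit code 2 is distinct from 1 so a workflow can still fail the job on expiring certificates while a notification step reads `invalid_certs` and `expiring_certs` together, which addresses the case of a malformed or already-expired file aborting the check before any output is written.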

@AlexKaravaev AlexKaravaev requested a review from a team as a code owner March 25, 2026 10:33

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fc79b7bf5a


fi

- name: Notify maintainers via GitHub issue
if: failure() && steps.cert_check.outputs.expiring_certs != ''

P2: Notify on all certificate check failures

The notification step only runs when steps.cert_check.outputs.expiring_certs is non-empty, but the check step exits immediately for invalid or already expired certificates before writing that output. In those cases the workflow fails silently (no issue is created/updated), which defeats the automation for the most urgent certificate problems and leaves maintainers reliant on manually noticing failed runs.


@AlexKaravaev AlexKaravaev changed the title Add GitHub Actions workflow to check pinned CA certificate validity feat: add GitHub Actions workflow to check pinned CA certificate validity Mar 25, 2026