-
Notifications
You must be signed in to change notification settings - Fork 356
39 lines (37 loc) · 1.22 KB
/
lint-secrets.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
---
name: "Lint secrets"
on: # yamllint disable-line rule:truthy
push:
branches:
- 'main'
- 'releases/**'
pull_request: {}
jobs:
lint-secrets:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
# TODO(danh): this install+configure git-secrets is a good candidate for a
# custom action repo -- closest to our needs I found is:
# https://github.com/kams-mash/gh-secrets-scanner-action
- name: Set tempdir because github actions are dumb
run: echo "SECRETS_REPO=$(mktemp -dp "$PWD")" >> "$GITHUB_ENV"
- uses: actions/checkout@v4
with:
repository: awslabs/git-secrets
path: ${{ env.SECRETS_REPO }}
fetch-depth: 1
- name: Compile and install git-secrets
run: |
sudo make -C "$SECRETS_REPO" install
# needed to avoid having the secret scan include the git-secrets repo
rm -rf "$SECRETS_REPO"
- name: Configure git-secrets
run: |
git secrets --install
git secrets --register-aws
git secrets --add '"private_key":\s"-----BEGIN\sPRIVATE\sKEY-----'
- name: Run scan
run: git secrets --scan-history