fix(ci): grant commitlint workflow pull-requests:read permission #12
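name: Secret Scan
# Mirrors the BfxLendingBot / BfxPingPongBot pattern:
# Gitleaks PR-gating runs on every PR + every push to default branch
# to catch hardcoded secrets before merge. Uses repo-local gitleaks.toml
# for allowlist (extends gitleaks default rules with paths/regexes for
# this repo's known false positives).
#
# NOTE(review): on pull_request both this workflow and gitleaks.toml are
# taken from the PR head, so a PR can widen the allowlist (or edit this
# file) and silence its own findings. Treat changes to gitleaks.toml and
# .github/workflows as security-sensitive in review; this gate is only as
# strong as that review.
#
# Phase 0.B1-fleet rollout (Restart-2026-04 master plan).
# Hardened 2026-04-27 per Copilot review (#9/#3/#10):
# - Pin gitleaks version + verify SHA256 (no latest-release scraping).
# - Scan full PR commit range, not just last commit (--log-opts -1).
# - Allowlist anchored regexes only (see gitleaks.toml).
# Further hardening:
# - Scan the whole push (event.before..sha), not only HEAD~1..HEAD, so a
#   multi-commit push cannot slip a secret past the scan.
# - Never cancel an in-flight default-branch scan; only PR scans are
#   superseded (the newer PR run covers the same base..head range).
# - Download/verify/extract in a per-job temp dir instead of shared /tmp
#   and $HOME, which persist across jobs on a self-hosted runner.

on:
  push:
    branches: [master, main]
  pull_request:
    branches: [master, main]
  workflow_dispatch:

# Least privilege: gitleaks only needs to read the tree and its history.
permissions:
  contents: read

concurrency:
  group: secret-scan-${{ github.ref }}
  # Cancelling a push scan would leave the cancelled run's commits unscanned
  # forever, because the next push run only covers its own before..sha delta.
  # Cancelling a PR scan is safe: the replacement run scans base..head again.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  gitleaks:
    name: Secret Scan
    # Self-hosted: the runner's filesystem is shared between jobs, hence the
    # per-job scratch dir below. pull_request from forks still needs the
    # repository's fork-approval policy to keep untrusted runs off this box.
    runs-on: [self-hosted, Linux, Build]
    timeout-minutes: 5
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history needed so --log-opts can resolve the PR base..head range.
          fetch-depth: 0
          # Nothing below pushes or calls the API, so don't leave the job token
          # in .git/config on a self-hosted runner's disk.
          persist-credentials: false
      - name: Gitleaks — secret scanning
        env:
          GITLEAKS_VERSION: "8.30.1"
          GITLEAKS_SHA256: "551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb"
          # Event data goes through env rather than being interpolated into the
          # script with ${{ }}; SHAs are hex today, but this keeps the script
          # free of template injection by construction.
          EVENT_NAME: ${{ github.event_name }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          PUSH_BEFORE_SHA: ${{ github.event.before }}
          PUSH_AFTER_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail
          # Per-job scratch dir: a fixed /tmp path on a shared runner could be
          # replaced by another job between the checksum and the extraction.
          WORK="$(mktemp -d "${RUNNER_TEMP:-/tmp}/gitleaks.XXXXXX")"
          trap 'rm -rf "$WORK"' EXIT
          curl -sSfL -o "$WORK/gitleaks.tar.gz" \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          # Pinned digest; two spaces is the checksum-line format every
          # coreutils release accepts. A mismatch fails here, before extraction.
          echo "${GITLEAKS_SHA256}  $WORK/gitleaks.tar.gz" | sha256sum -c -
          tar xzf "$WORK/gitleaks.tar.gz" -C "$WORK" gitleaks
          # Scan scope by trigger:
          #   pull_request -> every commit on the branch (base..head), so a
          #                   secret added and later "removed" is still caught.
          #   push         -> the whole push (before..sha); HEAD~1..HEAD would
          #                   skip all but the last commit of a multi-commit push.
          #   other        -> last commit (manual dispatch has no delta).
          ZERO_SHA="0000000000000000000000000000000000000000"
          case "$EVENT_NAME" in
            pull_request)
              LOG_OPTS="--log-opts=${PR_BASE_SHA}..${PR_HEAD_SHA}"
              ;;
            push)
              # Branch creation reports an all-zero 'before'; after a force-push
              # the old tip may no longer be in the clone. Fall back to HEAD~1.
              if [ -n "$PUSH_BEFORE_SHA" ] && [ "$PUSH_BEFORE_SHA" != "$ZERO_SHA" ] \
                 && git cat-file -e "${PUSH_BEFORE_SHA}^{commit}" 2>/dev/null; then
                LOG_OPTS="--log-opts=${PUSH_BEFORE_SHA}..${PUSH_AFTER_SHA}"
              else
                LOG_OPTS="--log-opts=HEAD~1..HEAD"
              fi
              ;;
            *)
              LOG_OPTS="--log-opts=HEAD~1..HEAD"
              ;;
          esac
          # --redact keeps matched secret values out of the job log.
          "$WORK/gitleaks" detect --source . --config gitleaks.toml "$LOG_OPTS" --verbose --redact --no-banner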