Cleanup V2 transition + testing + release #552
```yaml
name: Secret Scanning

# =============================================================================
# Gitleaks Secret Scanning Workflow
#
# Scans for leaked secrets, API keys, tokens, and internal URLs.
# Uses the project-level .gitleaks.toml for RunAnywhere-specific patterns.
#
# Strategy:
#   - Pull requests: scan ONLY the PR's commits (base.sha..HEAD). Catches
#     new secrets without tripping on historical findings.
#   - Push to main: scan only the pushed commits (before..HEAD). Redundant
#     with PR scan but catches direct pushes / merge commits.
#
# No baseline file is used. A baseline would leak metadata about known
# secrets (file paths, commit SHAs, authors) into the committed repo —
# pointing attackers at exactly where and when each secret was introduced.
# Incremental diff-only scans achieve the same "ignore historical noise"
# goal without that disclosure.
#
# Uses gitleaks CLI directly (MIT-licensed, free) instead of
# gitleaks-action@v2 which requires a paid license for organizations.
# =============================================================================

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read

jobs:
  secret-scan:
    name: Gitleaks Secret Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history is required so that base.sha / before are reachable
          # from HEAD and the commit range below can be resolved.
          fetch-depth: 0

      - name: Install Gitleaks CLI
        run: |
          GITLEAKS_VERSION=8.30.0
          # -f makes curl fail on an HTTP error instead of piping an error page into tar.
          curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar xz gitleaks
          sudo mv gitleaks /usr/local/bin/
          gitleaks version

      - name: Run Gitleaks (incremental)
        env:
          EVENT_NAME: ${{ github.event_name }}
          PR_BASE: ${{ github.event.pull_request.base.sha }}
          PUSH_BEFORE: ${{ github.event.before }}
        run: |
          set -euo pipefail
          CONFIG_ARG=""
          [ -f .gitleaks.toml ] && CONFIG_ARG="--config .gitleaks.toml"

          # Pick a commit range based on the trigger event.
          if [ "$EVENT_NAME" = "pull_request" ]; then
            RANGE="${PR_BASE}..HEAD"
            echo "PR mode — scanning range: $RANGE"
          else
            # push to main. If PUSH_BEFORE is missing or zero (new branch,
            # never-seen-before), fall back to just the top commit.
            if [ -n "${PUSH_BEFORE:-}" ] && [ "$PUSH_BEFORE" != "0000000000000000000000000000000000000000" ]; then
              RANGE="${PUSH_BEFORE}..HEAD"
            else
              RANGE="HEAD~1..HEAD"
            fi
            echo "Push mode — scanning range: $RANGE"
          fi

          # --log-opts restricts the git history gitleaks walks to $RANGE;
          # --redact keeps matched secret values out of the job log.
          gitleaks detect --source . $CONFIG_ARG --redact --verbose \
            --log-opts="$RANGE"
```
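The range selection above, extracted into a reusable function and checked against a throwaway repository, as an added example that is not part of this PR. `pick_range` and `demo_ranges` are hypothetical names; the extra guard that rejects a pull_request event with an empty base SHA is an assumption of the example, not behaviour of the workflow.

```shell
# Added example: the workflow's range selection as a function, plus a
# constructed git repo showing how many commits each range hands to
# gitleaks --log-opts. Needs only sh and git.
set -eu

ZERO_SHA="0000000000000000000000000000000000000000"

# pick_range EVENT_NAME PR_BASE PUSH_BEFORE -> prints the range to scan.
# Mirrors the workflow: PR -> base.sha..HEAD; push -> before..HEAD;
# push with no usable "before" (new branch) -> HEAD~1..HEAD.
# Extra guard (assumption, not in the workflow): a PR event with an empty
# base SHA fails instead of silently producing the range "..HEAD".
pick_range() {
  event="$1"; pr_base="${2:-}"; push_before="${3:-}"
  case "$event" in
    pull_request)
      [ -n "$pr_base" ] || { echo "pull_request event without base.sha" >&2; return 1; }
      printf '%s..HEAD\n' "$pr_base" ;;
    push)
      if [ -n "$push_before" ] && [ "$push_before" != "$ZERO_SHA" ]; then
        printf '%s..HEAD\n' "$push_before"
      else
        printf 'HEAD~1..HEAD\n'
      fi ;;
    *) echo "unsupported event: $event" >&2; return 1 ;;
  esac
}

# demo_ranges: constructed repo with 3 commits on the base branch and 2 more
# on a feature branch. Prints "<pr-range-count> <fallback-count>", i.e. how
# many commits the PR range and the zero-SHA fallback cover ("skip" if git
# is not installed).
demo_ranges() {
  command -v git >/dev/null 2>&1 || { echo skip; return 0; }
  dir="$(mktemp -d)"
  (
    cd "$dir" && git init -q
    g="git -c user.name=example -c user.email=example@example.invalid"
    for i in 1 2 3; do echo "$i" > f; git add f; $g commit -qm "base $i"; done
    base="$(git rev-parse HEAD)"
    git checkout -q -b feature
    for i in 4 5; do echo "$i" > f; git add f; $g commit -qm "feature $i"; done
    pr="$(pick_range pull_request "$base" "")"
    fb="$(pick_range push "" "$ZERO_SHA")"
    echo "$(git rev-list --count "$pr") $(git rev-list --count "$fb")"
  )
  rm -rf "$dir"
}
```

`demo_ranges` prints `2 1`: the PR range covers exactly the two feature commits, while the zero-SHA fallback covers only the top commit, which is why the fallback is a last resort for a never-seen-before branch.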