feat: production GCP Cloud Run foundation + hardened, optimized front end (keyless IaC, WCAG 2.2 AA, GEO/structured-data, CWV-budgeted CI) #8
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Secret Scan | |
| # Layered secret scanning (CI tier): | |
| # - Gitleaks: fast, broad pattern coverage; uploads SARIF to the Security tab. | |
| # - TruffleHog: credential VERIFICATION — fails the build on a LIVE secret. | |
| # Pre-commit (Gitleaks) and GitHub push protection are the other two layers. | |
| on: | |
| pull_request: | |
| push: | |
| branches: [main] | |
| schedule: | |
| - cron: '0 6 * * 1' # weekly full-history sweep (incremental scans miss old commits) | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| security-events: write # allow Gitleaks to upload SARIF results | |
| jobs: | |
| gitleaks: | |
| name: Gitleaks (fast + SARIF) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 # full history so the scan sees all commits | |
| - name: Gitleaks | |
| uses: gitleaks/gitleaks-action@v3 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # GITLEAKS_LICENSE is only required for GitHub *Organizations*. | |
| # Public/personal repos (this one) need no license. | |
| trufflehog-pr: | |
| name: TruffleHog (verified, PR diff) | |
| if: github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: TruffleHog — scan PR diff, fail on verified | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| base: ${{ github.event.pull_request.base.sha }} | |
| head: ${{ github.event.pull_request.head.sha }} | |
| # Fail-closed on LIVE credentials. To also gate unverified findings, | |
| # change to: --results=verified,unknown | |
| extra_args: --only-verified | |
| trufflehog-full: | |
| name: TruffleHog (verified, full history) | |
| if: github.event_name != 'pull_request' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install TruffleHog | |
| run: curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin | |
| - name: TruffleHog — scan ALL history, fail on verified | |
| run: trufflehog git file://. --only-verified --fail |