Skip to content

chore(ci): bump astral-sh/setup-uv from 7.6.0 to 8.3.2 (#393) #71

chore(ci): bump astral-sh/setup-uv from 7.6.0 to 8.3.2 (#393)

chore(ci): bump astral-sh/setup-uv from 7.6.0 to 8.3.2 (#393) #71

Workflow file for this run

# Scans for committed secrets with gitleaks: new commits on pull_request/push, full
# history on the weekly schedule. Uploads SARIF to the Security tab. Uses the
# MIT-licensed gitleaks binary, not the licensed action.
name: Secret Scan
on:
pull_request:
branches: [main]
push:
branches: [main]
schedule:
- cron: '17 9 * * 1'
workflow_dispatch:
permissions:
contents: read
concurrency:
group: secret-scan-${{ github.ref }}
cancel-in-progress: true
jobs:
gitleaks:
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: read
security-events: write
env:
GITLEAKS_VERSION: "8.30.1"
# SHA-256 of gitleaks_<version>_linux_x64.tar.gz — update together with the version.
GITLEAKS_SHA256: "551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb"
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
fetch-depth: 0
- name: Install gitleaks
run: |
tarball="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
curl -sSfL -O "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${tarball}"
echo "${GITLEAKS_SHA256} ${tarball}" | sha256sum -c -
tar -xzf "${tarball}"
sudo mv gitleaks /usr/local/bin/
gitleaks --version
- name: Run gitleaks
id: gitleaks
env:
# Provided by GitHub for the triggering event; empty otherwise. Passed via env
# (not inline ${{ }}) so they cannot be interpolated into the shell.
PR_BASE: ${{ github.event.pull_request.base.sha }}
PR_HEAD: ${{ github.event.pull_request.head.sha }}
PUSH_BEFORE: ${{ github.event.before }}
PUSH_AFTER: ${{ github.sha }}
run: |
NULL_SHA="0000000000000000000000000000000000000000"
LOG_OPTS=""
if [ -n "$PR_BASE" ]; then
# pull_request: scan only the commits this PR adds
LOG_OPTS="--log-opts=${PR_BASE}..${PR_HEAD}"
elif [ -n "$PUSH_BEFORE" ] && [ "$PUSH_BEFORE" != "$NULL_SHA" ]; then
# push: scan only the newly pushed commits
LOG_OPTS="--log-opts=${PUSH_BEFORE}..${PUSH_AFTER}"
fi
# schedule / workflow_dispatch / branch-creating push: LOG_OPTS empty -> full history
set +e
gitleaks git --redact $LOG_OPTS --report-path=gitleaks-report.sarif --report-format=sarif .
echo "exit_code=$?" >> "$GITHUB_OUTPUT"
set -e
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
if: always()
with:
name: gitleaks.sarif
path: gitleaks-report.sarif
if-no-files-found: warn
- uses: github/codeql-action/upload-sarif@5e7a52feb2a3dfb87f88be2af33b9e2275f48de6 # v4.32.2
if: always() && hashFiles('gitleaks-report.sarif') != ''
continue-on-error: true
with:
sarif_file: gitleaks-report.sarif
- name: Fail on findings or scan error
if: steps.gitleaks.outputs.exit_code != '0'
env:
EXIT_CODE: ${{ steps.gitleaks.outputs.exit_code }}
run: |
if [ "$EXIT_CODE" = "1" ]; then
echo "::error::gitleaks found secrets — see the SARIF artifact / Security tab"
else
echo "::error::gitleaks failed to run (exit $EXIT_CODE)"
fi
exit 1