[CHORE] Add build provenance attestations and checksums to release workflows #73
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Scans for committed secrets with gitleaks: new commits on pull_request/push, full | |
| # history on the weekly schedule. Uploads SARIF to the Security tab. Uses the | |
| # MIT-licensed gitleaks binary, not the licensed action. | |
| name: Secret Scan | |
| on: | |
| pull_request: | |
| branches: [main] | |
| push: | |
| branches: [main] | |
| schedule: | |
| - cron: '17 9 * * 1' | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: secret-scan-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| gitleaks: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| permissions: | |
| contents: read | |
| security-events: write | |
| env: | |
| GITLEAKS_VERSION: "8.30.1" | |
| # SHA-256 of gitleaks_<version>_linux_x64.tar.gz — update together with the version. | |
| GITLEAKS_SHA256: "551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb" | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install gitleaks | |
| run: | | |
| tarball="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | |
| curl -sSfL -O "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${tarball}" | |
| echo "${GITLEAKS_SHA256} ${tarball}" | sha256sum -c - | |
| tar -xzf "${tarball}" | |
| sudo mv gitleaks /usr/local/bin/ | |
| gitleaks --version | |
| - name: Run gitleaks | |
| id: gitleaks | |
| env: | |
| # Provided by GitHub for the triggering event; empty otherwise. Passed via env | |
| # (not inline ${{ }}) so they cannot be interpolated into the shell. | |
| PR_BASE: ${{ github.event.pull_request.base.sha }} | |
| PR_HEAD: ${{ github.event.pull_request.head.sha }} | |
| PUSH_BEFORE: ${{ github.event.before }} | |
| PUSH_AFTER: ${{ github.sha }} | |
| run: | | |
| NULL_SHA="0000000000000000000000000000000000000000" | |
| LOG_OPTS="" | |
| if [ -n "$PR_BASE" ]; then | |
| # pull_request: scan only the commits this PR adds | |
| LOG_OPTS="--log-opts=${PR_BASE}..${PR_HEAD}" | |
| elif [ -n "$PUSH_BEFORE" ] && [ "$PUSH_BEFORE" != "$NULL_SHA" ]; then | |
| # push: scan only the newly pushed commits | |
| LOG_OPTS="--log-opts=${PUSH_BEFORE}..${PUSH_AFTER}" | |
| fi | |
| # schedule / workflow_dispatch / branch-creating push: LOG_OPTS empty -> full history | |
| set +e | |
| gitleaks git --redact $LOG_OPTS --report-path=gitleaks-report.sarif --report-format=sarif . | |
| echo "exit_code=$?" >> "$GITHUB_OUTPUT" | |
| set -e | |
| - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| if: always() | |
| with: | |
| name: gitleaks.sarif | |
| path: gitleaks-report.sarif | |
| if-no-files-found: warn | |
| - uses: github/codeql-action/upload-sarif@5e7a52feb2a3dfb87f88be2af33b9e2275f48de6 # v4.32.2 | |
| if: always() && hashFiles('gitleaks-report.sarif') != '' | |
| continue-on-error: true | |
| with: | |
| sarif_file: gitleaks-report.sarif | |
| - name: Fail on findings or scan error | |
| if: steps.gitleaks.outputs.exit_code != '0' | |
| env: | |
| EXIT_CODE: ${{ steps.gitleaks.outputs.exit_code }} | |
| run: | | |
| if [ "$EXIT_CODE" = "1" ]; then | |
| echo "::error::gitleaks found secrets — see the SARIF artifact / Security tab" | |
| else | |
| echo "::error::gitleaks failed to run (exit $EXIT_CODE)" | |
| fi | |
| exit 1 |