Skip to content

chore(deps): bump mistune from 3.2.1 to 3.3.0 #102

chore(deps): bump mistune from 3.2.1 to 3.3.0

chore(deps): bump mistune from 3.2.1 to 3.3.0 #102

Workflow file for this run

name: secret-scan
# Scans NEW commits on every PR and push for committed credentials, using
# gitleaks with the repo's .gitleaks.toml (default rules + a BioPortal/NCBO
# API-key rule that GitHub's native secret scanning misses because the key is
# a bare UUID). This gates new leaks; secrets already in history are handled by
# rotation, not by failing CI forever, so the scan is limited to the new range.
on:
pull_request:
push:
branches: [main]
permissions:
contents: read
jobs:
gitleaks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
persist-credentials: false
- name: Install gitleaks
env:
GITLEAKS_VERSION: 8.30.1
run: |
set -euo pipefail
curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
| tar -xz -C /usr/local/bin gitleaks
gitleaks version
- name: Scan new commits
env:
EVENT: ${{ github.event_name }}
PR_BASE: ${{ github.event.pull_request.base.sha }}
PR_HEAD: ${{ github.event.pull_request.head.sha }}
PUSH_BEFORE: ${{ github.event.before }}
PUSH_HEAD: ${{ github.sha }}
run: |
set -euo pipefail
if [ "$EVENT" = "pull_request" ]; then
RANGE="$PR_BASE..$PR_HEAD"
elif [ -n "$PUSH_BEFORE" ] && [ "$PUSH_BEFORE" != "0000000000000000000000000000000000000000" ]; then
RANGE="$PUSH_BEFORE..$PUSH_HEAD"
else
RANGE=""
fi
if [ -n "$RANGE" ]; then
echo "Scanning commit range: $RANGE"
gitleaks detect --source . --config .gitleaks.toml --redact --no-banner --log-opts="$RANGE"
else
echo "No prior ref; scanning full tree"
gitleaks detect --source . --config .gitleaks.toml --redact --no-banner
fi