docs: channel setup guides with compile-tested TOML examples #226
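---
name: secret-scan

on:
  pull_request:
    branches: [main]
  # Also run on pushes to main so we catch anything merged without a PR gate.
  push:
    branches: [main]
  # Manual trigger for on-demand scans.
  workflow_dispatch:

# Read-only token: the job only fetches refs and never writes back.
permissions:
  contents: read

jobs:
  gitleaks:
    name: gitleaks scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Do not leave the token in .git/config; the PR step supplies it
          # explicitly (and masks it) for the one fetch that needs it.
          persist-credentials: false
          # Check out the PR head itself instead of GitHub's synthetic
          # merge ref so the explicit gitleaks range below is stable.
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
          # Full history so merge-base and the commit ranges below resolve.
          fetch-depth: 0

      - name: Install gitleaks
        env:
          GITLEAKS_VERSION: "8.24.3"
          # sha256 of gitleaks_<version>_linux_x64.tar.gz from the release's
          # checksums file. Not on record here, so left empty; fill it in so
          # the download is verified instead of only warned about.
          GITLEAKS_SHA256: ""
        run: |
          set -euo pipefail
          curl -sSfL \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
            -o /tmp/gitleaks.tar.gz
          # Verify the tarball before anything from it is executed; an empty
          # pin is reported loudly rather than silently skipped.
          if [ -n "${GITLEAKS_SHA256}" ]; then
            echo "${GITLEAKS_SHA256}  /tmp/gitleaks.tar.gz" | sha256sum -c -
          else
            echo "::warning::GITLEAKS_SHA256 is empty; installing unverified gitleaks tarball"
          fi
          tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
          sudo install -m 0755 /tmp/gitleaks /usr/local/bin/gitleaks
          gitleaks version

      - name: Run gitleaks on PR range
        if: github.event_name == 'pull_request'
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
          GITHUB_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          # BASE_REF comes from the event payload and is interpolated into a
          # refspec below, so allow only a plain branch path: no leading "/",
          # no "..", no "@{", no backslashes, and only [A-Za-z0-9._/-].
          case "$BASE_REF" in
            ""|/*|*..*|*"@{"*|*\\*|*[!A-Za-z0-9._/-]*)
              echo "Refusing unsafe base ref: $BASE_REF" >&2
              exit 1
              ;;
          esac
          # Authenticate this single fetch through an extraheader instead of
          # persisted credentials; mask the encoded token so it cannot show
          # up in the job log.
          auth_header="$(printf 'x-access-token:%s' "${GITHUB_TOKEN}" | base64 | tr -d '\n')"
          echo "::add-mask::${auth_header}"
          git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${auth_header}" \
            fetch --no-tags origin \
            "+refs/heads/${BASE_REF}:refs/remotes/origin/${BASE_REF}"
          # Scan only the commits the PR introduces relative to its base.
          base="$(git merge-base HEAD "origin/${BASE_REF}")"
          range="${base}..HEAD"
          echo "Scanning PR range: ${range}"
          gitleaks detect --config .gitleaks.toml --redact -v --exit-code=2 --log-opts="${range}"

      - name: Run gitleaks on pushed commits
        if: github.event_name == 'push'
        env:
          BEFORE_SHA: ${{ github.event.before }}
          AFTER_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail
          before="$BEFORE_SHA"
          after="$AFTER_SHA"
          if [ -z "${before}" ] || [ "${before}" = "0000000000000000000000000000000000000000" ]; then
            # Branch creation: there is no previous tip, scan the new tip only.
            range="HEAD~1..HEAD"
          elif ! git cat-file -e "${before}^{commit}" 2>/dev/null; then
            # Force push: the previous tip was rewritten away and is not in
            # the clone, so "${before}..${after}" would be an invalid range.
            echo "::warning::before SHA ${before} not found in clone (force push?); scanning tip commit only"
            range="HEAD~1..HEAD"
          else
            range="${before}..${after}"
          fi
          echo "Scanning push range: ${range}"
          gitleaks detect --config .gitleaks.toml --redact -v --exit-code=2 --log-opts="${range}"

      - name: Run gitleaks manually
        if: github.event_name == 'workflow_dispatch'
        # On-demand runs scan only the tip commit; widen --log-opts for a
        # deeper sweep.
        run: gitleaks detect --config .gitleaks.toml --redact -v --exit-code=2 --log-opts="HEAD~1..HEAD"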