revert: #3474 newline fix breaks unit tests, needs different approach #56
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
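# Secret scan: fails the run when known credential/scratch files are tracked,
# or when a tracked file contains text shaped like a GitHub token.
# Both checks look only at the files tracked in the checked-out tree; neither
# step below inspects earlier commits.
name: Secret scan

on:
  workflow_dispatch:
  push:
    branches:
      - master
      - workbench-app-issue-factory
  pull_request:
    branches:
      - master

# Least privilege: this workflow only needs to read repository contents.
permissions:
  contents: read

jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Clone repository
        # NOTE(review): a version tag can be moved by the action's publisher;
        # consider pinning to a full commit SHA.
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          # The scan never pushes, so git does not need to keep the job token
          # after checkout.
          persist-credentials: false

      - name: Reject committed credential files
        shell: bash
        run: |
          set -euo pipefail
          blocked_paths='(^|/)(\.git-credentials|fetch_diffs\.py|bug_numbers\.txt|BUG_TRACKER\.md)$|(^|/)pr_diffs/'
          # Capture the listing first: if git itself fails, set -e aborts the
          # step instead of the failure being read as "nothing blocked".
          tracked_files="$(git ls-files)"
          if grep -E -- "$blocked_paths" <<<"$tracked_files"; then
            echo "Blocked local credential/scratch files are tracked. Remove them before merging."
            exit 1
          fi

      - name: Reject obvious GitHub token patterns
        shell: bash
        run: |
          set -euo pipefail
          # -l prints only the names of matching files, so a matched token is
          # not copied into the job log, which outlives the cleanup commit.
          scan_status=0
          git grep -l -I -E 'github_pat_[A-Za-z0-9_]+|gh[pousr]_[A-Za-z0-9_]{20,}' -- . ':!gradle/wrapper/gradle-wrapper.jar' || scan_status=$?
          if [ "$scan_status" -eq 0 ]; then
            echo "Potential GitHub token found in tracked files. Revoke the token and remove it from history."
            exit 1
          elif [ "$scan_status" -ne 1 ]; then
            # git grep exits 1 for "no match"; any other status is an error,
            # and a scan that could not run must not count as a clean result.
            echo "git grep failed with status $scan_status; treating the scan as failed."
            exit "$scan_status"
          fi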