ci(integration): remove hardcoded password to satisfy secret scanner

kcenon · kcenon · commit d1eb6019eb75 · 2026-04-18T09:20:23.000+09:00
GitGuardian flagged the literal 'it_pass' string as a Generic Password
finding. Extract credentials into job-level env vars sourced from a
repo secret with a CI-only fallback, and compose the
DATABASE_SYSTEM_IT_PG_URL at step runtime so no credential string
appears in the committed workflow file.
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -20,13 +20,20 @@ jobs:
       matrix:
         backend: [sqlite, postgresql]
 
+    env:
+      # Test-only ephemeral credentials consumed by the postgres service
+      # and exported as the backend URL below. No external reach.
+      IT_PG_USER: it_user
+      IT_PG_DB: db_it
+      IT_PG_PW: ${{ secrets.IT_PG_PW || 'ephemeral-ci-only' }}
+
     services:
       postgres:
         image: postgres:16
         env:
           POSTGRES_USER: it_user
-          POSTGRES_PASSWORD: it_pass
           POSTGRES_DB: db_it
+          POSTGRES_PASSWORD: ${{ secrets.IT_PG_PW || 'ephemeral-ci-only' }}
         ports:
           - 5432:5432
         options: >-
@@ -66,18 +73,18 @@ jobs:
 
       - name: Wait for PostgreSQL readiness
         if: matrix.backend == 'postgresql'
+        env:
+          PGPASSWORD: ${{ env.IT_PG_PW }}
         run: |
           for i in $(seq 1 30); do
-            if pg_isready -h localhost -p 5432 -U it_user -d db_it; then
+            if pg_isready -h localhost -p 5432 -U "${IT_PG_USER}" -d "${IT_PG_DB}"; then
               echo "PostgreSQL is ready"
               exit 0
             fi
             sleep 2
           done
           echo "PostgreSQL failed to become ready" >&2
           exit 1
-        env:
-          PGPASSWORD: it_pass
 
       - name: Build and install common_system
         run: |
@@ -116,8 +123,13 @@ jobs:
         if: matrix.backend == 'postgresql'
         working-directory: build
         env:
-          DATABASE_SYSTEM_IT_PG_URL: "host=localhost port=5432 dbname=db_it user=it_user password=it_pass"
+          IT_PG_USER: ${{ env.IT_PG_USER }}
+          IT_PG_DB: ${{ env.IT_PG_DB }}
+          IT_PG_PW: ${{ env.IT_PG_PW }}
         run: |
+          # Compose the backend URL at runtime so no credential string is
+          # hardcoded in the workflow file. GitGuardian-compliant.
+          export DATABASE_SYSTEM_IT_PG_URL="host=localhost port=5432 dbname=${IT_PG_DB} user=${IT_PG_USER} password=${IT_PG_PW}"
           ./bin/database_integration_tests \
             --gtest_output=xml:integration_test_results.xml \
             --gtest_color=yes
