Add CI example workflow and demo script #2
```yaml
# Example workflow: use Pipelock in your CI pipeline to scan for secrets
# and verify workspace integrity before deploying AI agent tasks.
#
# Copy this to your repo's .github/workflows/ and adjust as needed.
#
# Prerequisites: add a pipelock.yaml to your repo root.
# Generate one with: pipelock generate config --preset balanced -o pipelock.yaml

name: Pipelock Security Scan

on:
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # needed for git diff against origin/main

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24'

      - name: Install Pipelock
        run: go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest

      - name: Validate config
        run: pipelock check --config pipelock.yaml

      - name: Scan PR diff for secrets
        run: git diff origin/main...HEAD | pipelock git scan-diff --config pipelock.yaml

      - name: Check workspace integrity
        run: |
          # Initialize manifest on first run, check on subsequent runs
          if [ -f .pipelock-manifest.json ]; then
            pipelock integrity check . --manifest .pipelock-manifest.json
          else
            echo "No manifest found — skipping integrity check"
            echo "Run 'pipelock integrity init . --manifest .pipelock-manifest.json' to create one"
          fi
```
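To make the "Check workspace integrity" step concrete, here is an added, self-contained illustration of the init-on-first-run / check-on-later-runs pattern the shell snippet above follows. It is not Pipelock's code, and the manifest layout it uses (a JSON map of relative path to SHA-256 hex digest, stored under the same `.pipelock-manifest.json` name) is an assumption chosen for the demo, not the tool's real format. The workspace it scans is constructed in a temporary directory so the example runs offline.

```python
"""Workspace-integrity manifest demo: init on the first run, diff on later runs.

Added illustration, not Pipelock's implementation. Manifest format is ASSUMED:
{"relative/path": "<sha256 hex>"}.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = ".pipelock-manifest.json"  # file name used by the workflow above


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, manifest_name: str = MANIFEST_NAME) -> dict:
    """Hash every regular file under root, skipping .git/ and the manifest itself."""
    entries = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root)
        if ".git" in rel.parts or rel.name == manifest_name or not p.is_file():
            continue
        entries[rel.as_posix()] = _sha256(p)
    return entries


def integrity_init(root: Path) -> Path:
    """First run: record the current state of the workspace (assumed JSON layout)."""
    manifest = root / MANIFEST_NAME
    manifest.write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))
    return manifest


def integrity_check(root: Path) -> dict:
    """Later runs: report drift as added / removed / modified paths (all empty == clean)."""
    expected = json.loads((root / MANIFEST_NAME).read_text())
    actual = snapshot(root)
    common = expected.keys() & actual.keys()
    return {
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
        "modified": sorted(p for p in common if expected[p] != actual[p]),
    }


def ci_step(root: Path) -> str:
    """Mirror the workflow's shell branch: check if a manifest exists, otherwise init."""
    if (root / MANIFEST_NAME).is_file():
        drift = integrity_check(root)
        return "ok" if not any(drift.values()) else f"drift: {drift}"
    integrity_init(root)
    return "initialized"


def demo() -> tuple:
    """Constructed workspace: first run initializes; a later tampered run is flagged."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "src").mkdir()
        (root / "src" / "agent.py").write_text("print('hello')\n")
        (root / "README.md").write_text("demo\n")
        first = ci_step(root)            # no manifest yet -> "initialized"
        clean = integrity_check(root)    # nothing changed -> all lists empty
        # Simulate drift between runs: one edit, one new file, one deletion.
        (root / "src" / "agent.py").write_text("print('tampered')\n")
        (root / "extra.txt").write_text("x")
        (root / "README.md").unlink()
        tampered = integrity_check(root)
        return first, clean, tampered


if __name__ == "__main__":
    print(demo())
```

The point of the split is the same as in the workflow: a manifest that is (re)generated on every run can never detect anything, so `integrity_init` should run once and the resulting manifest should be committed, after which only `integrity_check` runs in CI and any non-empty drift list is treated as a failure.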