-
Notifications
You must be signed in to change notification settings - Fork 7
95 lines (80 loc) · 2.84 KB
/
Copy pathtest.yml
File metadata and controls
95 lines (80 loc) · 2.84 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
name: Test
on:
push:
branches: [ main ]
paths:
- '**/*.go'
- '**/go.mod'
- '**/go.sum'
- '**/*.sh'
- '.github/workflows/test.yml'
pull_request:
branches: [ main ]
paths:
- '**/*.go'
- '**/go.mod'
- '**/go.sum'
- '**/*.sh'
- '.github/workflows/test.yml'
permissions:
contents: read
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: '1.26.1'
- name: Download dependencies
run: go mod download
- name: Check formatting
run: |
if [ "$(gofmt -l . | wc -l)" -gt 0 ]; then
echo "The following files need formatting:"
gofmt -l .
exit 1
fi
- name: Check for sensitive data in Log() calls
run: |
# Per AGENTS.md privacy guidelines - never log sensitive data
# Check for sensitive variable names being passed as arguments to Log()
# Safe boolean indicators (e.g., has_upn=%v) are allowed
# Excludes test files (where we intentionally test for violations)
# Pattern explanation:
# - Find lines with Log( calls
# - Exclude test files and safe boolean patterns (has_*)
# - Look for sensitive variable names as actual arguments (not in format strings)
violations=$(grep -rn 'utils\.Log\|Log(' --include="*.go" . | \
grep -v "_test.go" | \
grep -vE "(has_upn|has_subscription|has_tenant|has_resource|has_object|has_display)" | \
grep -E "\b(userPrincipalName|subscriptionID|tenantID|resourceID|objectID|displayName)\b" || true)
if [ -n "$violations" ]; then
echo "ERROR: Potential sensitive data logging detected:"
echo "$violations"
echo ""
echo "Per AGENTS.md privacy guidelines, debug logs must not contain:"
echo " - User Principal Names (UPN/email addresses)"
echo " - Display names"
echo " - Tenant IDs or Object IDs"
echo " - Resource IDs (full Azure resource IDs, subscription IDs, resource group IDs)"
echo ""
echo "Use safe alternatives:"
echo " ✓ has_upn=%v (boolean indicator)"
echo " ✓ Found at index 5 (position instead of ID)"
echo " ✓ Loaded 20 subscriptions (count)"
echo " ✓ resource-1 (anonymized identifier)"
exit 1
fi
echo "✓ No sensitive data logging patterns detected"
- name: Run tests
run: make test-ci
- name: Install tmux
run: sudo apt-get update && sudo apt-get install -y tmux
- name: Run integration tests
run: make test-integration
- name: Print version info
run: ./lazyazure --version
- name: Run tests with race detector
run: make test-race