optimum-intel/.github/workflows/security.yml at main · mlukasze/optimum-intel · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
name: Security Checks

on:
  push:

permissions:
  contents: read

jobs:
  secrets:
    runs-on: ubuntu-latest

    steps:
      - shell: bash
        env:
          REF_NAME: ${{ github.ref_name }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          if [ "${{ github.event_name }}" == "push" ]; then
            echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV
            echo "branch=$REF_NAME" >> $GITHUB_ENV
          fi
          if [ "${{ github.event_name }}" == "pull_request" ]; then
            echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
            echo "branch=$HEAD_REF" >> $GITHUB_ENV
          fi
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          ref: ${{env.branch}}
          fetch-depth: ${{env.depth}}
      - name: Scan for secrets
        uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b  # main