
feat: add rule matching secrets used without environment #10

Merged
NyanKiyoshi merged 1 commit into main from feat/yaml/gha/add-secrets-without-environment
Mar 5, 2026

Conversation

@NyanKiyoshi
Member

This adds a Semgrep rule that ensures all ${{ secrets.XXX }} interpolations use the environment keyword to ensure blast radius is limited and to ensure protection rules are followed (branch protections, tag protections, …).
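A lightweight stand-in for the check this rule performs, added here as an example and not the PR's Semgrep rule: it walks a workflow file job by job and reports every job that interpolates `${{ secrets.* }}` without a job-level `environment:` key, so the step-level `environment:` input in the sample is correctly not counted. It assumes the usual space-indented layout with `jobs:` at column 0; the sample workflow, action and secret names are constructed placeholders.

```python
import re
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")  # captures NAME

def secrets_without_environment(workflow):
    """Return {job_id: [secret names]} for jobs that use ${{ secrets.* }} but declare
    no job-level `environment:` key. Constructed checker, not the PR's Semgrep rule;
    assumes space-indented YAML with `jobs:` at column 0."""
    in_jobs, current, job_indent, key_indent = False, None, None, None
    referenced, with_environment = {}, set()   # job -> secret names / jobs with environment
    for raw in workflow.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                              # top-level key: are we under jobs:?
            in_jobs, current = stripped == "jobs:", None
            continue
        if not in_jobs:
            continue
        job_indent = job_indent or indent            # column where job ids live
        if indent == job_indent and stripped.endswith(":"):
            current, key_indent = stripped[:-1], None    # new job id
            referenced.setdefault(current, [])
        elif current is not None:
            key_indent = key_indent or indent        # column of the job's own keys
            if indent == key_indent and stripped.startswith("environment:"):
                with_environment.add(current)        # job-level only, not a step's with:
            referenced[current] += SECRET_REF.findall(raw)
    return {job: sorted(set(names)) for job, names in referenced.items()
            if names and job not in with_environment}

SAMPLE_WORKFLOW = """\
on: [push]
jobs:
  publish:
    steps:
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  deploy:
    environment: production
    steps:
      - run: ./deploy.sh ${{ secrets.DEPLOY_KEY }}
  notify:
    steps:
      - uses: example/notify@v1   # placeholder action name
        with:
          environment: production   # step input, not the job-level key
          token: ${{ secrets.SLACK_TOKEN }}
"""
```

Running `secrets_without_environment(SAMPLE_WORKFLOW)` flags `publish` and `notify` but not `deploy`.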

@NyanKiyoshi NyanKiyoshi self-assigned this Mar 4, 2026
NyanKiyoshi added a commit that referenced this pull request Mar 4, 2026
Needed by #10: the latest version fixes a bug with the `--validate` command (which causes the CI to fail). The version is also ancient, thus needs upgrading.
@NyanKiyoshi NyanKiyoshi force-pushed the feat/yaml/gha/add-secrets-without-environment branch from cd9feed to fb68cdc March 4, 2026 17:46
@NyanKiyoshi NyanKiyoshi changed the base branch from main to chore/upgrade-semgrep March 4, 2026 17:46
@NyanKiyoshi NyanKiyoshi marked this pull request as ready for review March 4, 2026 17:47
@NyanKiyoshi NyanKiyoshi requested review from a team, IKarbowiak, cmiacz and przlada March 4, 2026 17:47
IKarbowiak
IKarbowiak previously approved these changes Mar 5, 2026
NyanKiyoshi added a commit that referenced this pull request Mar 5, 2026
Needed by #10: the latest version fixes a bug with the `--validate` command (which causes the CI to fail). The version is also ancient, thus needs upgrading.
Base automatically changed from chore/upgrade-semgrep to main March 5, 2026 12:03
@NyanKiyoshi NyanKiyoshi dismissed IKarbowiak’s stale review March 5, 2026 12:03

The base branch was changed.

@NyanKiyoshi NyanKiyoshi force-pushed the feat/yaml/gha/add-secrets-without-environment branch from fb68cdc to 2f61598 March 5, 2026 12:06
@NyanKiyoshi
Member Author

(Branch was rebased and cleaned)

@NyanKiyoshi NyanKiyoshi requested a review from IKarbowiak March 5, 2026 12:07
@NyanKiyoshi NyanKiyoshi merged commit 769068a into main Mar 5, 2026
7 checks passed
@NyanKiyoshi NyanKiyoshi deleted the feat/yaml/gha/add-secrets-without-environment branch March 5, 2026 12:33