chore(pre-commit): add pre-commit config and non-blocking secret-scan… #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Secret Scanning | ||
| on: | ||
| push: {} | ||
| pull_request: {} | ||
| jobs: | ||
| detect-secrets: | ||
| name: Detect Secrets (non-blocking) | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: '3.x' | ||
| - name: Install detect-secrets | ||
| run: python -m pip install detect-secrets==1.4.0 | ||
| - name: Run detect-secrets scan (non-blocking) | ||
| run: | | ||
| detect-secrets scan --all-files --json > detect-secrets-output.json || true | ||
| continue-on-error: true | ||
| - name: Upload detect-secrets report | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: detect-secrets-report | ||
| path: detect-secrets-output.json | ||
| - name: Optional: Run gitleaks (Docker) | ||
| run: | | ||
| docker run --rm -v "$PWD":/repo zricethezav/gitleaks:8.18.0 detect --source=/repo --report-path=/repo/gitleaks-report.json || true | ||
| continue-on-error: true | ||
| - name: Upload gitleaks report | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: gitleaks-report | ||
| path: gitleaks-report.json | ||
| - name: Notice | ||
| run: | | ||
| echo "This workflow produces non-blocking secret-scan reports and uploads them as artifacts for manual review.\n" \ | ||
| "To enable blocking scans, maintainers should review the report artifacts, create a sanitized `.secrets.baseline` for detect-secrets, and update the workflow to fail on detections." | ||