Bump guibranco/github-file-reader-action-v2 from 2.2.612 to 2.2.620 #11
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Infisical secrets check | |
on: | |
workflow_dispatch: | |
pull_request: | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
secrets-scan: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
pull-requests: write | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Set Infisical package source | |
shell: bash | |
run: curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash | |
- name: Install tools | |
shell: bash | |
run: | | |
sudo apt-get update && sudo apt-get install -y infisical | |
pip install csvkit | |
npm install -g csv-to-markdown-table | |
- name: Run scan | |
shell: bash | |
run: infisical scan --redact -f csv -r secrets-result-raw.csv 2>&1 | tee >(sed -r 's/\x1b\[[0-9;]*m//g' >secrets-result.log) | |
- name: Generate report | |
shell: bash | |
if: failure() | |
run: | | |
if [[ -s secrets-result-raw.csv ]]; then | |
csvformat -M $'\r' secrets-result-raw.csv | sed -e ':a' -e 'N;$!ba' -e 's/\n/\\n/g' | tr '\r' '\n' | head -n 11 >secrets-result.csv | |
csv-to-markdown-table --delim , --headers <secrets-result.csv >secrets-result.md | |
fi | |
- name: Upload artifacts secrets-result.log | |
uses: actions/upload-artifact@v4 | |
if: always() | |
with: | |
name: report-log | |
path: secrets-result.log | |
- name: Upload artifacts secrets-result.csv | |
uses: actions/upload-artifact@v4 | |
if: failure() | |
with: | |
name: report-csv | |
path: secrets-result.csv | |
- name: Upload artifacts secrets-result.md | |
uses: actions/upload-artifact@v4 | |
if: failure() | |
with: | |
name: report-md | |
path: secrets-result.md | |
- name: Read secrets-result.log | |
uses: guibranco/[email protected] | |
if: always() | |
id: log | |
with: | |
path: secrets-result.log | |
- name: Read secrets-result.md | |
uses: guibranco/[email protected] | |
if: failure() | |
id: report | |
with: | |
path: secrets-result.md | |
- name: Update PR with comment | |
uses: mshick/add-pr-comment@v2 | |
if: always() | |
with: | |
refresh-message-position: true | |
message-id: 'secrets-result' | |
message: | | |
**Infisical secrets check:** :white_check_mark: No secrets leaked! | |
**Scan results:** | |
``` | |
${{ steps.log.outputs.contents }} | |
``` | |
message-failure: | | |
**Infisical secrets check:** :rotating_light: Secrets leaked! | |
**Scan results:** | |
``` | |
${{ steps.log.outputs.contents }} | |
``` | |
<details> | |
<summary>🔎 Detected secrets in your GIT history</summary> | |
${{ steps.report.outputs.contents }} | |
</details> | |
message-cancelled: | | |
**Infisical secrets check:** :o: Secrets check cancelled! |