Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update infisical-secrets-check.yml #30

Merged
merged 1 commit into from
Jul 14, 2024
Merged

Update infisical-secrets-check.yml #30

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 43 additions & 9 deletions .github/workflows/infisical-secrets-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,14 +26,46 @@ jobs:
shell: bash
run: curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash

- name: Install Infisical
- name: Install tools
shell: bash
run: |
sudo apt-get update && sudo apt-get install -y infisical
pip install csvkit
npm install -g csv-to-markdown-table

- name: Run scan
shell: bash
run: infisical scan --redact -f csv -r secrets-result.csv 2>&1 | tee >(sed -r 's/\x1b\[[0-9;]*m//g' > secrets-result.log)
run: infisical scan --redact -f csv -r secrets-result-raw.csv 2>&1 | tee >(sed -r 's/\x1b\[[0-9;]*m//g' >secrets-result.log)

- name: Generate report
shell: bash
if: failure()
run: |
if [[ -s secrets-result-raw.csv ]]; then
csvformat -M $'\r' secrets-result-raw.csv | sed -e ':a' -e 'N;$!ba' -e 's/\n/\\n/g' | tr '\r' '\n' | head -n 11 >secrets-result.csv
csv-to-markdown-table --delim , --headers <secrets-result.csv >secrets-result.md
fi

- name: Upload artifacts secrets-result.log
uses: actions/upload-artifact@v4
if: always()
with:
name: report-log
path: secrets-result.log

- name: Upload artifacts secrets-result.csv
uses: actions/upload-artifact@v4
if: failure()
with:
name: report-csv
path: secrets-result.csv

- name: Upload artifacts secrets-result.md
uses: actions/upload-artifact@v4
if: failure()
with:
name: report-md
path: secrets-result.md

- name: Read secrets-result.log
uses: guibranco/[email protected]
Comment on lines 26 to 71
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CODE REVIEW

Feedback

  1. Combine Install Commands: Combine apt-get commands to reduce redundancy and enhance readability.
  2. Check Package Installation: Check if csvkit and csv-to-markdown-table are already installed to avoid redundancy.
  3. Error Handling: Add error handling for the curl command to catch download errors.

Code Examples

-      - name: Install tools
+      - name: Install tools
         shell: bash
         run: | 
           sudo apt-get update && sudo apt-get install -y infisical
+          if ! pip show csvkit > /dev/null 2>&1; then pip install csvkit; fi
+          if ! npm list -g csv-to-markdown-table > /dev/null 2>&1; then npm install -g csv-to-markdown-table; fi

-       run: curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh'
+       run: curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' || (echo "Failed to download script"; exit 1)

Expand All @@ -42,12 +74,12 @@ jobs:
with:
path: secrets-result.log

- name: Read secrets-result.log
- name: Read secrets-result.md
uses: guibranco/[email protected]
if: failure()
id: report
with:
path: secrets-result.csv
path: secrets-result.md

- name: Update PR with comment
uses: mshick/add-pr-comment@v2
Comment on lines 74 to 85
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CODE REVIEW

  1. Consistent File Extensions:
    Good change in ensuring the file extension is consistent across actions.

  2. Additional Improvements:

    • Consider adding comments for clarity.
# Ensuring log format consistency as markdown
with:
  path: secrets-result.md

Keep the commit messages more descriptive. "Read secrets-result.log" should be updated to "Read secrets-result.md for consistency".

Expand All @@ -62,17 +94,19 @@ jobs:
```
${{ steps.log.outputs.contents }}
```

message-failure: |
**Infisical secrets check:** :rotating_light: Secrets leaked!

**Scan results:**
```
${{ steps.log.outputs.contents }}
```
**Scan report:**
```
${{ steps.report.outputs.contents }}
```

<details>
<summary>🔎 Detected secrets in your GIT history</summary>

${{ steps.report.outputs.contents }}

</details>
message-cancelled: |
**Infisical secrets check:** :o: Secrets check cancelled!
Comment on lines 94 to 112
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CODE REVIEW

  1. Inconsistent Markdown usage with backticks: Ensure consistent formatting for better readability.

  2. Improper usage of details summary: Follow HTML standards for clarity.

Suggested Changes:

message-failure: |
  **Infisical secrets check:** :rotating_light: Secrets leaked!     
  
  **Scan results:**

${{ steps.log.outputs.contents }}


<details>
  <summary>🔎 Detected secrets in your GIT history</summary>
  <pre>${{ steps.report.outputs.contents }}</pre>
</details>

Explanation

  1. Requires usage of <pre> within <details> to preserve formatting.