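---
# Scans the repository's full git history for committed secrets using
# awslabs/git-secrets. The job fails when a prohibited pattern is found.
name: "Lint secrets"
on: # yamllint disable-line rule:truthy
  push:
    branches:
      - 'main'
      - 'releases/**'
  pull_request: {}

# Least privilege: every step only reads repository contents, so the
# workflow token does not need any write scope.
permissions:
  contents: read

jobs:
  lint-secrets:
    runs-on: ubuntu-latest
    steps:
      # Full history is fetched so that `git secrets --scan-history` in the
      # last step has every commit available to inspect, not only the tip.
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      # TODO(danh): this install+configure git-secrets is a good candidate for a
      # custom action repo -- closest to our needs I found is:
      # https://github.com/kams-mash/gh-secrets-scanner-action
      # NOTE(review): tags are mutable; consider pinning `ref` to the commit
      # SHA behind the 1.3.0 tag, since the checked-out source is built and
      # installed with sudo in the next step.
      - uses: actions/checkout@v3
        with:
          repository: awslabs/git-secrets
          ref: "1.3.0"
          path: .tmp/git-secrets-repo
          fetch-depth: 0
      - name: Compile and install git-secrets
        run: |
          sudo make -C .tmp/git-secrets-repo install
          # needed to avoid having the secret scan include the git-secrets repo
          rm -rf .tmp
      - name: Configure git-secrets
        run: |
          # workaround git-secrets requiring the say command
          ln -s "$(which echo)" /usr/local/bin/say
          git secrets --install
          git secrets --register-aws
          git secrets --add '"private_key":\s"-----BEGIN\sPRIVATE\sKEY-----'
      - name: Run scan
        run: git secrets --scan-history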