CI: add test-diff actions (#786)

* CI: add test-diff actions

* docs: add diff actions docs

* CI: nit

* add ignore

* docs: update REAMDE

* docs: update REAMDE

.github/workflows/test-diff.yml

@@ -0,0 +1,35 @@
+name: test-diff
+on:
+  push:
+  pull_request:
+permissions:
+  contents: read
+jobs:
+  test-diff:
+    name: "Run secretlint to diff files"
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: setup Node ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+      - name: Get changed files
+        id: changed-files-yaml
+        uses: tj-actions/changed-files@v41
+      - name: Install
+        run: yarn install
+      - name: Build
+        run: yarn run build
+      - name: Run secretlint
+        run: yarn secretlint "${{ steps.changed-files-yaml.outputs.added_files }}"
+        env:
+          ADDED_FILES: ${{ steps.changed-files.outputs.added_files }}
+      - name: "How to Fix?"
+        if: failure()
+        run: |
+          echo '# Sectlint found credentials' >> $GITHUB_STEP_SUMMARY
+          echo 'Please check secretlint result and fix it' >> $GITHUB_STEP_SUMMARY
+          echo 'if you need to ignore the result, please use .secretlintignore file' >> $GITHUB_STEP_SUMMARY
+          echo 'Please see <https://github.com/secretlint/secretlint/blob/master/docs/configuration.md#ignoring-files> for more details' >> $GITHUB_STEP_SUMMARY

.secretlintrc.json

@@ -19,6 +19,17 @@
               "https://hooks.slack.com/services/T11111AA/BAAAA111A/qKirRWalryBGqKirRWalryBG"
             ]
           }
+        },
+        {
+          "id": "@secretlint/secretlint-rule-shopify",
+          "options": {
+            "allows": [
+              "shpss_QlRSJy5AXX1cILNjVatTsEIhFxuPF5ex",
+              "shpat_r8TRc9ZXAvcVvcrmtr7qoVw69WeeY1ex",
+              "shppa_7jqbg9cupMkZRxJKXWz3v8BvS8QBa7hMdJfAex",
+              "shpca_7jqbg9cupMkZRxJKXWz3v8BvS8QBa7hMdJfAex"
+            ]
+          }
         }
       ]
     }

README.md

@@ -467,9 +467,9 @@ jobs:
       - name: setup Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: 18
+          node-version: 20
       - name: Install
-        run: npm install
+        run: npm ci
       - name: Lint with Secretlint
         run: npx secretlint "**/*"
 ```
@@ -481,6 +481,35 @@ This configuration also integrate Pull Request review comment via [actions/setup
 - Example Repository: https://github.com/secretlint/secretlint-github-actions-example
 - Example Pull Request: https://github.com/secretlint/secretlint-github-actions-example/pull/1/files
 
+If you want to only check diff files, please see following example:
+
+```yaml
+name: test-diff
+on: [push, pull_request]
+permissions:
+  contents: read
+jobs:
+  test-diff:
+    name: "Run secretlint to diff files"
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+      - name: setup Node ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+      - name: Get changed files
+        id: changed-files-yaml
+        uses: tj-actions/changed-files@v41
+      - name: Install
+        run: npm ci
+      - name: Run secretlint
+        run: npx secretlint "${{ steps.changed-files-yaml.outputs.added_files }}"
+        env:
+          ADDED_FILES: ${{ steps.changed-files.outputs.added_files }}
+```
+
 #### Mega-Linter
 
 [Mega-Linter](https://nvuillam.github.io/mega-linter/) is a linters aggregator natively compliant with any CI tool, embedding [80+ linting apps](https://nvuillam.github.io/mega-linter/supported-linters/), including [**secretlint**](https://nvuillam.github.io/mega-linter/descriptors/credentials_secretlint/) by default.