From 0ab5469ed7b396d067816c102f2c20b175dfebd4 Mon Sep 17 00:00:00 2001 From: currantw Date: Mon, 17 Nov 2025 13:33:27 -0800 Subject: [PATCH 1/4] Add `git-secrets-scan` workflow Signed-off-by: currantw --- .github/workflows/git-secrets-scan.yml | 37 ++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/git-secrets-scan.yml diff --git a/.github/workflows/git-secrets-scan.yml b/.github/workflows/git-secrets-scan.yml new file mode 100644 index 00000000..14ff0dce --- /dev/null +++ b/.github/workflows/git-secrets-scan.yml @@ -0,0 +1,37 @@ +name: Git Secrets Scan + +permissions: + contents: read + +on: + push: + branches: + - main + - release-* + - v* + workflow_dispatch: + +concurrency: + group: git-secrets-scan-${{ github.head_ref || github.ref }} + cancel-in-progress: true + +jobs: + scan: + runs-on: ubuntu-latest + timeout-minutes: 10 + + steps: + - name: Checkout code + uses: actions/checkout@v5 + + - name: Install git-secrets + run: | + git clone --depth 1 --branch 1.3.0 https://github.com/awslabs/git-secrets.git + cd git-secrets + sudo make install + + - name: Configure git-secrets + run: git secrets --register-aws + + - name: Run git-secrets + run: git secrets --scan From 4009714591b516188e27744c1388ddf153de7754 Mon Sep 17 00:00:00 2001 From: currantw Date: Wed, 19 Nov 2025 15:15:13 -0800 Subject: [PATCH 2/4] fix(ci): run git-secrets scan on pull requests instead of push Change git-secrets workflow to trigger on pull_request events rather than push events to main/release branches. This prevents secrets from being merged rather than detecting them after the fact. Addresses review feedback to catch secrets before merge. Signed-off-by: currantw --- .github/workflows/git-secrets-scan.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/git-secrets-scan.yml b/.github/workflows/git-secrets-scan.yml index 14ff0dce..8d750df3 100644 --- a/.github/workflows/git-secrets-scan.yml 
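Review bot: `git secrets --scan` in the final step only inspects the files currently in the working tree, so a credential that was committed and then removed in a later commit on the same branch is never seen, and with the checkout step at its default shallow fetch there is no history available to scan anyway. If the goal is to keep secrets out of history entirely, set `fetch-depth: 0` on the `actions/checkout@v5` step and run `git secrets --scan-history` instead, or add a comment above the scan step stating that a working-tree scan is the intended scope. The install step clones the scanner by the mutable tag `1.3.0` and then runs `sudo make install` from that clone; pinning the clone (and, likewise, the checkout action) to a commit SHA makes the scanner's own supply chain reproducible. `--register-aws` installs only the built-in AWS patterns, so a comment such as `# Only the built-in AWS patterns are registered; other providers need git secrets --add <pattern>` would set reader expectations about coverage.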
+++ b/.github/workflows/git-secrets-scan.yml @@ -4,11 +4,7 @@ permissions: contents: read on: - push: - branches: - - main - - release-* - - v* + pull_request: workflow_dispatch: concurrency: From ed3edb1600eb7603ac8b980f4ec26c1f19ac6c87 Mon Sep 17 00:00:00 2001 From: currantw Date: Wed, 19 Nov 2025 22:59:18 -0800 Subject: [PATCH 3/4] Fix formatting Signed-off-by: currantw --- .github/workflows/git-secrets-scan.yml | 40 +++++++++++++------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/git-secrets-scan.yml b/.github/workflows/git-secrets-scan.yml index 8d750df3..d8e42da4 100644 --- a/.github/workflows/git-secrets-scan.yml +++ b/.github/workflows/git-secrets-scan.yml @@ -1,33 +1,33 @@ name: Git Secrets Scan permissions: - contents: read + contents: read on: - pull_request: - workflow_dispatch: + pull_request: + workflow_dispatch: concurrency: - group: git-secrets-scan-${{ github.head_ref || github.ref }} - cancel-in-progress: true + group: git-secrets-scan-${{ github.head_ref || github.ref }} + cancel-in-progress: true jobs: - scan: - runs-on: ubuntu-latest - timeout-minutes: 10 + scan: + runs-on: ubuntu-latest + timeout-minutes: 10 - steps: - - name: Checkout code - uses: actions/checkout@v5 + steps: + - name: Checkout code + uses: actions/checkout@v5 - - name: Install git-secrets - run: | - git clone --depth 1 --branch 1.3.0 https://github.com/awslabs/git-secrets.git - cd git-secrets - sudo make install + - name: Install git-secrets + run: | + git clone --depth 1 --branch 1.3.0 https://github.com/awslabs/git-secrets.git + cd git-secrets + sudo make install - - name: Configure git-secrets - run: git secrets --register-aws + - name: Configure git-secrets + run: git secrets --register-aws - - name: Run git-secrets - run: git secrets --scan + - name: Run git-secrets + run: git secrets --scan From a0e92cba82714e17bab4247d340561f70a3a6b0d Mon Sep 17 00:00:00 2001 
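Review bot: Replacing the `push` trigger with `pull_request` means any commit that reaches `main`, `release-*` or `v*` without going through a pull request — a direct push, or a merge made while this check is not required by branch protection — is no longer scanned at all, and `workflow_dispatch` only covers manual runs. Unless the check is enforced as required, keeping both triggers (`pull_request:` together with the removed `push:` block) gives pre-merge blocking plus a post-merge safety net; since the commit message documents a PR-only intent, a one-line comment above `on:` recording that assumption would help the next maintainer. Note also that on `pull_request` the checkout action by default checks out the PR's merge commit, so a secret present only in an intermediate commit of the PR but absent from its final tree still passes a working-tree `git secrets --scan`.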
From: currantw Date: Wed, 19 Nov 2025 23:01:49 -0800 Subject: [PATCH 4/4] Arrggg. More linting problems Signed-off-by: currantw --- .github/workflows/git-secrets-scan.yml | 40 +++++++++++++------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/git-secrets-scan.yml b/.github/workflows/git-secrets-scan.yml index d8e42da4..8d750df3 100644 --- a/.github/workflows/git-secrets-scan.yml +++ b/.github/workflows/git-secrets-scan.yml @@ -1,33 +1,33 @@ name: Git Secrets Scan permissions: - contents: read + contents: read on: - pull_request: - workflow_dispatch: + pull_request: + workflow_dispatch: concurrency: - group: git-secrets-scan-${{ github.head_ref || github.ref }} - cancel-in-progress: true + group: git-secrets-scan-${{ github.head_ref || github.ref }} + cancel-in-progress: true jobs: - scan: - runs-on: ubuntu-latest - timeout-minutes: 10 + scan: + runs-on: ubuntu-latest + timeout-minutes: 10 - steps: - - name: Checkout code - uses: actions/checkout@v5 + steps: + - name: Checkout code + uses: actions/checkout@v5 - - name: Install git-secrets - run: | - git clone --depth 1 --branch 1.3.0 https://github.com/awslabs/git-secrets.git - cd git-secrets - sudo make install + - name: Install git-secrets + run: | + git clone --depth 1 --branch 1.3.0 https://github.com/awslabs/git-secrets.git + cd git-secrets + sudo make install - - name: Configure git-secrets - run: git secrets --register-aws + - name: Configure git-secrets + run: git secrets --register-aws - - name: Run git-secrets - run: git secrets --scan + - name: Run git-secrets + run: git secrets --scan