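# GitHub Actions workflow: fail the run when a fresh detect-secrets scan of the
# checkout produces a baseline that differs from the committed
# .secrets.baseline (ignoring only the scan timestamp).
name: Detect Secrets Scan

# `on` is a YAML 1.1 boolean-looking key; GitHub's own loader handles it.
on:  # yamllint disable-line rule:truthy
  push:
    branches: ["**"]
  pull_request:
    branches: [cloudant]

# Least privilege: the job only reads the checkout and never pushes, comments
# or writes issues/PRs, so the default read/write GITHUB_TOKEN is not needed.
permissions:
  contents: read

env:
  # Git ref of the IBM detect-secrets fork that gets installed. `master` is a
  # moving target (non-reproducible builds, and any change to that branch is
  # executed here unreviewed); prefer a release tag or a full commit SHA once
  # one has been chosen.
  DETECT_SECRETS_REF: master

jobs:
  detect-secrets:
    name: Scan for Secrets (uses committed baseline config)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install detect-secrets
        # The ref is taken from the workflow-level env so it is pinned in one place.
        run: pip install "git+https://github.com/ibm/detect-secrets.git@${DETECT_SECRETS_REF}#egg=detect-secrets"

      - name: Compare baseline
        run: |
          set -euo pipefail
          # Scratch files are removed on every exit path (pass, fail, or an
          # unexpected error), so cleanup is not duplicated per branch.
          trap 'rm -f .secrets.baseline.bak before.cleaned after.cleaned secrets.diff' EXIT
          cp .secrets.baseline .secrets.baseline.bak
          detect-secrets scan --update .secrets.baseline --suppress-unscannable-file-warnings
          # Drop the scan timestamp so only real content differences are compared.
          grep -v '"generated_at":' .secrets.baseline.bak > before.cleaned
          grep -v '"generated_at":' .secrets.baseline > after.cleaned
          if ! diff before.cleaned after.cleaned > secrets.diff; then
            echo "::error::Secrets baseline changed (excluding timestamp)."
            cat secrets.diff
            exit 1
          fi
          echo "✅ No actual secret changes detected."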