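---
# Security checks for the repository: workflow linting and secret scanning.
# Both jobs run on self-hosted runners, so pull requests whose head repo is not
# this repository (forks) are skipped by the job-level `if:` instead of running
# fork-controlled content on repository-owned infrastructure.
name: Security
"on":
  pull_request:
  push:
    branches:
      - main
  workflow_dispatch:

# One run per pull request (or per ref for pushes); a newer run supersedes an
# in-progress one for the same group.
concurrency:
  group: >-
    ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  workflow_lint:
    # Run for pushes and manual dispatches, and for pull requests only when the
    # head repo is this repository; fork pull requests are not executed here.
    if: >-
      github.event_name != 'pull_request' ||
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on:
      - self-hosted
      - ${{ vars.LAUNCHPLANE_RUNNER_LABEL }}
    permissions:
      contents: read
    # Bound a hung image pull or lint so the runner is not held for the
    # 6-hour default (constructed value; adjust to the job's usual wall time).
    timeout-minutes: 15
    steps:
      - name: Checkout
        # NOTE(review): a major-version tag is mutable. Pinning to the full
        # commit SHA of the release (`actions/checkout@<full-commit-sha> # v6`)
        # makes the checkout reproducible and tamper-evident.
        uses: actions/checkout@v6
      - name: Lint GitHub Actions workflows
        # Explicit `bash` runs the script with `-eo pipefail`; the default shell
        # only sets `-e`, so a failure inside a pipeline would not fail the step.
        shell: bash
        # The workspace is mounted read-only: actionlint only reads the tree.
        # The image is pinned by version tag; pinning by digest
        # (`rhysd/actionlint@sha256:<digest>`) would also guard against a
        # re-published tag.
        run: |
          docker run --rm \
            -v "${PWD}:/repo:ro" \
            -w /repo \
            rhysd/actionlint:1.7.12 \
            -config-file .github/actionlint.yaml

  secret_scan:
    # Same fork guard as workflow_lint: self-hosted runners must not execute
    # content from repositories the organisation does not control.
    if: >-
      github.event_name != 'pull_request' ||
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on:
      - self-hosted
      - ${{ vars.LAUNCHPLANE_RUNNER_LABEL }}
    permissions:
      contents: read
    # Bound a hung image pull or scan (constructed value; adjust as needed).
    timeout-minutes: 15
    steps:
      - name: Checkout
        # NOTE(review): see workflow_lint — prefer pinning to the full commit SHA.
        uses: actions/checkout@v6
      - name: Scan current tree for committed secrets
        # `bash` gives `-eo pipefail`, so a failing `git ls-files` in the
        # pipeline below fails the step instead of being masked by rsync's exit code.
        shell: bash
        # Only the tracked files are copied into a scratch directory and scanned
        # with --no-git: this checks the current tree, not the commit history.
        # A secret that was committed and later removed is therefore not
        # reported by this job. --redact keeps matched values out of the log.
        # The image is pinned by version tag; a digest pin
        # (`ghcr.io/gitleaks/gitleaks@sha256:<digest>`) would be stronger.
        run: |
          scan_path="${RUNNER_TEMP}/gitleaks-source"
          rm -rf "${scan_path}"
          mkdir -p "${scan_path}"
          git ls-files -z | rsync -a --files-from=- --from0 ./ "${scan_path}/"
          docker run --rm \
            -v "${scan_path}:/repo:ro" \
            -w /repo \
            ghcr.io/gitleaks/gitleaks:v8.30.1 detect \
            --source . \
            --no-git \
            --redact \
            --verbose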