From 8c2e42c47ebdafadbfd03cb15c3c9e73d58744d8 Mon Sep 17 00:00:00 2001
From: jothi
Date: Tue, 25 Nov 2025 08:10:33 +0000
Subject: [PATCH] Add .github/workflows/kingfisher-secrets-scan.yaml

---
 .../workflows/kingfisher-secrets-scan.yaml | 60 +++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 .github/workflows/kingfisher-secrets-scan.yaml

diff --git a/.github/workflows/kingfisher-secrets-scan.yaml b/.github/workflows/kingfisher-secrets-scan.yaml
new file mode 100644
index 0000000..f4ec8f7
--- /dev/null
+++ b/.github/workflows/kingfisher-secrets-scan.yaml
@@ -0,0 +1,60 @@
+# Filename: .github/workflows/kingfisher-secrets-scan.yaml
+# Gitea Actions workflow for ACT Runner to scan for leaked secrets using Kingfisher
+
+name: Scan for leaked secrets using Kingfisher
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  kingfisher-secrets-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v5
+
+      - name: Get Kingfisher version and arch
+        id: get_version_arch
+        run: |
+          VERSION=$(curl -s https://api.github.com/repos/mongodb/kingfisher/releases/latest | jq -r '.tag_name')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+          ARCH_RAW=$(arch)
+          if [ "$ARCH_RAW" = "x86_64" ]; then
+            ARCH="x64"
+          elif [ "$ARCH_RAW" = "aarch64" ]; then
+            ARCH="arm64"
+          else
+            echo "Unsupported architecture: $ARCH_RAW"
+            exit 1
+          fi
+          echo "arch=$ARCH" >> $GITHUB_OUTPUT
+          cat $GITHUB_OUTPUT
+
+      - name: Cache kingfisher binary
+        id: cache
+        uses: actions/cache@v4
+        with:
+          path: /usr/local/bin
+          key: ${{ runner.os }}-kingfisher-${{ steps.get_version_arch.outputs.version }}-${{ steps.get_version_arch.outputs.arch }}
+          restore-keys: |
+            ${{ runner.os }}-kingfisher-${{ steps.get_version_arch.outputs.arch }}
+
+      - name: Install kingfisher if cache missed
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: |
+          URL=$(curl -s https://api.github.com/repos/mongodb/kingfisher/releases/latest | \
+            jq -r --arg arch "${{ steps.get_version_arch.outputs.arch }}" '.assets[] |
+            select(.name | test("kingfisher-linux-" + $arch + "\\.tgz")) |
+            .browser_download_url')
+          echo "Downloading Kingfisher from $URL"
+          curl -sL $URL | tar -xz -C /usr/local/bin kingfisher
+          chmod +x /usr/local/bin/kingfisher
+
+      - name: Run Kingfisher scan
+        continue-on-error: true
+        run: |
+          kingfisher scan -n -r ${{ github.workspace }}
\ No newline at end of file
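Review bot: The "Install kingfisher if cache missed" step pipes `curl -sL $URL | tar -xz` straight into `/usr/local/bin` with no integrity check, and `$URL` is whatever the unauthenticated `releases/latest` lookup returns at run time, so the secret scanner itself is an unpinned, unverified binary executed on every push and pull request. Pin a release tag instead of resolving `latest`, quote `"$URL"`, make curl fail on HTTP errors with `-f`, and verify the archive before extracting, e.g. `curl -sSfL "$URL" -o kingfisher.tgz`, `echo "<EXPECTED_SHA256>  kingfisher.tgz" | sha256sum -c -` (hash taken from the release's published checksum, if the project provides one), then `tar -xzf kingfisher.tgz -C /usr/local/bin kingfisher`. The `continue-on-error: true` on the "Run Kingfisher scan" step means a finding never fails the job, so the workflow reports but does not block a leaked secret; drop it once the scanner's exit code is trusted, or add a comment stating that non-blocking behaviour is intended. The unauthenticated API calls are also rate-limited, and when the lookup fails `jq -r '.tag_name'` yields `null`, which silently becomes the cache-key version and an unusable download URL; at minimum guard the install with `[ -n "$URL" ] && [ "$URL" != "null" ]` before downloading.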