Add .github/workflows/kingfisher-secrets-scan.yaml

2025-11-25 08:10:33 +00:00
parent 158590a399
commit 8c2e42c47e
1 changed files with 60 additions and 0 deletions
--- a/.github/workflows/kingfisher-secrets-scan.yaml
+++ b/.github/workflows/kingfisher-secrets-scan.yaml
@@ -0,0 +1,60 @@
 # Filename: .github/workflows/kingfisher-secrets-scan.yaml
 # Gitea Actions workflow for ACT Runner to scan for leaked secrets using Kingfisher
 name: Scan for leaked secrets using Kingfisher
 on:
  push:
  pull_request:
  workflow_dispatch:
 jobs:
  kingfisher-secrets-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v5
      - name: Get Kingfisher version and arch
        id: get_version_arch
        run: |
          VERSION=$(curl -s https://api.github.com/repos/mongodb/kingfisher/releases/latest | jq -r '.tag_name')
          echo "version=$VERSION" >> $GITHUB_OUTPUT
          ARCH_RAW=$(arch)
          if [ "$ARCH_RAW" = "x86_64" ]; then
            ARCH="x64"
          elif [ "$ARCH_RAW" = "aarch64" ]; then
            ARCH="arm64"
          else
            echo "Unsupported architecture: $ARCH_RAW"
            exit 1
          fi
          echo "arch=$ARCH" >> $GITHUB_OUTPUT
          cat $GITHUB_OUTPUT
      - name: Cache kingfisher binary
        id: cache
        uses: actions/cache@v4
        with:
          path: /usr/local/bin
          key: ${{ runner.os }}-kingfisher-${{ steps.get_version_arch.outputs.version }}-${{ steps.get_version_arch.outputs.arch }}
          restore-keys: |
            ${{ runner.os }}-kingfisher-${{ steps.get_version_arch.outputs.arch }}
      - name: Install kingfisher if cache missed
        if: steps.cache.outputs.cache-hit != 'true'
        run: |
          URL=$(curl -s https://api.github.com/repos/mongodb/kingfisher/releases/latest | \
            jq -r --arg arch "${{ steps.get_version_arch.outputs.arch }}" '.assets[] |
              select(.name | test("kingfisher-linux-" + $arch + "\\.tgz")) |
              .browser_download_url')
          echo "Downloading Kingfisher from $URL"
          curl -sL $URL | tar -xz -C /usr/local/bin kingfisher
          chmod +x /usr/local/bin/kingfisher
      - name: Run Kingfisher scan
        continue-on-error: true
        run: |
          kingfisher scan -n -r ${{ github.workspace }}