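---
# Filename: .github/workflows/kingfisher-secrets-scan.yaml
# Gitea Actions workflow for ACT Runner to scan for leaked secrets using Kingfisher
#
# Flow: resolve the latest Kingfisher release tag and the runner architecture,
# restore the binary from cache or download it, then scan the checked-out tree.
name: Scan for leaked secrets using Kingfisher

# `on` reads as a boolean key under YAML 1.1 loaders; the Actions loader handles it.
on:
  push:
  pull_request:
  workflow_dispatch:

jobs:
  kingfisher-secrets-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v5

      - name: Get Kingfisher version and arch
        id: get_version_arch
        run: |
          set -euo pipefail
          # Resolve the latest release tag once; the install step reuses it so
          # the cache key and the downloaded asset refer to the same release.
          VERSION=$(curl -sSf https://api.github.com/repos/mongodb/kingfisher/releases/latest | jq -r '.tag_name')
          if [ -z "$VERSION" ] || [ "$VERSION" = "null" ]; then
            echo "Could not resolve the latest Kingfisher release tag"
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          # Map the machine architecture to the suffix used in release asset names.
          ARCH_RAW=$(arch)
          case "$ARCH_RAW" in
            x86_64)  ARCH="x64" ;;
            aarch64) ARCH="arm64" ;;
            *)
              echo "Unsupported architecture: $ARCH_RAW"
              exit 1
              ;;
          esac
          echo "arch=$ARCH" >> "$GITHUB_OUTPUT"
          cat "$GITHUB_OUTPUT"

      - name: Cache kingfisher binary
        id: cache
        uses: actions/cache@v4
        with:
          # NOTE(review): caching all of /usr/local/bin restores more than the
          # kingfisher binary; a dedicated directory would be narrower.
          path: /usr/local/bin
          key: ${{ runner.os }}-kingfisher-${{ steps.get_version_arch.outputs.version }}-${{ steps.get_version_arch.outputs.arch }}
          # A partial match restores an older binary but leaves cache-hit
          # unset, so the install step below still runs and replaces it.
          restore-keys: |
            ${{ runner.os }}-kingfisher-${{ steps.get_version_arch.outputs.arch }}

      - name: Install kingfisher if cache missed
        if: steps.cache.outputs.cache-hit != 'true'
        env:
          VERSION: ${{ steps.get_version_arch.outputs.version }}
          ARCH: ${{ steps.get_version_arch.outputs.arch }}
        run: |
          set -euo pipefail
          # Look up the asset for the tag resolved in the previous step rather
          # than querying "latest" a second time, so a release published between
          # the two steps cannot desynchronise the cache key from the binary.
          URL=$(curl -sSf "https://api.github.com/repos/mongodb/kingfisher/releases/tags/$VERSION" | \
            jq -r --arg arch "$ARCH" '.assets[] | select(.name | test("kingfisher-linux-" + $arch + "\\.tgz")) | .browser_download_url')
          if [ -z "$URL" ] || [ "$URL" = "null" ]; then
            echo "No kingfisher-linux-$ARCH.tgz asset found for release $VERSION"
            exit 1
          fi
          echo "Downloading Kingfisher from $URL"
          # --fail aborts on an HTTP error instead of piping an error page into tar.
          curl -sSfL "$URL" | tar -xz -C /usr/local/bin kingfisher
          chmod +x /usr/local/bin/kingfisher
          # NOTE(review): the archive is placed on PATH without a checksum or
          # signature check; verify it here if the release publishes one.

      - name: Run Kingfisher scan
        # continue-on-error keeps the job green even when the scan exits
        # non-zero, so findings are reported but do not block the workflow.
        continue-on-error: true
        run: |
          kingfisher scan -n -r "${{ github.workspace }}"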