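---
# Filename: .github/workflows/kingfisher-secrets-scan.yaml
#
# Gitea Actions workflow for ACT Runner to scan for leaked secrets using Kingfisher
# (https://github.com/mongodb/kingfisher).
#
# Review notes:
#   * The Kingfisher binary is downloaded from GitHub Releases and then executed
#     over the checked-out repository, so it is part of this pipeline's trust
#     boundary. Set KINGFISHER_VERSION (and KINGFISHER_SHA256) below instead of
#     tracking "latest" so a broken or compromised upstream release cannot
#     silently change what runs in CI.
#   * The scan step is blocking: a non-zero exit from Kingfisher fails the job.
#     Re-adding `continue-on-error: true` turns the check into advisory output
#     that never blocks a merge.
#   * `pull_request` runs execute on the self-hosted act_runner with the PR's
#     checkout (and, depending on Gitea's configuration, the PR's copy of this
#     workflow file). Treat fork PRs as untrusted input to the runner.

name: Scan for leaked secrets using Kingfisher

on:
  push:
  pull_request:
  workflow_dispatch:

# Least privilege for the job token; the scan only reads the repository.
# NOTE(review): Gitea may ignore this key, it is harmless where unsupported.
permissions:
  contents: read

env:
  # Release tag to install, e.g. "v1.2.3". Empty = resolve "latest" at run time,
  # which is convenient but unpinned (the binary can change between runs).
  KINGFISHER_VERSION: ""
  # Optional SHA-256 of kingfisher-linux-<arch>.tgz for this runner's
  # architecture. When set, the download is verified before it is extracted
  # and executed; when empty a warning is emitted and the digest is logged.
  KINGFISHER_SHA256: ""

jobs:
  kingfisher-secrets-scan:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Code
        # Referenced by a mutable major-version tag. Pinning third-party
        # actions to a full commit SHA is the stronger supply-chain control.
        uses: actions/checkout@v5
        # NOTE(review): the default is a shallow clone (fetch-depth: 1). If the
        # scan is expected to cover git history as well, set fetch-depth: 0.

      - name: Resolve Kingfisher release and runner architecture
        id: get_version_arch
        # Outputs: version (release tag), arch (asset suffix), url (download URL).
        run: |
          set -euo pipefail

          # Map kernel architecture names onto the suffixes Kingfisher's
          # release assets use; anything else is unsupported and fails fast.
          ARCH_RAW="$(uname -m)"
          case "$ARCH_RAW" in
            x86_64)  ARCH="x64" ;;
            aarch64) ARCH="arm64" ;;
            *)
              echo "Unsupported architecture: $ARCH_RAW" >&2
              exit 1
              ;;
          esac

          # GitHub's API is queried unauthenticated: a Gitea-issued GITHUB_TOKEN
          # is not valid for api.github.com, so it must not be forwarded.
          # Unauthenticated calls are rate-limited per IP; -f makes a 403/404 a
          # hard failure instead of feeding an error body into jq.
          if [ -n "${KINGFISHER_VERSION}" ]; then
            API_URL="https://api.github.com/repos/mongodb/kingfisher/releases/tags/${KINGFISHER_VERSION}"
          else
            API_URL="https://api.github.com/repos/mongodb/kingfisher/releases/latest"
          fi
          RELEASE_JSON="$(curl -fsSL --retry 3 "$API_URL")"

          # `// empty` keeps a missing tag from becoming the literal string "null".
          VERSION="$(printf '%s' "$RELEASE_JSON" | jq -r '.tag_name // empty')"
          if [ -z "$VERSION" ]; then
            echo "Could not determine Kingfisher release tag from $API_URL" >&2
            exit 1
          fi

          # Select the asset from the same API response that produced the tag,
          # so version and download cannot drift if a release is cut mid-run.
          # The regex is anchored so a similarly named asset (for example a
          # ".tgz.sha256" file) can never be picked instead of the archive.
          URL="$(printf '%s' "$RELEASE_JSON" | jq -r --arg arch "$ARCH" \
            '[.assets[] | select(.name | test("^kingfisher-linux-" + $arch + "\\.tgz$")) | .browser_download_url][0] // empty')"
          if [ -z "$URL" ]; then
            echo "No kingfisher-linux-${ARCH}.tgz asset in release $VERSION" >&2
            exit 1
          fi

          {
            echo "version=$VERSION"
            echo "arch=$ARCH"
            echo "url=$URL"
          } >> "$GITHUB_OUTPUT"
          cat "$GITHUB_OUTPUT"

      - name: Cache kingfisher binary
        id: cache
        uses: actions/cache@v4
        with:
          # Cache only the tool's own directory, never a system path: restoring
          # a cache into /usr/local/bin would let any cached artifact shadow
          # tools the rest of the job relies on, and would snapshot every
          # binary already present there.
          path: ~/.kingfisher/bin
          # Exact-match key only. A prefix `restore-keys` fallback never sets
          # cache-hit=true, so it would only restore a stale binary that the
          # install step overwrites anyway.
          key: ${{ runner.os }}-kingfisher-${{ steps.get_version_arch.outputs.version }}-${{ steps.get_version_arch.outputs.arch }}

      - name: Install kingfisher if cache missed
        if: steps.cache.outputs.cache-hit != 'true'
        env:
          # Step outputs are handed over through the environment instead of
          # being interpolated into the script, so the shell never sees them
          # as code.
          KF_URL: ${{ steps.get_version_arch.outputs.url }}
          KF_ARCH: ${{ steps.get_version_arch.outputs.arch }}
        run: |
          set -euo pipefail
          INSTALL_DIR="$HOME/.kingfisher/bin"
          mkdir -p "$INSTALL_DIR"
          ARCHIVE="$(mktemp)"
          trap 'rm -f "$ARCHIVE"' EXIT

          echo "Downloading Kingfisher from $KF_URL"
          # Download to a file first so the archive can be verified before
          # anything in it is extracted or executed (no curl | tar).
          curl -fsSL --retry 3 -o "$ARCHIVE" "$KF_URL"

          if [ -n "${KINGFISHER_SHA256}" ]; then
            echo "${KINGFISHER_SHA256}  ${ARCHIVE}" | sha256sum -c -
          else
            # Without a pinned digest the download is trusted on TLS alone;
            # say so in the log and record what was actually fetched.
            echo "::warning::KINGFISHER_SHA256 is unset; kingfisher-linux-${KF_ARCH}.tgz was not checksum-verified"
            sha256sum "$ARCHIVE"
          fi

          # Extract only the binary, and only into the per-job tool directory.
          tar -xzf "$ARCHIVE" -C "$INSTALL_DIR" kingfisher
          chmod +x "$INSTALL_DIR/kingfisher"

      - name: Run Kingfisher scan
        # Deliberately not `continue-on-error`: a secrets scanner that cannot
        # fail the job never blocks a leak. Kingfisher signals findings through
        # its exit status (see the installed release's docs for the exact codes).
        run: |
          set -euo pipefail
          KF="$HOME/.kingfisher/bin/kingfisher"

          # Flags are kept from the original invocation. NOTE(review): confirm
          # what the short options -n and -r map to in the installed release
          # and prefer their long forms so the intent is readable here.
          "$KF" scan -n -r "$GITHUB_WORKSPACE" \
            --exclude='composer.lock' \
            --exclude='package-lock.json'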