
Commit 5c1ecf6

committed
ci: add gitleaks secret scanning and GitHub Deployments API
1 parent b9b6581 commit 5c1ecf6


3 files changed

+105
-3
lines changed


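--- /dev/null
+++ b/.github/workflows/gitleaks.yml
@@ -0,0 +1,26 @@
+name: Secret Scanning
+
+on:
+push:
+branches: [main, master, develop]
+pull_request:
+branches: [main, master]
+
+permissions:
+contents: read
+security-events: write
+
+jobs:
+gitleaks:
+name: Gitleaks Secret Detection
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: 0
+- uses: gitleaks/gitleaks-action@v2
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+with:
+config-file: .gitleaks.toml
+fail: true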
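Review bot: Both actions in the `steps:` block are pinned to mutable tags (`actions/checkout@v4`, `gitleaks/gitleaks-action@v2`), so a compromised or force-moved tag would run arbitrary code in a job that has `GITHUB_TOKEN` in its environment; pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: gitleaks/gitleaks-action@<commit-sha> # v2`. Separately, as far as I recall gitleaks-action v2 is configured through environment variables (`GITLEAKS_CONFIG` for the config path) and declares no `config-file` or `fail` inputs, in which case the `with:` block here is ignored with an "Unexpected input(s)" warning and the custom `.gitleaks.toml` never takes effect — worth confirming against the action's `action.yml` before relying on it. `security-events: write` is also granted although nothing in the job uploads SARIF; drop it unless an upload step is added, to keep the token at `contents: read`.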

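--- a/.github/workflows/netlify.yml
+++ b/.github/workflows/netlify.yml
@@ -10,6 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 pull-requests: write
+deployments: write
 steps:
 - uses: actions/checkout@v4
 
@@ -23,11 +24,39 @@ jobs:
 
 - name: Deploy to Netlify (Production)
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-run: npx netlify-cli deploy --dir=public --prod
+id: production
+run: |
+OUTPUT=$(npx netlify-cli deploy --dir=public --prod --json)
+DEPLOY_URL=$(echo "$OUTPUT" | jq -r '.deploy_url')
+echo "deploy_url=$DEPLOY_URL" >> "$GITHUB_OUTPUT"
 env:
 NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
 NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
 
+- name: Register production deployment
+if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+uses: actions/github-script@v7
+with:
+script: |
+const deployment = await github.rest.repos.createDeployment({
+owner: context.repo.owner,
+repo: context.repo.repo,
+ref: context.sha,
+environment: 'production',
+auto_merge: false,
+required_contexts: [],
+transient_environment: false,
+production_environment: true,
+});
+await github.rest.repos.createDeploymentStatus({
+owner: context.repo.owner,
+repo: context.repo.repo,
+deployment_id: deployment.data.id,
+state: 'success',
+environment_url: 'https://easypdf-lite.netlify.app',
+log_url: `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
+});
+
 - name: Deploy to Netlify (Preview)
 if: github.event_name == 'pull_request'
 id: preview
@@ -39,6 +68,31 @@ jobs:
 NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
 NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
 
+- name: Register preview deployment
+if: github.event_name == 'pull_request'
+uses: actions/github-script@v7
+with:
+script: |
+const url = '${{ steps.preview.outputs.deploy_url }}';
+const deployment = await github.rest.repos.createDeployment({
+owner: context.repo.owner,
+repo: context.repo.repo,
+ref: context.payload.pull_request.head.sha,
+environment: 'preview',
+auto_merge: false,
+required_contexts: [],
+transient_environment: true,
+production_environment: false,
+});
+await github.rest.repos.createDeploymentStatus({
+owner: context.repo.owner,
+repo: context.repo.repo,
+deployment_id: deployment.data.id,
+state: 'success',
+environment_url: url,
+log_url: `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
+});
+
 - name: Update PR description with preview URL
 if: github.event_name == 'pull_request'
 uses: actions/github-script@v7
@@ -57,13 +111,11 @@ jobs:
 let body = pr.body || '';
 
 if (body.includes(marker)) {
-// Replace existing preview block
 body = body.replace(
 new RegExp(`${marker}[\\s\\S]*$`),
 previewBlock
 );
 } else {
-// Append preview block
 body = body.trimEnd() + '\n\n' + previewBlock;
 }
 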
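Review bot: In the "Register preview deployment" step, `const url = '${{ steps.preview.outputs.deploy_url }}';` expands a step output straight into the JavaScript source that `actions/github-script` evaluates, so whatever the Netlify CLI returned as `deploy_url` becomes code rather than data, and a value containing a quote or backslash would break or alter the script. Pass it through the environment instead — add `env:` with `PREVIEW_URL: ${{ steps.preview.outputs.deploy_url }}` to the step and read it as `const url = process.env.PREVIEW_URL;` — which is the approach GitHub's script-injection guidance recommends for any externally sourced value. The production deploy step now sets `id: production` and writes a `deploy_url` output, but the "Register production deployment" step never reads it and hard-codes `environment_url: 'https://easypdf-lite.netlify.app'`; either consume the output the same way or drop the unused `id`/`echo` lines so the two paths stay consistent. On the new `run: |` block, `npx netlify-cli` fetches whatever version is current at run time while `NETLIFY_AUTH_TOKEN` is in the environment; pinning `npx netlify-cli@<version>` narrows that exposure. The preview step's own `run:` body, where `deploy_url` is produced, lies outside the visible hunks.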
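--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,24 @@
+title = "Gitleaks Config"
+
+[[rules]]
+id = "github-pat"
+description = "GitHub Personal Access Token"
+regex = '''ghp_[a-zA-Z0-9]{36,}'''
+
+[[rules]]
+id = "generic-api-key"
+description = "Generic API Key"
+regex = '''(?i)(api[_-]?key|apikey|secret[_-]?key)\s*[:=]\s*['"]?([a-zA-Z0-9_\-]{20,})['"]?'''
+
+[[rules]]
+id = "aws-access-key"
+description = "AWS Access Key ID"
+regex = '''AKIA[0-9A-Z]{16}'''
+
+[[rules]]
+id = "stripe-key"
+description = "Stripe API Key"
+regex = '''sk_(live|test)_[a-zA-Z0-9]{24,}'''
+
+[allowlist]
+paths = ['''.git/''', '''node_modules/''', '''vendor/''', '''\.env\.example''']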
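Review bot: This file defines four `[[rules]]` with no `[extend]` section, and a gitleaks config supplied explicitly replaces the built-in ruleset rather than adding to it, so if this config is honoured the scan would detect only classic `ghp_` GitHub tokens, AWS access key IDs, Stripe keys and the generic `api_key=` pattern — private keys, Slack/GCP/Azure credentials, fine-grained `github_pat_` tokens and the rest of the default set would go unreported. Add `[extend]` followed by `useDefault = true` at the top so these rules augment the defaults instead of discarding them. The `generic-api-key` rule captures the credential in group 2 but sets no `secretGroup = 2`, so the whole match including the `api_key=` prefix is what gets reported and fingerprinted. In `[allowlist]`, `paths` entries are regular expressions, so `'''.git/'''` should be `'''\.git/'''` to match the escaping already used for `\.env\.example`.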
