Merge pull request vavkamil#58 from vavkamil/vavkamil/test-ci

chore(ci): Update Stargazers check

Author: vavkamil

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,16 @@
+# Description
+
+Please explain the changes you made here:
+
+- foo
+
+## Notes
+
+Please add screenshots or some additional context if you believe it is needed.
+
+## Checklist
+
+- [ ] Only GitHub links to open-source repos are added
+- [ ] No duplicate links are added
+- [ ] All repos exist and are public
+- [ ] All repos have at least 50 stars

.github/dependabot.yml

@@ -0,0 +1,25 @@
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+      time: "09:00"
+      timezone: "Europe/Prague"
+    assignees:
+      - "vavkamil"
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+      time: "09:00"
+      timezone: "Europe/Prague"
+    assignees:
+      - "vavkamil"
+    cooldown:
+      default-days: 7

.github/workflows/security-zizmor.yml

@@ -0,0 +1,39 @@
+# https://github.com/woodruffw/zizmor
+
+name: Security
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+
+permissions: {}
+
+jobs:
+  zizmor:
+    # name: zizmor via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/[email protected]
+        with:
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.10.4'
+
+      - name: Install Zizmor
+        run: |
+          python -m pip install --upgrade pip
+          pip install $(grep '^zizmor==' requirements.txt)
+
+      - name: Run Zizmor
+        run: zizmor .github/workflows

.github/workflows/stargazers.yml

@@ -17,37 +17,120 @@ jobs:
       - name: Checkout repository
         uses: actions/[email protected]
         with:
-          fetch-depth: 0  # we need history for diff
+          fetch-depth: 0
+          persist-credentials: false
 
       - name: Fetch base branch
         run: |
-          git fetch origin ${{ github.base_ref }} --depth=1
+          git fetch origin main --depth=1
 
-      - name: Extract newly added GitHub repo links
+      - name: Extract newly added URLs and GitHub repo links
         run: |
           # Show diff between base branch and PR HEAD, only for README
-          git diff --unified=0 origin/${{ github.base_ref }}...HEAD -- README.md > diff.txt
+          git diff --unified=0 origin/main...HEAD -- README.md > diff.txt
 
-          # Extract only added (+) lines that contain github.com, strip the leading '+'
-          # Then use a simple regex-ish sed to grab the URL
-          sed -n 's/^+.*\(https:\/\/github.com\/[^ )]*\).*/\1/p' diff.txt \
-            | sort -u > new_links.txt
+          # Extract ALL added https:// URLs from added (+) lines
+          sed -n 's/^+.*\(https:\/\/[^ )]*\).*/\1/p' diff.txt \
+            | sort -u > added_urls.txt || true
+          touch added_urls.txt
 
-          echo "New links found:"
+          # Extract only GitHub URLs from the added URLs
+          grep '^https://github\.com/' added_urls.txt > new_links.txt || true
+          touch new_links.txt
+
+          echo "All added URLs:"
+          cat added_urls.txt || echo "None"
+
+          echo "New GitHub links:"
           cat new_links.txt || echo "None"
 
-      - name: Check stars for new links (unauthenticated)
+          # Extract ALL GitHub URLs from the current README (after PR changes)
+          grep -o 'https://github.com/[^ )]*' README.md > all_github_urls.txt || true
+          touch all_github_urls.txt
+
+          # Normalize all GitHub URLs in README to owner/repo
+          sed -E 's#https://github.com/([^/]+/[^/]+).*#\1#' all_github_urls.txt \
+            | sed '/^$/d' \
+            | sort > all_repos.txt || true
+          touch all_repos.txt
+
+          # Normalize only newly added GitHub URLs to owner/repo
+          sed -E 's#https://github.com/([^/]+/[^/]+).*#\1#' new_links.txt \
+            | sed '/^$/d' \
+            | sort -u > new_repos.txt || true
+          touch new_repos.txt
+
+          echo "All GitHub repositories in README (normalized):"
+          cat all_repos.txt || echo "None"
+
+          echo "New GitHub repositories (normalized):"
+          cat new_repos.txt || echo "None"
+
+      - name: Warn on non-GitHub links
+        run: |
+          # Any URLs not starting with https://github.com/
+          grep -v '^https://github\.com/' added_urls.txt > non_github.txt || true
+          touch non_github.txt
+
+          if [ -s non_github.txt ]; then
+            echo "::warning ::Detected added URLs that are NOT GitHub repository links:"
+            cat non_github.txt
+          else
+            echo "No non-GitHub URLs detected."
+          fi
+
+      - name: Detect duplicate GitHub repositories
+        run: |
+          # Prepare file for duplicate repos
+          : > duplicates.txt
+
+          # For each newly added repo, check how many times it appears in all_repos.txt
+          while read -r repo; do
+            [ -z "$repo" ] && continue
+            count=$(grep -c "^$repo$" all_repos.txt || true)
+            if [ "$count" -gt 1 ]; then
+              echo "$repo" >> duplicates.txt
+            fi
+          done < new_repos.txt
+
+          if [ -s duplicates.txt ]; then
+            echo "::warning ::The following GitHub repositories are duplicated in README.md:"
+            sort -u duplicates.txt
+          else
+            echo "No duplicate GitHub repositories detected."
+          fi
+
+      - name: Check stars for new GitHub links (unauthenticated)
         run: |
           set -euo pipefail
 
+          exit_code=0
+
+          # If there were any non-GitHub URLs, treat that as an error condition
+          if [ -s non_github.txt ]; then
+            echo "::error ::Non-GitHub URLs were added in README.md; only GitHub repositories are allowed."
+            cat non_github.txt
+            exit_code=1
+          fi
+
+          # If there were duplicate GitHub repos, treat that as an error condition
+          if [ -s duplicates.txt ]; then
+            echo "::error ::Duplicate GitHub repositories detected in README.md:"
+            sort -u duplicates.txt
+            exit_code=1
+          fi
+
+          # Now check each new GitHub repository link
           while read -r url; do
             [ -z "$url" ] && continue
 
+            # Normalize to owner/repo from the URL
             repo="$(printf '%s\n' "$url" | sed -E 's#https://github.com/([^/]+/[^/]+).*#\1#')"
             [ -z "$repo" ] && continue
 
             echo "Checking $repo"
 
+            # Unauthenticated GitHub API call
             resp=$(curl -s "https://api.github.com/repos/$repo")
             msg=$(echo "$resp" | jq -r '.message // empty')
 
@@ -66,4 +149,4 @@ jobs:
             fi
           done < new_links.txt
 
-          exit ${exit_code:-0}
+          exit "$exit_code"

README.md

@@ -418,6 +418,7 @@
 - [cariddi](https://github.com/edoardottt/cariddi) - Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more...
 - [SecretFinder](https://github.com/m4ll0k/SecretFinder) - A python script for finding sensitive data (apikeys, accesstoken,jwt,..) and search anything on javascript files.
 - [js-snitch](https://github.com/vavkamil/js-snitch) - Scans remote JavaScript files with Trufflehog + Semgrep to detect leaked secrets.
+- [keyhacks](https://github.com/streaak/keyhacks) - KeyHacks shows methods to validate different API keys found on a Bug Bounty Program or a pentest.
 
 
 ### Git
@@ -428,6 +429,7 @@
 - [GitHunter](https://github.com/digininja/GitHunter) - A tool for searching a Git repository for interesting content
 - [dvcs-ripper](https://github.com/kost/dvcs-ripper) - Rip web accessible (distributed) version control systems: SVN/GIT/HG...
 - [Gato (Github Attack TOolkit)](https://github.com/praetorian-inc/gato) - GitHub Self-Hosted Runner Enumeration and Attack Tool 
+- [zizmor](https://github.com/zizmorcore/zizmor) - Static analysis tool for GitHub Actions 
 
 ### Buckets
 

requirements.txt

@@ -0,0 +1 @@
+zizmor==1.16.1