Replace action/upload-artifact with a more secure alternative

ssbarnea · ssbarnea · commit 158575f71ae5 · 2025-06-05T12:55:11.000+01:00
Related: AAP-46204
diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml
@@ -200,8 +200,8 @@ jobs:
         if: ${{ inputs.run_post }}
         run: ${{ inputs.run_post }}
 
-      - name: Archive logs and coverage data
-        uses: actions/upload-artifact@v4
+      - name: Archive logs and coverage data (secured)
+        uses: coactions/upload-artifact@fix/multi-folders
         with:
           name: logs-${{ matrix.name }}.zip
           include-hidden-files: true
@@ -225,6 +225,7 @@ jobs:
             # shellcheck disable=SC2016
             echo -n '::error file=git-status::'
             printf '### Failed as git reported modified and/or untracked files\n```\n%s\n```\n' "$(git status -s)" | tee -a "$GITHUB_STEP_SUMMARY"
+            git diff
             exit 99
           fi
   # https://github.com/actions/toolkit/issues/193
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -36,3 +36,11 @@ repos:
       - id: ansible-lint
         language_version: "3.12"
         args: [--fix]
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.27.0
+    hooks:
+      - id: gitleaks
+        name: Look for leaked decrets in all files, including build logs
+        entry: gitleaks dir -v --redact=100 --no-banner --max-archive-depth=2 .
+        pass_filenames: false
+        always_run: true
diff --git a/tox.ini b/tox.ini
@@ -63,8 +63,6 @@ uv_seed = true
 [testenv:docs]
 description = Build docs
 extras = docs
-passenv =
-    *
 setenv =
   # see https://github.com/tox-dev/tox/issues/2092#issuecomment-2538729079
   # see https://github.com/Kozea/CairoSVG/issues/392#issuecomment-2538707712
