Replace action/upload-artifact with a more secure alternative

ssbarnea · ssbarnea · commit 525247167b01 · 2025-06-05T12:22:33.000+01:00
Related: AAP-46204
diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml
@@ -175,8 +175,9 @@ jobs:
               echo "$SCRIPTS_DIR" >> $GITHUB_PATH
               echo "Added $SCRIPTS_DIR to PATH to avoid further issues."
           fi
-          python3 -m pip install --disable-pip-version-check --upgrade --user --break-system-packages pip uv 'tox>=4.23.2' 'tox-uv>=1.16.0'
+          python3 -m pip install --disable-pip-version-check --upgrade --user --break-system-packages pip uv 'tox>=4.23.2' 'tox-uv>=1.16.0' tox-extra
           which -a uv pip tox
+          python3 -m pip install git+https://github.com/tox-dev/tox.git@fix/3542
           echo "uv tool update-shell"
           tox --version
           echo "Log installed dists"
@@ -200,8 +201,8 @@ jobs:
         if: ${{ inputs.run_post }}
         run: ${{ inputs.run_post }}
 
-      - name: Archive logs and coverage data
-        uses: actions/upload-artifact@v4
+      - name: Archive logs and coverage data (secured)
+        uses: coactions/upload-artifact@fix/multi-folders
         with:
           name: logs-${{ matrix.name }}.zip
           include-hidden-files: true
@@ -225,6 +226,7 @@ jobs:
             # shellcheck disable=SC2016
             echo -n '::error file=git-status::'
             printf '### Failed as git reported modified and/or untracked files\n```\n%s\n```\n' "$(git status -s)" | tee -a "$GITHUB_STEP_SUMMARY"
+            git diff
             exit 99
           fi
   # https://github.com/actions/toolkit/issues/193
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -36,3 +36,11 @@ repos:
       - id: ansible-lint
         language_version: "3.12"
         args: [--fix]
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.27.0
+    hooks:
+      - id: gitleaks
+        name: Look for leaked decrets in all files, including build logs
+        entry: gitleaks dir -v --redact=100 --no-banner --max-archive-depth=2 .
+        pass_filenames: false
+        always_run: true
diff --git a/tox.ini b/tox.ini
@@ -63,8 +63,6 @@ uv_seed = true
 [testenv:docs]
 description = Build docs
 extras = docs
-passenv =
-    *
 setenv =
   # see https://github.com/tox-dev/tox/issues/2092#issuecomment-2538729079
   # see https://github.com/Kozea/CairoSVG/issues/392#issuecomment-2538707712
