|
1 | 1 | name: Secret and Artifact Leakage Test |
2 | 2 |
|
3 | 3 | on: |
4 | | - workflow_dispatch: # 手动触发 |
| 4 | + workflow_dispatch: |
5 | 5 |
|
6 | 6 | jobs: |
7 | | - test: |
| 7 | + test-cache: |
8 | 8 | runs-on: self-hosted |
9 | 9 | steps: |
10 | | - # 1. 检出代码仓库 |
11 | 10 | - name: Checkout Repository |
12 | 11 | uses: actions/checkout@v2 |
13 | 12 |
|
14 | | - # 2. 缓存 Node.js 依赖(如果有 package-lock.json) |
15 | | - - name: Cache Node modules |
| 13 | + - name: Cache pip packages |
16 | 14 | uses: actions/cache@v4 |
17 | 15 | with: |
18 | | - path: node_modules |
19 | | - key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }} |
| 16 | + path: .pip_cache |
| 17 | + key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }} |
20 | 18 |
|
21 | | - # 3. 设置 Node.js 环境 |
22 | | - - name: Setup Node.js |
23 | | - uses: actions/setup-node@v2 |
24 | | - with: |
25 | | - node-version: '14' |
26 | | - |
27 | | - # 4. 安装 npm 依赖(如果 package.json 存在) |
28 | | - - name: Install npm dependencies |
29 | | - run: | |
30 | | - if [ -f package.json ]; then |
31 | | - npm install |
32 | | - else |
33 | | - echo "No package.json found. Skipping npm install." |
34 | | - fi |
35 | | -
|
36 | | - # 5. 安全使用 Secret:通过环境变量引用 |
37 | | - - name: Safe Secret Usage (Env Variable) |
| 19 | + - name: Install Python Dependencies |
38 | 20 | env: |
39 | | - DB_PASSWORD: ${{ secrets.DB_PASSWORD }} |
40 | | - run: | |
41 | | - echo "Safe usage: DB_PASSWORD is $DB_PASSWORD" |
42 | | -
|
43 | | - # 6. 不安全使用 Secret:直接作为参数传递 |
44 | | - - name: Unsafe Secret Usage (Inline) |
45 | | - run: echo "Unsafe usage-- DB_PASSWORD is ${{ secrets.DB_PASSWORD }}" |
46 | | - |
47 | | - # 7. 测试 Secret 掩码策略(新增部分)################################ |
48 | | - - name: Test Secret Masking - Env Variable (TEST) |
49 | | - env: |
50 | | - TEST: ${{ secrets.TEST }} |
51 | | - run: | |
52 | | - echo "TEST 的值(环境变量): $TEST" |
53 | | -
|
54 | | - - name: Test Secret Masking - Concatenated (DB_PASSWORD + 'b') |
55 | | - run: | |
56 | | - echo "DB_PASSWORD + 'b': ${{ secrets.DB_PASSWORD }}b" |
57 | | -
|
58 | | - - name: Test Secret Masking - Base64 Encoded |
59 | | - run: | |
60 | | - echo "Base64(DB_PASSWORD): $(echo -n ${{ secrets.DB_PASSWORD }} | base64 -w0)" |
61 | | -
|
62 | | - # 8. 使用第三方 Action 示例(新增)################################ |
63 | | - - name: HTTP Request Example |
64 | | - uses: fjogeleit/http-request-action@v1 |
65 | | - with: |
66 | | - url: 'https://httpbin.org/get' |
67 | | - method: 'GET' |
68 | | - |
69 | | - # 9. 将 Secret 写入文件(原步骤 7) |
70 | | - - name: Write Secret to File |
71 | | - run: echo "Secret in file-- ${{ secrets.DB_PASSWORD }}" > secret.txt |
72 | | - |
73 | | - # 10. 上传包含 Secret 的文件作为 Artifact(原步骤 8) |
74 | | - - name: Upload Secret File Artifact |
75 | | - uses: actions/upload-artifact@v4 |
76 | | - with: |
77 | | - name: secret-artifact |
78 | | - path: secret.txt |
79 | | - |
80 | | - # 11. Docker 构建(原步骤 12) |
81 | | - - name: Build Docker Image |
| 21 | + PIP_CACHE_DIR: .pip_cache |
82 | 22 | run: | |
83 | | - if [ -f Dockerfile ]; then |
84 | | - docker build -t secret-tester:latest . |
| 23 | + if [ -f requirements.txt ]; then |
| 24 | + pip install --cache-dir .pip_cache -r requirements.txt |
85 | 25 | else |
86 | | - echo "No Dockerfile found. Skipping Docker build." |
| 26 | + echo "No requirements.txt found. Skipping pip install." |
87 | 27 | fi |
88 | | -
|
89 | | - # 12. 将构建的 Docker 镜像保存为 tar 包(原步骤 13) |
90 | | - - name: Save Docker Image to Tarball |
91 | | - run: | |
92 | | - if docker image inspect secret-tester:latest > /dev/null 2>&1; then |
93 | | - docker save secret-tester:latest -o secret-tester.tar |
94 | | - else |
95 | | - echo "Docker image not built. Skipping save." |
96 | | - fi |
97 | | -
|
98 | | - # 13. 上传 Docker 镜像 tar 包作为 Artifact(原步骤 14) |
99 | | - - name: Upload Docker Image Artifact |
100 | | - uses: actions/upload-artifact@v4 |
101 | | - with: |
102 | | - name: docker-image-artifact |
103 | | - path: secret-tester.tar |
104 | | - |
105 | | - # 14. 推送 Docker 镜像到 GitHub Container Registry(原步骤 15) |
106 | | - - name: Push Docker Image to GHCR |
107 | | - env: |
108 | | - CR_PAT: ${{ secrets.CR_PAT }} |
109 | | - run: | |
110 | | - echo $CR_PAT | docker login ghcr.io -u ${{ github.actor }} --password-stdin |
111 | | - docker images |
112 | | - docker tag secret-tester:latest ghcr.io/${{ github.repository_owner }}/secret-tester:latest |
113 | | - docker images |
114 | | - docker push ghcr.io/${{ github.repository_owner }}/secret-tester:latest |
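Review bot: Both actions in the new job are referenced by mutable tag — `actions/checkout@v2` in the Checkout step and `actions/cache@v4` in the Cache pip packages step — so the code that executes on the self-hosted runner can change without any change to this file; pin each to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v4`. `actions/checkout@v2` is also a superseded major version whose Node runtime GitHub has deprecated, so move to the current major while pinning. The install step then runs `pip install --cache-dir .pip_cache -r requirements.txt` against a cache keyed only on `runner.os` and the hash of requirements.txt, without `--require-hashes`, so it relies on the restored `.pip_cache` contents being trustworthy; if this runner or cache scope is shared with other branches or workflows, consider `pip install --require-hashes -r requirements.txt` with `--hash` entries in requirements.txt. `PIP_CACHE_DIR: .pip_cache` under `env` and `--cache-dir .pip_cache` on the command line express the same setting; keep one of them.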