enhancement: flexible checksums #78
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Git Secrets Scan | |
| on: | |
| pull_request: | |
| branches: | |
| - master | |
| jobs: | |
| git-secrets-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Git Secrets | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y git | |
| git clone https://github.com/awslabs/git-secrets.git | |
| cd git-secrets | |
| sudo make install | |
| cd .. | |
| git secrets --install | |
| git secrets --register-aws | |
| - name: Fetch previous commit | |
| run: | | |
| git fetch origin +refs/heads/${{ github.base_ref }}:refs/remotes/origin/${{ github.base_ref }} | |
| export DIFF=$(git diff origin/${{ github.base_ref }} HEAD) | |
| echo "${DIFF}" > diff.txt | |
| - name: Filter out skipped patterns | |
| run: | | |
| skippedPrefixes=( | |
| 'src/data/s3control/2018-08-20/endpoint-tests-1.json.php' | |
| 'src/data/dynamodb/2011-12-05/endpoint-tests-1.json.php' | |
| 'src/data/dynamodb/2012-08-10/endpoint-tests-1.json.php' | |
| 'tests/DynamoDb/MarshalerTest.php' | |
| '- ' | |
| '\[ERROR\]' | |
| '\\n' | |
| 'PHP_EOL' | |
| 'Possible' | |
| '/usr/local/bin/git-secrets:' | |
| 'tests/S3Control' | |
| 'tests/Arn' | |
| ) | |
| skippedRegexes=( | |
| '/examples-/' | |
| '/UpdateDataSourceRequest\$Credentials/' | |
| '/"AccountId": "123456789012"/' | |
| '/"AccountId": "999999999999"/' | |
| '/"AccountId": "012345678901"/' | |
| '/"AWS::Auth::AccountId": "012345678901"/' | |
| '/123456789012/' | |
| '/999999999999/' | |
| '/"Username": "username"/' | |
| '/"Password": "password"/' | |
| '/RegisterUserResponse\$UserInvitationUrl/' | |
| ) | |
| # Filter out lines matching skipped prefixes | |
| for prefix in "${skippedPrefixes[@]}"; do | |
| sed -i "\|${prefix}|d" diff.txt | |
| done | |
| # Filter out lines matching skipped regexes | |
| for regex in "${skippedRegexes[@]}"; do | |
| sed -i -E "${regex}d" diff.txt | |
| done | |
| - name: Run Git Secrets scan on filtered diff | |
| run: | | |
| if [ -s diff.txt ]; then | |
| cat diff.txt | git secrets --scan - 2>&1 | |
| status=$? | |
| if [ $status -ne 0 ]; then | |
| exit $status | |
| fi | |
| else | |
| echo "No differences found." | |
| fi |