secretlint #1
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PR単位で差分があるファイルに対してSecretlint(シークレットスキャンツール)を実行し、 | |
| # アクセストークンなど秘匿すべき値をPRコメントで指摘するワークフローです | |
| # 詳細は以下のドキュメントをご参照ください | |
| # https://andpad-dev.esa.io/posts/8984 | |
| name: secretlint | |
| on: | |
| pull_request | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| secretlint: | |
| name: secretlint | |
| runs-on: ubuntu-latest | |
| # Skip any PR created by dependabot to avoid permission issues | |
| if: (github.actor != 'dependabot[bot]') | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| with: | |
| fetch-depth: 0 | |
| - uses: reviewdog/action-setup@8e48baae926e97848f0863ae248f3b08e089c81f # v1.0.5 | |
| - id: changed-files | |
| uses: tj-actions/changed-files@54849deb963ca9f24185fb5de2965e002d066e6b # v37.0.5 | |
| - name: Run secretlint | |
| env: | |
| REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| docker run \ | |
| -v $(pwd):/workdir \ | |
| -w /workdir \ | |
| secretlint/secretlint:v7.0.2@sha256:f0b1a4944a6a0f3d6a494c063b807ff6febc762f6fdf52466b2b8e3b278966d2 \ | |
| secretlint --format checkstyle ${{ steps.changed-files.outputs.all_changed_files }} \ | |
| | sed 's#="/workdir/#="#g' \ | |
| | reviewdog -f=checkstyle -reporter=github-pr-review -diff="git diff FETCH_HEAD" |