Skip to content

Sync Secret Scanning data #79

Sync Secret Scanning data

Sync Secret Scanning data #79

name: Sync Secret Scanning data
# **What it does**: This updates the data used by the secret scanning patterns page.
# **Why we have it**: To automate updates to the secret scanning pattern data in our public-facing documentation.
# **Who does it impact**: Docs engineering, content writers.
on:
workflow_dispatch:
schedule:
- cron: '20 16 * * *' # Run every day at 16:20 UTC / 8:22 PST
permissions:
contents: write
pull-requests: write
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
cancel-in-progress: true
jobs:
update-secret-scanning-file:
if: github.repository == 'github/docs-internal'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: ./.github/actions/node-npm-setup
- name: Sync secret scanning data
id: secret-scanning-sync
env:
# need to use a token from a user with access to
# github/token-scanning-service for this step
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
run: |
npm run sync-secret-scanning
- name: Create a pull request
env:
# Needed for gh
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
run: |
# If nothing to commit, exit now. It's fine.
changes=$(git diff --name-only | wc -l)
untracked=$(git status --untracked-files --short | wc -l)
if [[ $changes -eq 0 ]] && [[ $untracked -eq 0 ]]; then
echo "There are no changes to commit. Exiting..."
exit 0
fi
git config --global user.name "docs-bot"
git config --global user.email "[email protected]"
branchname=sync-secret-scanning-${{ steps.secret-scanning-sync.outputs.sha }}
remotesha=$(git ls-remote --heads origin $branchname)
if [ -n "$remotesha" ]; then
# output is not empty, it means the remote branch exists
echo "Branch $branchname already exists in 'github/docs-internal'. Exiting..."
exit 0
fi
git checkout -b $branchname
git add .
git commit -m "Add updated secret scanning data"
git push origin $branchname
echo "Creating pull request..."
gh pr create \
--title "Sync secret scanning data" \
--body '👋 humans. This PR updates the secret scanning data with the latest changes from github/token-scanning-service.
/cc @github/docs-content-security-products
If CI does not pass or other problems arise, contact #docs-engineering on Slack.' \
--repo github/docs-internal \
--label secret-scanning-pipeline,'skip FR board',ready-for-doc-review
- uses: ./.github/actions/slack-alert
if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
with:
slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}