Commit
Simplify secrets scanning workflow - get rid of the "skip duplicate run" check and remove unused / undefined input parameter. Also add additional "shallow repo" check / safeguard.
tomaz-s1 committed Jul 6, 2023
1 parent a3d189f commit ea6a226
Showing 1 changed file with 11 additions and 18 deletions.
29 changes: 11 additions & 18 deletions .github/workflows/secrets-scanner.yaml
Expand Up @@ -10,35 +10,29 @@ on:
- cron: '0 4 * * *'

permissions:
actions: write # Needed for skip-duplicate-jobs job
contents: read

jobs:
# Special job which automatically cancels old runs for the same branch, prevents runs for the
# same file set which has already passed, etc.
pre_job:
name: Skip Duplicate Jobs Pre Job
runs-on: ubuntu-latest
outputs:
should_skip: ${{ steps.skip_check.outputs.should_skip }}
steps:
- id: skip_check
uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281 # v5.3.0
with:
cancel_others: 'true'
github_token: ${{ github.token }}

TruffleHog:
runs-on: ubuntu-latest
needs: pre_job
if: ${{ needs.pre_job.outputs.should_skip != 'true' || github.ref_name == 'master' }}

steps:
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 0

# Special check which ensures that the clone performed above is not shallow. We need the
# complete git history for scanning to work correctly in all the situations. In some cases
# if a shallow clone is used, trufflehog won't not fail with an error, but it would simply
# not detect any files and that could be dangerous.
- name: Shallow repo check
run: |
if git rev-parse --is-shallow-repository | grep -q "true"; then
echo "Encountered a shallow repository, trufflehog may not work as expected!"
exit 1
fi
- name: scan-pr
uses: trufflesecurity/trufflehog@main
if: ${{ github.event_name == 'pull_request' }}
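Review bot: with the skip-duplicate-jobs `pre_job` removed, the `actions: write # Needed for skip-duplicate-jobs job` permission has no remaining justification; if that line survives this hunk, drop it so the workflow runs with `contents: read` only. Pinning is also left inconsistent: the deleted `fkirc/skip-duplicate-actions` step was pinned to a full commit SHA with a version comment, while the steps that remain use mutable refs (`actions/checkout@v3` here, `trufflesecurity/trufflehog@main` below), so a change on that branch runs with access to the complete history this workflow deliberately fetches; pin both the same way the removed step was. The shallow-repository safeguard is a good addition; two nits: the new comment reads "won't not fail" (should be "won't fail"), and `if [ "$(git rev-parse --is-shallow-repository)" = "true" ]; then` avoids the grep pipeline and reads more directly.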
Expand All @@ -47,7 +41,6 @@ jobs:
base: ${{ github.event.repository.default_branch }}
head: HEAD
extra_args: --debug --only-verified
--exclude-paths=${{ inputs.exclude-paths }}

- name: scan-push
uses: trufflesecurity/trufflehog@main
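Review bot: removing `--exclude-paths=${{ inputs.exclude-paths }}` is the right fix, since the `inputs` context is only populated for `workflow_dispatch` and `workflow_call` triggers and this workflow runs on `pull_request`, push and the cron schedule, so the flag expanded to an empty value; if path exclusions are still wanted, point `--exclude-paths` at a patterns file committed to the repository rather than a workflow input. Separately, `--debug` stays in `extra_args` on a job whose purpose is to surface secrets; debug output increases what lands in the CI log, so consider dropping it unless the extra verbosity is actively needed.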

0 comments on commit ea6a226