straw/.forgejo/workflows/gitleaks.yml
Cobb e34fbd457b
Some checks failed
build-apk / build-and-publish (push) Successful in 8m20s
gitleaks / scan (push) Failing after 1s
ci: restore Forgejo build+publish + gitleaks workflows (infra-clean)
The OSS public-scrub removed .forgejo/workflows/ wholesale — it only needed
to parameterize the two infra literals in the publish step. Restored both
workflows; the publish target (root@host) and its SSH host-key now come from
Forgejo repo secrets (STRAW_PUBLISH_TARGET / STRAW_LUCY_HOSTKEY) instead of
literals, so the public workflow carries zero infra topology. Everything else
was already clean: signing keystore + deploy key are secrets, the actual
publish is a forced-command on the host (not in this YAML), and the runner
label / build image / signer fingerprint are non-sensitive.

Restores push-triggered CI: build assembleDebug in the straw-build image,
verify signer bb9ca96b, publish to fdroid. This push also builds vc=91.
2026-07-04 12:29:06 -07:00

40 lines
1.3 KiB
YAML

# .forgejo/workflows/gitleaks.yml
#
# Sulkta canonical gitleaks workflow. Drop a copy into every public repo at
# `.forgejo/workflows/gitleaks.yml` after the Forgejo act_runner is registered
# (task #295).
#
# Pairs with the pre-receive hook installed on every bare repo — that one is
# the strict enforcement layer (rejects the push); this one provides the
# per-PR red ✗ that branch-protection rules can require before merge.
#
# Layer 1 (this workflow): visible per-PR status, can be a required check.
# Layer 2 (pre-receive hook): strict enforcement at the server.
# Layer 3 (johnny5 cron sweep): nightly full-history sweep across all repos.
name: gitleaks
on:
push:
pull_request:
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
# Full history — gitleaks needs depth to scan a commit range.
fetch-depth: 0
- name: install gitleaks
run: |
curl -sSL -o gl.tar.gz \
https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz
tar xzf gl.tar.gz gitleaks
chmod +x gitleaks
./gitleaks version
- name: scan
run: |
./gitleaks detect --source . --no-banner --redact --verbose