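# .forgejo/workflows/gitleaks.yml
#
# Sulkta canonical gitleaks workflow. Drop a copy into every public repo at
# `.forgejo/workflows/gitleaks.yml` after the Forgejo act_runner is registered
# (task #295).
#
# Pairs with the pre-receive hook installed on every bare repo — that one is
# the strict enforcement layer (rejects the push); this one provides the
# per-PR red ✗ that branch-protection rules can require before merge.
#
# Layer 1 (this workflow): visible per-PR status, can be a required check.
# Layer 2 (pre-receive hook): strict enforcement at the server.
# Layer 3 (johnny5 cron sweep): nightly full-history sweep across all repos.
#
# Supply-chain notes for reviewers of this file:
#   - The gitleaks binary is fetched from a GitHub release at job time. Its
#     SHA-256 is pinned below so a swapped, truncated or redirected tarball
#     fails the job instead of being executed on the runner.
#   - actions/checkout is referenced by the mutable `v4` tag. Pinning it to a
#     full commit SHA would make that step immutable too; it is left as-is here
#     because no SHA is on record in this file.

---
name: gitleaks

on:  # yamllint disable-line rule:truthy
  push:
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history — gitleaks needs depth to scan a commit range.
          fetch-depth: 0

      - name: install gitleaks
        # Both the release version and the tarball digest are pinned. The
        # digest placeholder MUST be replaced with the value published for
        # this release before the workflow is merged; until then the step
        # fails closed (sha256sum rejects the malformed line) rather than
        # running an unverified download.
        env:
          GITLEAKS_VERSION: "8.21.2"
          GITLEAKS_SHA256: "<PLACEHOLDER: sha256 of gitleaks_8.21.2_linux_x64.tar.gz from the release checksums>"
        run: |
          set -euo pipefail
          # -f: a 4xx/5xx response fails here instead of leaving an HTML error
          # page in gl.tar.gz for tar to choke on later.
          curl -fsSL -o gl.tar.gz \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          # Verify the download against the pinned digest before extracting.
          echo "${GITLEAKS_SHA256}  gl.tar.gz" | sha256sum -c -
          tar xzf gl.tar.gz gitleaks
          chmod +x gitleaks
          ./gitleaks version

      - name: scan
        # --redact keeps the matched secret value out of the CI log (the log
        # is visible to anyone who can see the repo, so an unredacted finding
        # would itself be a leak); --verbose still prints rule, file and line
        # so the finding is actionable.
        run: |
          ./gitleaks detect --source . --no-banner --redact --verbose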