GuilhermeStracini/POC-dotnet-CQRS

View on GitHub
.github/workflows/infisical-secrets-check.yml

Summary

Maintainability
Test Coverage
name: Infisical secrets check

on:
  workflow_dispatch:
  pull_request:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  
  secrets-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:

      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set Infisical package source
        shell: bash
        run: curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
      
      - name: Install tools
        shell: bash
        run: | 
          sudo apt-get update && sudo apt-get install -y infisical
          pip install csvkit
          npm install -g csv-to-markdown-table
      
      - name: Run scan
        shell: bash
        run: infisical scan --redact -f csv -r secrets-result-raw.csv 2>&1 | tee >(sed -r 's/\x1b\[[0-9;]*m//g' >secrets-result.log)

      - name: Generate report
        shell: bash
        if: failure()
        run: |
          if [[ -s secrets-result-raw.csv ]]; then
            csvformat -M $'\r' secrets-result-raw.csv | sed -e ':a' -e 'N;$!ba' -e 's/\n/\\n/g' | tr '\r' '\n' | head -n 11 >secrets-result.csv
            csv-to-markdown-table --delim , --headers <secrets-result.csv >secrets-result.md
          fi

      - name: Upload artifacts secrets-result.log
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: report-log
          path: secrets-result.log

      - name: Upload artifacts secrets-result.csv
        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: report-csv
          path: secrets-result.csv

      - name: Upload artifacts secrets-result.md
        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: report-md
          path: secrets-result.md

      - name: Read secrets-result.log
        uses: guibranco/github-file-reader-action-v2@v2.2.709
        if: always()
        id: log
        with:
         path: secrets-result.log

      - name: Read secrets-result.md
        uses: guibranco/github-file-reader-action-v2@v2.2.709
        if: failure()
        id: report
        with:
         path: secrets-result.md

      - name: Update PR with comment
        uses: mshick/add-pr-comment@v2
        if: always()
        with:
          refresh-message-position: true
          message-id: 'secrets-result'
          message: |
            **Infisical secrets check:** :white_check_mark: No secrets leaked!

            **Scan results:**
            ```
            ${{ steps.log.outputs.contents }}
            ```
          message-failure: |
            **Infisical secrets check:** :rotating_light: Secrets leaked!     
            
            **Scan results:**
            ```
            ${{ steps.log.outputs.contents }}
            ```

            <details>
              <summary>🔎 Detected secrets in your GIT history</summary>
            
              ${{ steps.report.outputs.contents }}
            
            </details>
          message-cancelled: |
            **Infisical secrets check:** :o: Secrets check cancelled!