.github/workflows/infisical-secrets-check.yml
name: Infisical secrets check
on:
workflow_dispatch:
pull_request:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
secrets-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set Infisical package source
shell: bash
run: curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
- name: Install Infisical
shell: bash
run: |
sudo apt-get update && sudo apt-get install -y infisical
- name: Run scan
shell: bash
run: infisical scan --redact -f csv -r secrets-result.csv 2>&1 | tee >(sed -r 's/\x1b\[[0-9;]*m//g' > secrets-result.log)
- name: Read secrets-result.log
uses: guibranco/github-file-reader-action-v2@v2.1.535
if: always()
id: log
with:
path: secrets-result.log
- name: Read secrets-result.log
uses: guibranco/github-file-reader-action-v2@v2.1.535
if: failure()
id: report
with:
path: secrets-result.csv
- name: Update PR with comment
uses: mshick/add-pr-comment@v2
if: always()
with:
refresh-message-position: true
message-id: 'secrets-result'
message: |
**Infisical secrets check:** :white_check_mark: No secrets leaked!
**Scan results:**
```
${{ steps.log.outputs.contents }}
```
message-failure: |
**Infisical secrets check:** :rotating_light: Secrets leaked!
**Scan results:**
```
${{ steps.log.outputs.contents }}
```
**Scan report:**
```
${{ steps.report.outputs.contents }}
```
message-cancelled: |
**Infisical secrets check:** :o: Secrets check cancelled!