ci: PLT-770: update gitleks

farioas · farioas · commit ac17bc849f3b · 2025-05-30T10:54:26.000+01:00
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -0,0 +1,84 @@
+name: "Gitleaks"
+
+on:
+  push:
+    branches:
+      - main
+    tags-ignore:
+      - '**'
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+    branches:
+      - main
+      - 'release/**'
+
+env:
+  ACTIONS_STEP_DEBUG: '${{ secrets.ACTIONS_STEP_DEBUG }}'
+
+jobs:
+  gitleaks:
+    name: "Gitleaks"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: hmarr/debug-action@v3.0.0
+
+      - name: install
+        shell: bash
+        run: |
+          set -euo pipefail
+          arch="$(uname)_$(uname -m)"
+          platform=$(echo $arch | tr '[:upper:]' '[:lower:]' )
+          echo "PLATFORM=$platform" >> $GITHUB_ENV
+          echo "GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')" >> $GITHUB_ENV
+
+      - name: Cache gitleaks archive
+        id: cache_gitleaks
+        uses: actions/cache@v4
+        with:
+          path: /usr/local/bin/gitleaks
+          key: gitleaks-${{ env.PLATFORM }}-${{ env.GITLEAKS_VERSION }}
+
+      - name: Download and configure gitleaks
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [[ "${{ steps.cache_gitleaks.outputs.cache-hit }}" != "true" ]]; then
+            DOWNLOAD_URL="https://github.com/gitleaks/gitleaks/releases/download/v${{ env.GITLEAKS_VERSION }}/gitleaks_${{ env.GITLEAKS_VERSION }}_linux_x64.tar.gz"
+            echo "Download Gitleaks ${{ env.GITLEAKS_VERSION }} for ${{ env.PLATFORM }} from ${DOWNLOAD_URL}"
+            curl -fsSL "$DOWNLOAD_URL" | tar xzf - -C /usr/local/bin
+          fi
+          chmod +x /usr/local/bin/gitleaks
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: 'recursive'
+          token: ${{ secrets.GIT_PAT }}
+          fetch-depth: 0
+
+      - name: Run gitleaks
+        run: |
+          set -euo pipefail ${ACTIONS_STEP_DEBUG:+-x}
+
+          gitleaks \
+            detect \
+            --source="." \
+            --redact \
+            -v \
+            --exit-code=2 \
+            --report-format=sarif \
+            --report-path=results.sarif \
+            --log-level=debug \
+            --log-opts='${{ github.event.pull_request.base.sha || github.event.before }}..${{ github.event.pull_request.head.sha || github.event.after }}'
+
+      - name: Upload test results
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: GitLeaks results
+          path: results.sarif
+          retention-days: 14
