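---
# Workflow: scan every push/PR to main for verified secrets; a push to main
# that passes the scan then gets a version tag and a GitHub Release.
name: Secret Scanning & Release

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# Workflow-wide GITHUB_TOKEN scopes (the union of what the jobs use):
#   contents: write       -> release job pushes the tag and uploads the asset
#   issues: write         -> trufflehog job opens a tracking issue on push
#   pull-requests: write  -> trufflehog job comments on the PR
# `id-token: write` was removed: no step in this workflow uses OIDC, and an
# unused scope only widens what a compromised step could do.
permissions:
  contents: write
  issues: write
  pull-requests: write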
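jobs:
  trufflehog:
    runs-on: ubuntu-latest
    # Job-level least privilege (narrows the workflow-level grant): the scanner
    # only needs to read the checkout; the write scopes are for notifications.
    permissions:
      contents: read
      issues: write
      pull-requests: write
    env:
      # Keep in sync with the `uses:` ref of the scanner step below. `uses:`
      # cannot read env or expressions, so the version is spelled twice.
      # Quoted so it is never re-typed by tooling.
      TRUFFLEHOG_VERSION: "v3.76.0"
    defaults:
      run:
        shell: bash  # explicit `bash` runs steps with `-e -o pipefail`
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so the base..head range resolves

      - name: TruffleHog OSS
        id: trufflehog
        # Supply chain: every third-party action here is referenced by a mutable
        # tag; pinning to a full commit SHA (<commit-sha-of-v3.76.0>) is safer.
        uses: trufflesecurity/trufflehog@v3.76.0
        # Do not stop the job here: the notification steps need to run first;
        # "Fail if secrets found" turns the outcome into a job failure.
        continue-on-error: true
        with:
          path: ./
          # Scope the scan to the commits introduced by this event.
          # `github.event.before` / `.after` exist only on push payloads; on
          # pull_request the PR's base and head SHAs define the range (the
          # push fields alone leave a PR scan unscoped to the PR diff).
          base: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
          head: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.event.after || 'HEAD' }}
          # --only-verified: report only credentials the scanner confirmed live.
          # NOTE(review): --debug makes the scanner verbose, and anyone who can
          # view the run log sees that output — confirm it is wanted here.
          extra_args: --debug --only-verified

      # --- Notifications on failure ---
      - name: Notify on PR (comment)
        if: steps.trufflehog.outcome == 'failure' && github.event_name == 'pull_request'
        uses: actions/github-script@v7
        # NOTE(review): for pull_request events from forks the token is
        # typically read-only, so this comment is presumably not posted there.
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const pr = context.payload.pull_request;
            const body = [
              '🚨 **TruffleHog secret scan failed**',
              '',
              `- Scanner version: ${process.env.TRUFFLEHOG_VERSION}`,
              `- Workflow run: ${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
              '',
              'TruffleHog detected one or more **verified** secrets in this PR diff.',
              '',
              'Please rotate affected credentials and remove them from the code and git history.',
            ].join('\n');
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pr.number,
              body
            });

      - name: Notify via issue (push to main)
        if: steps.trufflehog.outcome == 'failure' && github.event_name == 'push'
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const title = `🚨 Secret scan failed on ${context.ref}`;
            const body = [
              'TruffleHog secret scan failed on a push to the default branch.',
              '',
              `- Scanner version: ${process.env.TRUFFLEHOG_VERSION}`,
              `- Commit: ${context.sha}`,
              `- Workflow run: ${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
              '',
              'TruffleHog detected one or more **verified** secrets in the changes.',
              '',
              'Watchers of this repository will receive notifications for this issue based on their GitHub notification settings.',
            ].join('\n');
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title,
              body,
              labels: ['security', 'secret-scan']
            });

      - name: Fail if secrets found
        # `outcome` is 'failure' whenever the scanner step exited non-zero;
        # presumably that includes scanner errors, which this message does not
        # distinguish from findings.
        if: steps.trufflehog.outcome == 'failure'
        run: |
          echo "TruffleHog ${TRUFFLEHOG_VERSION} found verified secrets."
          exit 1

  release:
    # Only run for clean pushes to main, *after* trufflehog passes
    needs: trufflehog
    if: >
      github.event_name == 'push' &&
      github.ref == 'refs/heads/main' &&
      needs.trufflehog.result == 'success'
    runs-on: ubuntu-latest
    # Job-level least privilege: tagging and publishing need contents:write only.
    permissions:
      contents: write
    # Serialise releases: two overlapping runs would derive the same next minor
    # from the same tag list and race on `git tag` / `git push`.
    concurrency:
      group: release-main
      cancel-in-progress: false
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # tags and full history are needed to find the latest minor

      - name: Fetch tags
        run: git fetch --tags --force

      - name: Determine next version (1.(N+1).0)
        id: version
        # Exposes the result both as env (NEW_VERSION, NEW_TAG) for later `run`
        # steps and as step outputs (version, tag). Tags matching the glob but
        # not the sed patterns pass through unchanged and sort as 0 under -n.
        run: |
          # Pull minor versions from tags like v_1_X_0 or Release_1_X
          MINORS=$(git tag --list 'v_1_*_0' 'Release_1_*' | \
            sed -E 's/^v_1_([0-9]+)_0$/\1/; s/^Release_1_([0-9]+)$/\1/' | \
            sort -n)
          if [ -z "$MINORS" ]; then
            LATEST_MINOR=0
          else
            LATEST_MINOR=$(echo "$MINORS" | tail -n1)
          fi
          NEW_MINOR=$((LATEST_MINOR + 1))
          NEW_VERSION="1.${NEW_MINOR}.0"
          NEW_TAG="v_1_${NEW_MINOR}_0" # matches existing tag style
          echo "LATEST_MINOR=$LATEST_MINOR"
          echo "NEW_MINOR=$NEW_MINOR"
          echo "NEW_VERSION=$NEW_VERSION"
          echo "NEW_TAG=$NEW_TAG"
          echo "NEW_VERSION=$NEW_VERSION" >> "$GITHUB_ENV"
          echo "NEW_TAG=$NEW_TAG" >> "$GITHUB_ENV"
          echo "version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
          echo "tag=$NEW_TAG" >> "$GITHUB_OUTPUT"

      - name: Create versioned zip
        # Excludes the git metadata and this workflow directory from the asset.
        run: |
          mkdir -p dist
          zip -r "dist/ai-siem-v${NEW_VERSION}.zip" . \
            -x ".git/*" \
               ".github/workflows/*"

      - name: Create git tag
        # Pushes with the token persisted by actions/checkout; fails if the tag
        # already exists, which is the desired outcome.
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git tag -a "$NEW_TAG" -m "ai-siem v${NEW_VERSION}" "$GITHUB_SHA"
          git push origin "$NEW_TAG"

      - name: Create GitHub Release with asset
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ env.NEW_TAG }}  # e.g. v_1_7_0
          name: v${{ env.NEW_VERSION }}  # e.g. v1.7.0 (matches existing releases)
          generate_release_notes: true
          files: dist/ai-siem-v${{ env.NEW_VERSION }}.zip
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}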