From a84abf03ca8bd4cd2ae1bc91f2e33d074dae2485 Mon Sep 17 00:00:00 2001
From: user
Date: Thu, 5 Feb 2026 23:02:46 +0100
Subject: [PATCH] ci: Add security checks (secrets scan, config validation)

---
 .gitea/workflows/lint.yml | 45 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
index 60690dc..abb83d7 100644
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -75,6 +75,31 @@ jobs:
 echo "::warning::Firmware using $PERCENT% of partition"
 fi
+ - name: Security checks
+ run: |
+ BIN="get-started/csi_recv_router/build/csi_recv_router.bin"
+ CFG="get-started/csi_recv_router/sdkconfig"
+
+ echo "=== Checking for hardcoded secrets ==="
+ if strings "$BIN" | grep -iqE '(password|secret|api_key|apikey)=[^$]'; then
+ echo "::error::Potential hardcoded secret found in binary"
+ exit 1
+ fi
+ echo "No hardcoded secrets detected"
+
+ echo "=== Checking release configuration ==="
+ LOG_LEVEL=$(grep 'CONFIG_LOG_DEFAULT_LEVEL=' "$CFG" | cut -d= -f2)
+ if [ "$LOG_LEVEL" -gt 3 ]; then
+ echo "::warning::Debug/verbose logging enabled (level $LOG_LEVEL)"
+ else
+ echo "Log level OK ($LOG_LEVEL)"
+ fi
+
+ echo "=== Component size breakdown ==="
+ . /opt/esp/idf/export.sh
+ cd get-started/csi_recv_router
+ idf.py size-components 2>/dev/null | head -30
+ - name: Upload firmware artifact + run: | + mkdir -p /tmp/artifacts
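Review bot: A missing or unreadable firmware binary makes the secrets scan pass silently: `strings "$BIN"` fails inside the `if` condition, the pipeline's status comes from `grep -q` (no input, no match, status 1), and the step prints `No hardcoded secrets detected`. Guard the path before scanning, e.g. `[ -r "$BIN" ] || { echo "::error::Firmware binary not found: $BIN"; exit 1; }`. The regex also only catches `key=value` style literals; if this example takes credentials from Kconfig/sdkconfig values (common in ESP-IDF examples, not visible here), they are compiled in as bare strings without a `password=` prefix, so the scan is a heuristic and deserves a comment saying so: `# heuristic: only flags key=value literals, not bare credential strings`. The component-size listing at the end is not a security check and masks its own failures with `2>/dev/null | head -30`; it reads better as a separate step.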
@@ -108,6 +133,26 @@ jobs:
 cd get-started/csi_recv_router
 idf.py build
+ - name: Security checks
+ run: |
+ BIN="get-started/csi_recv_router/build/csi_recv_router.bin"
+ CFG="get-started/csi_recv_router/sdkconfig"
+
+ echo "=== Checking for hardcoded secrets ==="
+ if strings "$BIN" | grep -iqE '(password|secret|api_key|apikey)=[^$]'; then
+ echo "::error::Potential hardcoded secret found in binary"
+ exit 1
+ fi
+ echo "No hardcoded secrets detected"
+
+ echo "=== Checking release configuration ==="
+ LOG_LEVEL=$(grep 'CONFIG_LOG_DEFAULT_LEVEL=' "$CFG" | cut -d= -f2)
+ if [ "$LOG_LEVEL" -gt 3 ]; then
+ echo "::warning::Debug/verbose logging enabled (level $LOG_LEVEL)"
+ else
+ echo "Log level OK ($LOG_LEVEL)"
+ fi
+ - name: Validate version tag + run: | + TAG="${{ github.ref_name }}"
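Review bot: `LOG_LEVEL` is empty when `CONFIG_LOG_DEFAULT_LEVEL=` is absent from sdkconfig (or present only as a `# ... is not set` comment), and `[ "" -gt 3 ]` then errors with `integer expression expected`; because the test is an `if` condition it falls through to the `else` branch and reports `Log level OK ()`, a false pass, and a multi-line grep match behaves the same way. Anchor the match and fail explicitly: `LOG_LEVEL=$(grep -m1 '^CONFIG_LOG_DEFAULT_LEVEL=' "$CFG" | cut -d= -f2)` followed by `[ -n "$LOG_LEVEL" ] || { echo "::error::CONFIG_LOG_DEFAULT_LEVEL not found in $CFG"; exit 1; }`. The `-gt 3` threshold is presumably ESP-IDF's info level with debug/verbose above it; a one-line comment such as `# ESP-IDF log levels: 3=info, 4=debug, 5=verbose` would make the intent checkable. This step is otherwise a verbatim copy of the one added to the earlier job in this patch (minus the size breakdown), so moving the script into a file in the repo and invoking it from both jobs would keep the two checks from drifting apart.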