username/s5p
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add gitleaks secret scanning to CI pipeline
Some checks failed
ci / secrets (push) Failing after 9s
Details
ci / test (push) Successful in 19s
Details
ci / build (push) Has been skipped
Details

Browse Source 
Runs gitleaks detect with full history before the build job.
Both test and secrets jobs must pass to gate image push.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
user
2026-02-21 17:34:38 +01:00
parent 8a909cd79d
commit 64f3fedb9f
2 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
.gitea/workflows/ci.yaml
View File

@@ -16,8 +16,19 @@ jobs:
- run: ruff check src/ tests/ - run: ruff check src/ tests/
- run: PYTHONPATH=src pytest tests/ -v - run: PYTHONPATH=src pytest tests/ -v
secrets:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- run: |
curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.0_linux_x64.tar.gz \
| tar xz -C /usr/local/bin gitleaks
- run: gitleaks detect --source . -v
build: build:
needs: test needs: [test, secrets]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4

5
docs/CHEATSHEET.md
View File

@@ -37,8 +37,9 @@ Dev override: compose.yaml mounts `./src` (ro) over the baked-in source.
Gitea Actions runs on push to `main`: Gitea Actions runs on push to `main`:
1. `ruff check` + `pytest` in `python:3.13-slim` 1. `ruff check` + `pytest` (test)
2. Build + push `harbor.mymx.me/s5p/s5p:latest` 2. `gitleaks detect` (secrets scan)
3. Build + push `harbor.mymx.me/s5p/s5p:latest`
Secrets: `HARBOR_USER` / `HARBOR_PASS` (configured in Gitea repo settings). Secrets: `HARBOR_USER` / `HARBOR_PASS` (configured in Gitea repo settings).