Bump actions/checkout from 5 to 6 #73
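# Display name of the workflow
name: Static Analysis - Advanced Secret Scan

# When this workflow triggers
on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
  # Allow this workflow to be called from another workflow
  workflow_call:
  # Run the scan on every push to main and on every PR that targets main
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Define each session of execution that should be executed
jobs:
  SecretScan:
    # Display name of the job
    name: Scan for Secrets
    # Operating system filter for the runners
    runs-on: ubuntu-latest
    # Sets the scopes available to the github_token injected to the GH Actions runner.
    # Read-only access to contents is all the scan needs; every other scope is denied.
    permissions:
      contents: read
    steps:
      # Work out which commit to check out and how much history to fetch, so the
      # scan covers the commits of this push / PR (plus a small buffer) and no more.
      - name: Calculate Checkout Depth and Ref
        shell: bash
        env:
          # Untrusted event data is handed over as environment variables and read as
          # shell variables; it is never interpolated into the script with ${{ }}
          # (that is the script-injection guard).
          UNTRUST_PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          UNTRUST_PR_COMMITS_COUNT: ${{ github.event.pull_request.commits }}
          UNTRUST_PUSH_COMMIT_LIST_JSON: ${{ toJson(github.event.commits) }}
        run: |
          # Exit on error (-e), treat unset variables as errors (-u), and fail on pipeline errors (-o pipefail)
          set -euo pipefail

          depth=""
          ref=""

          # NOTE(review): for workflow_call the event name should be the caller's
          # event, so the branches below still apply; for workflow_dispatch neither
          # matches and both values stay empty, which leaves actions/checkout on its
          # defaults (same as before) — confirm that is the intended behaviour.
          if [ "$GITHUB_EVENT_NAME" = "push" ]; then
            # Count the commits in the push payload with jq (a JSON parser);
            # anything that is not a plain number becomes 0
            raw_depth=$(printf '%s' "$UNTRUST_PUSH_COMMIT_LIST_JSON" | jq 'length')
            if ! [[ "$raw_depth" =~ ^[0-9]+$ ]]; then raw_depth=0; fi
            # GitHub truncates the payload's `commits` array (older docs give 20 as the
            # cap), so at or above that the count under-reports the push. Rather than
            # silently skipping commits, fetch full history (depth 0) in that case.
            if [ "$raw_depth" -ge 20 ]; then
              depth=0
            else
              # Small buffer (+2) so there is enough history around the pushed commits
              depth=$(( raw_depth + 2 ))
            fi
            # GITHUB_SHA is the pushed commit and is runner-provided, i.e. trusted
            ref="$GITHUB_SHA"
          elif [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
            # Number of commits in the PR; default to 0 if missing or non-numeric
            pr_commits="${UNTRUST_PR_COMMITS_COUNT:-0}"
            if ! [[ "$pr_commits" =~ ^[0-9]+$ ]]; then pr_commits=0; fi
            # Small buffer (+2) so there is enough history around the PR commits
            depth=$(( pr_commits + 2 ))
            # Use the PR head commit SHA rather than the head branch name. For a PR
            # from a fork the branch name does not exist in this repository, so a
            # branch-name checkout either fails or — if this repo happens to have a
            # same-named branch — silently scans the wrong code. PR head commits are
            # always fetchable from the base repository.
            ref="$UNTRUST_PR_HEAD_SHA"
          fi

          # The ref is untrusted input that ends up both in GITHUB_ENV and in a
          # checkout input: accept only a full lowercase hex commit SHA, fail closed
          # otherwise. A secret scan must not quietly run against some other ref.
          if [ -n "$ref" ] && ! [[ "$ref" =~ ^[0-9a-f]{40}$ ]]; then
            echo "::error::refusing to check out an unexpected ref value"
            exit 1
          fi

          # Each GITHUB_ENV entry must be terminated by its own newline, otherwise the
          # next entry is glued onto this one and both variables end up wrong. The
          # values were validated above (digits only / hex only), so they cannot carry
          # newlines or a `name<<EOF` heredoc marker that would spill into other entries.
          printf 'depth=%s\n' "$depth" >> "$GITHUB_ENV"
          printf 'checkout_ref=%s\n' "$ref" >> "$GITHUB_ENV"

      # Check out the computed commit at the computed depth. Both empty => checkout
      # defaults (workflow_dispatch). NOTE(review): pinned by major tag; if tag
      # mutability is a concern, pin to a commit SHA like the TruffleHog step does.
      - uses: actions/checkout@v6
        with:
          ref: ${{ env.checkout_ref }}
          fetch-depth: ${{ env.depth }}

      # Run TruffleHog against the checked-out history. The action is pinned to an
      # immutable commit SHA rather than a mutable tag.
      - name: Scan for Secrets
        uses: trufflesecurity/trufflehog@ad6fc8fb446b8fafbf7ea8193d2d6bfd42f45690
        with:
          # Report secrets that verified as live and those whose verification could not
          # be completed; confirmed-invalid findings are dropped. NOTE(review): unless
          # `base`/`head` inputs are set the action derives its scan range from the
          # event — confirm it behaves as expected with a shallow clone and a SHA ref.
          extra_args: --results=verified,unknown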