ci: add Forgejo security workflow (mirror of pre-commit hook)
Some checks failed
Security / Security check (push) Has been cancelled
Some checks failed
Security / Security check (push) Has been cancelled
Runs `tools/security/check-staged.sh ci` on every push to main and every PR. Same script as the local pre-commit hook so the gate is identical whether or not a contributor activated the local hook via `bash tools/install-hooks.sh`. No Flutter / Dart toolchain needed in the runner — the check is plain bash + git. Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
This commit is contained in:
parent
99ef83ccf0
commit
8e378d4fc2
1 changed files with 45 additions and 0 deletions
45
.forgejo/workflows/security.yml
Normal file
45
.forgejo/workflows/security.yml
Normal file
|
|
@ -0,0 +1,45 @@
|
|||
name: Security
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main]
|
||||
pull_request:
|
||||
branches: [main]
|
||||
|
||||
jobs:
|
||||
security:
|
||||
name: Security check
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Same external-URL checkout dance the fai/platform CI uses —
|
||||
# the runner's internal forgejo URL is not resolvable from
|
||||
# inside the DinD job container. See `reference_forgejo_ci_setup`
|
||||
# in the operator memory for the rationale.
|
||||
- name: Checkout via external URL
|
||||
run: |
|
||||
set -eu
|
||||
mkdir -p "$GITHUB_WORKSPACE"
|
||||
cd "$GITHUB_WORKSPACE"
|
||||
git init -q
|
||||
git remote add origin \
|
||||
"https://x-access-token:${GITHUB_TOKEN}@git.flemming.ws/${GITHUB_REPOSITORY}.git"
|
||||
# Fetch enough history that scanning back to the merge base
|
||||
# / origin/main yields a non-empty diff. depth=50 covers any
|
||||
# realistic PR; larger PRs still pass since the script
|
||||
# falls back to the root commit on missing base.
|
||||
git fetch --depth=50 origin "$GITHUB_SHA"
|
||||
git checkout -q FETCH_HEAD
|
||||
|
||||
- name: Security check (secrets, confidentiality, banned phrases)
|
||||
# Same script `tools/security/check-staged.sh` the local
|
||||
# pre-commit hook runs — defense in depth, so a contributor
|
||||
# without `bash tools/install-hooks.sh` still cannot land
|
||||
# secrets or banned phrases on main.
|
||||
run: |
|
||||
set -eu
|
||||
BASE="origin/main"
|
||||
if [ -n "${GITHUB_BASE_REF:-}" ]; then
|
||||
git fetch --depth=50 origin "$GITHUB_BASE_REF"
|
||||
BASE="origin/$GITHUB_BASE_REF"
|
||||
fi
|
||||
bash tools/security/check-staged.sh ci "$BASE"
|
||||
Loading…
Add table
Add a link
Reference in a new issue