From 8e378d4fc27b03ba9f7ad3259c9b9140d5b46fbf Mon Sep 17 00:00:00 2001 From: flemming-it Date: Sat, 9 May 2026 13:40:37 +0200 Subject: [PATCH] ci: add Forgejo security workflow (mirror of pre-commit hook) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Runs `tools/security/check-staged.sh ci` on every push to main and every PR. Same script as the local pre-commit hook so the gate is identical whether or not a contributor activated the local hook via `bash tools/install-hooks.sh`. No Flutter / Dart toolchain needed in the runner — the check is plain bash + git. Signed-off-by: flemming-it --- .forgejo/workflows/security.yml | 45 +++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 .forgejo/workflows/security.yml diff --git a/.forgejo/workflows/security.yml b/.forgejo/workflows/security.yml new file mode 100644 index 0000000..4f716ec --- /dev/null +++ b/.forgejo/workflows/security.yml @@ -0,0 +1,45 @@ +name: Security + +on: + push: + branches: [main] + pull_request: + branches: [main] + +jobs: + security: + name: Security check + runs-on: ubuntu-latest + steps: + # Same external-URL checkout dance the fai/platform CI uses — + # the runner's internal forgejo URL is not resolvable from + # inside the DinD job container. See `reference_forgejo_ci_setup` + # in the operator memory for the rationale. + - name: Checkout via external URL + run: | + set -eu + mkdir -p "$GITHUB_WORKSPACE" + cd "$GITHUB_WORKSPACE" + git init -q + git remote add origin \ + "https://x-access-token:${GITHUB_TOKEN}@git.flemming.ws/${GITHUB_REPOSITORY}.git" + # Fetch enough history that scanning back to the merge base + # / origin/main yields a non-empty diff. depth=50 covers any + # realistic PR; larger PRs still pass since the script + # falls back to the root commit on missing base. + git fetch --depth=50 origin "$GITHUB_SHA" + git checkout -q FETCH_HEAD + + - name: Security check (secrets, confidentiality, banned phrases) + # Same script `tools/security/check-staged.sh` the local + # pre-commit hook runs — defense in depth, so a contributor + # without `bash tools/install-hooks.sh` still cannot land + # secrets or banned phrases on main. + run: | + set -eu + BASE="origin/main" + if [ -n "${GITHUB_BASE_REF:-}" ]; then + git fetch --depth=50 origin "$GITHUB_BASE_REF" + BASE="origin/$GITHUB_BASE_REF" + fi + bash tools/security/check-staged.sh ci "$BASE"