fix(ci): stop exposing deploy ssh key env
@@ -15,6 +15,7 @@ const workflowDir = path.join(root, ".gitea", "workflows");
|
||||
const violations = [];
|
||||
const routeViolations = [];
|
||||
const secretExprPattern = /\$\{\{\s*secrets\./;
|
||||
const forbiddenStepEnvSecrets = new Set(["DEPLOY_SSH_KEY"]);
|
||||
|
||||
for (const fileName of fs.readdirSync(workflowDir).sort()) {
|
||||
if (!fileName.endsWith(".yml") && !fileName.endsWith(".yaml")) {
|
||||
@@ -70,11 +71,18 @@ for (const fileName of fs.readdirSync(workflowDir).sort()) {
|
||||
if (block && block.section !== "env" && secretExprPattern.test(line)) {
|
||||
violations.push(`${filePath}:${index + 1}:${block.section}`);
|
||||
}
|
||||
|
||||
if (block && block.section === "env") {
|
||||
const envKey = trimmed.split(":", 1)[0];
|
||||
if (forbiddenStepEnvSecrets.has(envKey)) {
|
||||
violations.push(`${filePath}:${index + 1}:env:${envKey}`);
|
||||
}
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
if (violations.length > 0) {
|
||||
console.error("Gitea workflow exposes secrets through run/with text:");
|
||||
console.error("Gitea workflow exposes secrets through unsafe run/with/env transport:");
|
||||
for (const violation of violations) {
|
||||
console.error(` - ${violation}`);
|
||||
}
|
||||
|
||||
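Review bot: The new env check at `if (forbiddenStepEnvSecrets.has(envKey))` keys on the variable name, so a step that maps the same secret under another name (`KEY: ${{ secrets.DEPLOY_SSH_KEY }}`) is not reported, while the `secretExprPattern` branch just above it deliberately skips `env` sections, leaving that case uncovered by either check. The guard should also look at the value side, e.g. add `const forbiddenSecretRef = /\bsecrets\.DEPLOY_SSH_KEY\b/;` next to the Set in the first hunk and change the condition to `if (forbiddenStepEnvSecrets.has(envKey) || forbiddenSecretRef.test(line)) {`. The key extraction `trimmed.split(":", 1)[0]` also keeps surrounding quotes and trailing whitespace, so `"DEPLOY_SSH_KEY":` or `DEPLOY_SSH_KEY :` would pass the `Set` lookup; trimming the key and stripping matching quotes before `has()` closes that. The enclosing callback and the definition of `trimmed` lie outside this hunk, so I am assuming `trimmed` is the whitespace-trimmed form of `line`.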