fix(ci): stop exposing deploy ssh key env

This commit is contained in:
Your Name
2026-07-01 15:41:54 +08:00
parent 55b60f9e99
commit 06819ea96c
5 changed files with 58 additions and 23 deletions


@@ -15,6 +15,7 @@ const workflowDir = path.join(root, ".gitea", "workflows");
const violations = [];
const routeViolations = [];
const secretExprPattern = /\$\{\{\s*secrets\./;
const forbiddenStepEnvSecrets = new Set(["DEPLOY_SSH_KEY"]);
for (const fileName of fs.readdirSync(workflowDir).sort()) {
if (!fileName.endsWith(".yml") && !fileName.endsWith(".yaml")) {
@@ -70,11 +71,18 @@ for (const fileName of fs.readdirSync(workflowDir).sort()) {
if (block && block.section !== "env" && secretExprPattern.test(line)) {
violations.push(`${filePath}:${index + 1}:${block.section}`);
}
if (block && block.section === "env") {
const envKey = trimmed.split(":", 1)[0];
if (forbiddenStepEnvSecrets.has(envKey)) {
violations.push(`${filePath}:${index + 1}:env:${envKey}`);
}
}
});
}
if (violations.length > 0) {
console.error("Gitea workflow exposes secrets through run/with text:");
console.error("Gitea workflow exposes secrets through unsafe run/with/env transport:");
for (const violation of violations) {
console.error(` - ${violation}`);
}