fix(ci): run secret surface guard with node
All checks were successful
Code Review / ai-code-review (push) Successful in 12s

This commit is contained in:
Your Name
2026-05-18 09:41:09 +08:00
parent 9f2974f4c5
commit 986d1a937d
5 changed files with 58 additions and 36 deletions

View File

@@ -0,0 +1,54 @@
#!/usr/bin/env node
/*
* Guard against putting secrets in Gitea step env/with blocks.
* Gitea/act_runner logs may render those blocks before masking is effective.
*/
const fs = require("fs");
const path = require("path");
const root = path.resolve(__dirname, "../..");
const workflowDir = path.join(root, ".gitea", "workflows");
const violations = [];
for (const fileName of fs.readdirSync(workflowDir).sort()) {
if (!fileName.endsWith(".yml") && !fileName.endsWith(".yaml")) {
continue;
}
const filePath = path.join(workflowDir, fileName);
const lines = fs.readFileSync(filePath, "utf8").split(/\r?\n/);
let block = null;
lines.forEach((line, index) => {
const indent = line.match(/^\s*/)[0].length;
const trimmed = line.trim();
if (block && trimmed && indent <= block.indent) {
block = null;
}
const blockMatch = line.match(/^(\s*)(env|with):\s*$/);
if (blockMatch) {
block = {
indent: blockMatch[1].length,
section: blockMatch[2],
};
return;
}
if (block && line.includes("${{ secrets.")) {
violations.push(`${filePath}:${index + 1}:${block.section}`);
}
});
}
if (violations.length > 0) {
console.error("Gitea workflow exposes secrets through step env/with:");
for (const violation of violations) {
console.error(` - ${violation}`);
}
process.exit(1);
}
console.log("no Gitea step env/with secrets");

View File

@@ -1,32 +0,0 @@
#!/usr/bin/env ruby
# Guard against putting secrets in Gitea step env/with blocks.
# Gitea/act_runner logs may render those blocks before masking is effective.
require "yaml"
workflow_glob = File.expand_path("../../.gitea/workflows/*.{yml,yaml}", __dir__)
violations = []
Dir[workflow_glob].sort.each do |path|
doc = YAML.load_file(path)
jobs = doc.fetch("jobs", {})
jobs.each do |job_name, job|
Array(job["steps"]).each_with_index do |step, index|
%w[env with].each do |section|
Hash(step[section]).each do |key, value|
next unless value.to_s.include?("${{ secrets.")
violations << "#{path}:#{job_name}:step#{index + 1}:#{section}.#{key}"
end
end
end
end
end
if violations.any?
warn "Gitea workflow exposes secrets through step env/with:"
violations.each { |violation| warn " - #{violation}" }
exit 1
end
puts "no Gitea step env/with secrets"