fix(ci): run secret surface guard with node
All checks were successful
Code Review / ai-code-review (push) Successful in 12s
All checks were successful
Code Review / ai-code-review (push) Successful in 12s
This commit is contained in:
54
scripts/ci/check-gitea-step-env-secrets.js
Executable file
54
scripts/ci/check-gitea-step-env-secrets.js
Executable file
@@ -0,0 +1,54 @@
|
||||
#!/usr/bin/env node
|
||||
/*
|
||||
* Guard against putting secrets in Gitea step env/with blocks.
|
||||
* Gitea/act_runner logs may render those blocks before masking is effective.
|
||||
*/
|
||||
|
||||
const fs = require("fs");
|
||||
const path = require("path");
|
||||
|
||||
const root = path.resolve(__dirname, "../..");
|
||||
const workflowDir = path.join(root, ".gitea", "workflows");
|
||||
const violations = [];
|
||||
|
||||
for (const fileName of fs.readdirSync(workflowDir).sort()) {
|
||||
if (!fileName.endsWith(".yml") && !fileName.endsWith(".yaml")) {
|
||||
continue;
|
||||
}
|
||||
|
||||
const filePath = path.join(workflowDir, fileName);
|
||||
const lines = fs.readFileSync(filePath, "utf8").split(/\r?\n/);
|
||||
let block = null;
|
||||
|
||||
lines.forEach((line, index) => {
|
||||
const indent = line.match(/^\s*/)[0].length;
|
||||
const trimmed = line.trim();
|
||||
|
||||
if (block && trimmed && indent <= block.indent) {
|
||||
block = null;
|
||||
}
|
||||
|
||||
const blockMatch = line.match(/^(\s*)(env|with):\s*$/);
|
||||
if (blockMatch) {
|
||||
block = {
|
||||
indent: blockMatch[1].length,
|
||||
section: blockMatch[2],
|
||||
};
|
||||
return;
|
||||
}
|
||||
|
||||
if (block && line.includes("${{ secrets.")) {
|
||||
violations.push(`${filePath}:${index + 1}:${block.section}`);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
if (violations.length > 0) {
|
||||
console.error("Gitea workflow exposes secrets through step env/with:");
|
||||
for (const violation of violations) {
|
||||
console.error(` - ${violation}`);
|
||||
}
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
console.log("no Gitea step env/with secrets");
|
||||
@@ -1,32 +0,0 @@
|
||||
#!/usr/bin/env ruby
|
||||
# Guard against putting secrets in Gitea step env/with blocks.
|
||||
# Gitea/act_runner logs may render those blocks before masking is effective.
|
||||
|
||||
require "yaml"
|
||||
|
||||
workflow_glob = File.expand_path("../../.gitea/workflows/*.{yml,yaml}", __dir__)
|
||||
violations = []
|
||||
|
||||
Dir[workflow_glob].sort.each do |path|
|
||||
doc = YAML.load_file(path)
|
||||
jobs = doc.fetch("jobs", {})
|
||||
jobs.each do |job_name, job|
|
||||
Array(job["steps"]).each_with_index do |step, index|
|
||||
%w[env with].each do |section|
|
||||
Hash(step[section]).each do |key, value|
|
||||
next unless value.to_s.include?("${{ secrets.")
|
||||
|
||||
violations << "#{path}:#{job_name}:step#{index + 1}:#{section}.#{key}"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
if violations.any?
|
||||
warn "Gitea workflow exposes secrets through step env/with:"
|
||||
violations.each { |violation| warn " - #{violation}" }
|
||||
exit 1
|
||||
end
|
||||
|
||||
puts "no Gitea step env/with secrets"
|
||||
Reference in New Issue
Block a user