fix(ci): guard gitea workflow secret surfaces
Some checks failed
Code Review / ai-code-review (push) Failing after 10s
Some checks failed
Code Review / ai-code-review (push) Failing after 10s
This commit is contained in:
32
scripts/ci/check-gitea-step-env-secrets.rb
Executable file
32
scripts/ci/check-gitea-step-env-secrets.rb
Executable file
@@ -0,0 +1,32 @@
|
||||
#!/usr/bin/env ruby
|
||||
# Guard against putting secrets in Gitea step env/with blocks.
|
||||
# Gitea/act_runner logs may render those blocks before masking is effective.
|
||||
|
||||
require "yaml"
|
||||
|
||||
workflow_glob = File.expand_path("../../.gitea/workflows/*.{yml,yaml}", __dir__)
|
||||
violations = []
|
||||
|
||||
Dir[workflow_glob].sort.each do |path|
|
||||
doc = YAML.load_file(path)
|
||||
jobs = doc.fetch("jobs", {})
|
||||
jobs.each do |job_name, job|
|
||||
Array(job["steps"]).each_with_index do |step, index|
|
||||
%w[env with].each do |section|
|
||||
Hash(step[section]).each do |key, value|
|
||||
next unless value.to_s.include?("${{ secrets.")
|
||||
|
||||
violations << "#{path}:#{job_name}:step#{index + 1}:#{section}.#{key}"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
if violations.any?
|
||||
warn "Gitea workflow exposes secrets through step env/with:"
|
||||
violations.each { |violation| warn " - #{violation}" }
|
||||
exit 1
|
||||
end
|
||||
|
||||
puts "no Gitea step env/with secrets"
|
||||
Reference in New Issue
Block a user