fix(ci): guard gitea workflow secret surfaces
Some checks failed
Code Review / ai-code-review (push) Failing after 10s

This commit is contained in:
Your Name
2026-05-18 09:39:13 +08:00
parent e8b507be54
commit 9f2974f4c5
7 changed files with 337 additions and 121 deletions

View File

@@ -0,0 +1,32 @@
#!/usr/bin/env ruby
# Guard against putting secrets in Gitea step env/with blocks.
# Gitea/act_runner logs may render those blocks before masking is effective.
require "yaml"
workflow_glob = File.expand_path("../../.gitea/workflows/*.{yml,yaml}", __dir__)
violations = []
Dir[workflow_glob].sort.each do |path|
doc = YAML.load_file(path)
jobs = doc.fetch("jobs", {})
jobs.each do |job_name, job|
Array(job["steps"]).each_with_index do |step, index|
%w[env with].each do |section|
Hash(step[section]).each do |key, value|
next unless value.to_s.include?("${{ secrets.")
violations << "#{path}:#{job_name}:step#{index + 1}:#{section}.#{key}"
end
end
end
end
end
if violations.any?
warn "Gitea workflow exposes secrets through step env/with:"
violations.each { |violation| warn " - #{violation}" }
exit 1
end
puts "no Gitea step env/with secrets"