Fix honoring skip phrases #1110
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: gitleaks 💧 | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
types: | |
- opened | |
- synchronize | |
- reopened | |
- ready_for_review | |
branches: | |
- main | |
workflow_dispatch: | |
workflow_call: | |
inputs: | |
additional-args: | |
description: Additional arguments to pass to 'gitleaks detect' | |
required: false | |
type: string | |
default: "" | |
check-for-pii: | |
description: Check for any instances of PII data in the repository | |
required: false | |
type: boolean | |
default: false | |
concurrency: | |
group: gitleaks-${{ github.event.pull_request.number || github.ref }} | |
cancel-in-progress: true | |
jobs: | |
gitleaks: | |
name: gitleaks 💧 | |
runs-on: ubuntu-latest | |
if: > | |
github.event.pull_request.draft == false | |
steps: | |
- name: Get branch names 🌿 | |
id: branch-name | |
uses: tj-actions/branch-names@v7 | |
- name: Checkout repo (PR) 🛎 | |
uses: actions/checkout@v4 | |
if: github.event_name == 'pull_request' | |
with: | |
ref: ${{ steps.branch-name.outputs.head_ref_branch }} | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
- name: Checkout repo 🛎 | |
uses: actions/checkout@v4 | |
if: github.event_name != 'pull_request' | |
with: | |
ref: ${{ steps.branch-name.outputs.head_ref_branch }} | |
- name: Check commit message 💬 | |
run: | | |
git config --global --add safe.directory $(pwd) | |
export head_commit_message="$(git show -s --format=%B | tr '\r\n' ' ' | tr '\n' ' ')" | |
echo "head_commit_message = $head_commit_message" | |
if [[ $head_commit_message == *"$SKIP_INSTRUCTION"* ]]; then | |
echo "Skip instruction detected - cancelling the workflow." | |
curl -s -LJ -o gh.tar.gz https://github.com/cli/cli/releases/download/v${GH_CLI_VERSION}/gh_${GH_CLI_VERSION}_linux_amd64.tar.gz | |
tar -xzf gh.tar.gz --strip-components 2 | |
./gh version | |
./gh run cancel ${{ github.run_id }} | |
./gh run watch ${{ github.run_id }} | |
fi | |
shell: bash | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GH_CLI_VERSION: 2.44.1 | |
SKIP_INSTRUCTION: "[skip gitleaks]" | |
- name: Download and install gitleaks 💧 | |
run: | | |
cd /tmp | |
sudo wget -q \ | |
"https://github.com/zricethezav/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \ | |
-O gitleaks.tar.gz || \ | |
(echo "Error downloading gitleaks ${GITLEAKS_VERSION} tarball" && exit 1) | |
sudo tar -xvzf gitleaks.tar.gz || \ | |
(echo "Error unarchiving gitleaks ${GITLEAKS_VERSION} tarball" && exit 1) | |
sudo mv gitleaks /usr/bin/. || \ | |
(echo "Error moving gitleaks for /usr/bin" && exit 1) | |
shell: bash | |
env: | |
GITLEAKS_VERSION: "8.18.1" | |
- name: Run gitleaks ☔ | |
run: gitleaks -v detect --no-git ${{ inputs.additional-args }} --source . | |
shell: bash | |
pii-check: | |
name: PII Check 💳 | |
runs-on: ubuntu-latest | |
if: > | |
github.event.pull_request.draft == false | |
&& inputs.check-for-pii == true | |
steps: | |
- name: Get branch names 🌿 | |
id: branch-name | |
uses: tj-actions/branch-names@v7 | |
- name: Checkout repo (PR) 🛎 | |
uses: actions/checkout@v4 | |
if: github.event_name == 'pull_request' | |
with: | |
ref: ${{ steps.branch-name.outputs.head_ref_branch }} | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
fetch-depth: 0 | |
- name: Checkout repo 🛎 | |
uses: actions/checkout@v4 | |
if: github.event_name != 'pull_request' | |
with: | |
ref: ${{ steps.branch-name.outputs.head_ref_branch }} | |
fetch-depth: 0 | |
- name: Check commit message 💬 | |
run: | | |
git config --global --add safe.directory $(pwd) | |
export head_commit_message="$(git show -s --format=%B | tr '\r\n' ' ' | tr '\n' ' ')" | |
echo "head_commit_message = $head_commit_message" | |
if [[ $head_commit_message == *"$SKIP_INSTRUCTION"* ]]; then | |
echo "Skip instruction detected - cancelling the workflow." | |
curl -s -LJ -o gh.tar.gz https://github.com/cli/cli/releases/download/v${GH_CLI_VERSION}/gh_${GH_CLI_VERSION}_linux_amd64.tar.gz | |
tar -xzf gh.tar.gz --strip-components 2 | |
./gh version | |
./gh run cancel ${{ github.run_id }} | |
./gh run watch ${{ github.run_id }} | |
fi | |
shell: bash | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GH_CLI_VERSION: 2.44.1 | |
SKIP_INSTRUCTION: "[skip pii-check]" | |
- name: Run Presidio to check for PII ☔ | |
uses: insightsengineering/presidio-action@v1 | |
with: | |
configuration-data: | | |
threshold: 0.95 | |
ignore: | | |
.git | |
**/*.svg | |
**/*.png | |
**/*.rds | |
**/*.rda | |
**/*.jpg | |
**/*.gif | |
.gitlab-ci.yml | |
.Rbuildignore | |
_pkgdown.yml | |
inst/WORDLIST | |
**/*.RData | |
**/*.xlsx | |
output: "github" | |
only-changed-files: true |