Create infisical-secrets-check.yml (#28)

guibranco · web-flow · commit 33c37cdc96f0 · 2024-06-19T00:12:48.000Z
diff --git a/.github/workflows/infisical-secrets-check.yml b/.github/workflows/infisical-secrets-check.yml
@@ -0,0 +1,75 @@
+name: Infisical secrets check
+
+on:
+  workflow_dispatch:
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  
+  secrets-scan:
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set Infisical package source
+        shell: bash
+        run: curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
+      
+      - name: Install Infisical
+        shell: bash
+        run: | 
+          sudo apt-get update && sudo apt-get install -y infisical
+      
+      - name: Run scan
+        shell: bash
+        run: infisical scan --redact -f csv -r secrets-result.csv 2>&1 | tee secrets-result.log
+
+      - name: Read secrets-result.log
+        uses: guibranco/github-file-reader-action-v2@v2.1.535
+        if: always()
+        id: log
+        with:
+         path: secrets-result.log
+
+      - name: Read secrets-result.log
+        uses: guibranco/github-file-reader-action-v2@v2.1.535
+        if: failure()
+        id: report
+        with:
+         path: secrets-result.csv
+
+      - name: Update PR with comment
+        uses: mshick/add-pr-comment@v2
+        if: always()
+        with:
+          refresh-message-position: true
+          message-id: 'secrets-result'
+          message: |
+            **Infisical secrets check:** :white_check_mark: No secrets leaked!
+
+            **Scan results:**
+            ```
+            ${{ steps.log.outputs.contents }}
+            ```
+
+          message-failure: |
+            **Infisical secrets check:** :rotating_light: Secrets leaked!.     
+            
+            **Scan results:**
+            ```
+            ${{ steps.log.outputs.contents }}
+            ```
+            **Scan report:**
+            ```
+            ${{ steps.report.outputs.contents }}
+            ```
+          message-cancelled: |
+            **Infisical secrets check:** :o: Secrets check cancelled!.
