|
73 | 73 | run: |
|
74 | 74 | echo "depth=$((${{ github.event.pull_request.commits }} + 1))" >> $GITHUB_OUTPUT
|
75 | 75 |
|
| 76 | + # A force-push to a PR can obscure Cirrus-CI logs, but not GHA logs. |
| 77 | + # Provide handy URL for examination of secret leaks for all events that |
| 78 | + # trigger this action. |
| 79 | + |
| 80 | + - if: github.event_name == 'synchronize' || github.base_ref == '' |
| 81 | + name: Provide URL showing code that needs human eyes (force-push or merge) |
| 82 | + shell: bash |
| 83 | + run: | |
| 84 | + echo "Please review force-push or merged-pr changes for secret-leaks:" |
| 85 | + before=$(jq -r -e '.before' $GITHUB_EVENT_PATH) |
| 86 | + after=$(jq -r -e '.after' $GITHUB_EVENT_PATH) |
| 87 | + echo "https://github.com/${{ github.repository }}/compare/${before}...${after}" |
| 88 | +
|
| 89 | + - if: github.event_name == 'opened' |
| 90 | + name: Provide URL showing code that needs human eyes (newly opened PR) |
| 91 | + shell: bash |
| 92 | + run: | |
| 93 | + echo "Please review new PR changes for secret-leaks:" |
| 94 | + before=$(jq -r -e '.github.event.pull_request.base.sha' $GITHUB_EVENT_PATH) |
| 95 | + after=$(jq -r -e '.github.event.pull_request.head.sha' $GITHUB_EVENT_PATH) |
| 96 | + echo "https://github.com/${{ github.repository }}/compare/${before}...${after}" |
| 97 | +
|
76 | 98 | - name: Show important context details
|
77 | 99 | shell: bash
|
78 | 100 | run: |
|
@@ -123,12 +145,11 @@ jobs:
|
123 | 145 | mkdir ${{ github.workspace }}/_report
|
124 | 146 | touch ${{ github.workspace }}/_report/gitleaks-report.json
|
125 | 147 |
|
126 |
| - # A force-push to a PR can obscure Cirrus-CI logs, but not GHA logs |
127 |
| - - name: Show content being scanned |
| 148 | + - name: Log all content being scanned to file for archiving |
128 | 149 | shell: bash
|
129 | 150 | run: |
|
130 | 151 | set -exuo pipefail
|
131 |
| - ${{ env.gitlogcmd }} ${{ steps.gitlog.outputs.range }} |
| 152 | + ${{ env.gitlogcmd }} ${{ steps.gitlog.outputs.range }} >> ${{ github.workspace }}/git_commits.log |
132 | 153 |
|
133 | 154 | # Unfortunately gitleaks provides several in-built ways to
|
134 | 155 | # completely bypass an alert within PR-level commits. Assume
|
@@ -183,12 +204,15 @@ jobs:
|
183 | 204 | $glfqin \
|
184 | 205 | detect $glargs --log-opts=${{ steps.gitlog.outputs.range }}
|
185 | 206 |
|
186 |
| - - name: Collect scan report artifact |
| 207 | + - name: Collect git commits log and gitleaks scan report |
187 | 208 | if: ${{ !cancelled() }}
|
188 | 209 | uses: actions/upload-artifact@v4
|
189 | 210 | with:
|
190 | 211 | name: gitleaks-report
|
191 |
| - path: ${{ github.workspace }}/_report/gitleaks-report.json |
| 212 | + path: | |
| 213 | + ${{ github.event_path }} |
| 214 | + ${{ github.workspace }}/git_commits.log |
| 215 | + ${{ github.workspace }}/_report/gitleaks-report.json |
192 | 216 |
|
193 | 217 | # Nobody monitors the actions-tab for failures, and may not see this
|
194 | 218 | # fail on push to a nefarious PR. Send an e-mail alert to unmask
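Review bot: The `path:` list at new lines 212-215 now uploads the event payload and the complete git commits log next to gitleaks-report.json, but the artifact still has no `retention-days:`, so whatever the scan flags stays downloadable by anyone with read access to the repository for the default retention period. A gitleaks JSON report carries the matched secret string itself, and if `env.gitlogcmd` (defined outside this hunk) prints patches, git_commits.log would reproduce the leaked content a second time. Since the stated purpose is a short window for human review, consider adding `retention-days: 1` under `with:` and a comment above the step such as `# Artifact may contain the flagged secret material; keep retention short.` The step list of this job continues past the end of the hunk.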
|
|