Add Gitleaks secret scanning

This commit is contained in:
juvdiaz 2026-05-25 14:16:40 -06:00
parent a2efef2804
commit 4355ad0af8
1 changed files with 38 additions and 0 deletions


@ -30,6 +30,44 @@ jobs:
test "${ID}" = "debian" test "${ID}" = "debian"
sudo -n true sudo -n true
- name: Scan for leaked secrets with Gitleaks
run: |
set -euo pipefail
gitleaks_version="8.30.1"
case "$(uname -m)" in
x86_64|amd64)
gitleaks_platform="linux_x64"
gitleaks_sha256="551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb"
;;
aarch64|arm64)
gitleaks_platform="linux_arm64"
gitleaks_sha256="e4a487ee7ccd7d3a7f7ec08657610aa3606637dab924210b3aee62570fb4b080"
;;
*)
echo "Unsupported runner architecture: $(uname -m)" >&2
exit 1
;;
esac
tool_dir="${HOME}/.cache/homelab-tools/gitleaks/${gitleaks_version}/${gitleaks_platform}"
gitleaks_bin="${tool_dir}/gitleaks"
if [[ ! -x "${gitleaks_bin}" ]] || [[ "$("${gitleaks_bin}" version)" != "${gitleaks_version}" ]]; then
archive="gitleaks_${gitleaks_version}_${gitleaks_platform}.tar.gz"
tmpdir="$(mktemp -d)"
trap 'rm -rf "${tmpdir}"' EXIT
curl -fsSL -o "${tmpdir}/${archive}" \
"https://github.com/gitleaks/gitleaks/releases/download/v${gitleaks_version}/${archive}"
printf '%s %s\n' "${gitleaks_sha256}" "${tmpdir}/${archive}" | sha256sum -c -
mkdir -p "${tool_dir}"
tar -xzf "${tmpdir}/${archive}" -C "${tmpdir}" gitleaks
install -m 0755 "${tmpdir}/gitleaks" "${gitleaks_bin}"
fi
"${gitleaks_bin}" git --redact=100 --verbose --exit-code 1 .
- name: Validate shell, Kubernetes manifests, and OpenTofu stacks - name: Validate shell, Kubernetes manifests, and OpenTofu stacks
run: | run: |
set -euo pipefail set -euo pipefail