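--- a/<workflow-file-path-not-shown-on-page>
+++ b/<workflow-file-path-not-shown-on-page>
@@ -1,87 +1,34 @@
-name: Test
+name: "Test: Infisical secrets check"
 
 on:
   push:
-    branches: [main]
+    branches:
+      - main
   pull_request:
-    branches: [main]
+    branches:
+      - main
+  workflow_dispatch:
 
 jobs:
-  bats-matrix:
-    name: Bats tests (${{ matrix.os }})
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-    steps:
-      - uses: actions/checkout@v6
-      - name: Set up Bats
-        if: matrix.os != 'windows-latest'
-        run: |
-          sudo apt-get update || true
-          sudo apt-get install -y bats || brew install bats-core
-      - name: Set up Bats (Windows)
-        if: matrix.os == 'windows-latest'
-        run: |
-          choco install bats
-      - name: Run Bats tests
-        run: bats tests/test_action.bats
-
-  coverage:
-    name: Coverage (kcov)
+  test:
+    name: Test Infisical secrets check action
     runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-      - name: Install kcov
-        run: sudo apt-get update && sudo apt-get install -y kcov
-      - name: Run Bats with coverage
-        run: |
-          kcov --include-path=. coverage bats tests/test_action.bats || true
-      - name: Upload coverage artifact
-        uses: actions/upload-artifact@v6
-        with:
-          name: coverage
-          path: coverage/
+    permissions:
+      contents: read
+      pull-requests: write
 
-  gh-tests:
-    name: Native GitHub Action tests
-    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - name: Safe repo test
-        id: safe
-        run: |
-          mkdir safe-repo && cd safe-repo
-          git init -q
-          echo "hello world" > file.txt
-          git add file.txt
-          git commit -m "Initial commit" -q
-      - name: Run action (safe)
-        id: run-safe
-        uses: ./
-        with:
-          path: safe-repo
-        continue-on-error: false
-      - name: Assert safe output
-        run: |
-          echo "secrets-leaked=${{ steps.run-safe.outputs.secrets-leaked }}"
-          test "${{ steps.run-safe.outputs.secrets-leaked }}" = "0"
+      - name: Checkout repo
+        uses: actions/checkout@v4
 
-      - name: Leaky repo test
-        id: leaky
-        run: |
-          mkdir leaky-repo && cd leaky-repo
-          git init -q
-          echo "FAKE_SECRET=abcd1234abcd1234abcd1234abcd1234" > .env
-          git add .env
-          git commit -m "Add fake secret" -q
-      - name: Run action (leaky)
-        id: run-leaky
+      - name: Run Infisical secrets check
+        id: infisical
         uses: ./
         with:
-          path: leaky-repo
-        continue-on-error: true
-      - name: Assert leaky output
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ADD_COMMENT: ${{ github.event_name == 'pull_request' }}
+
+      - name: Print output
+        if: always()
         run: |
-          echo "secrets-leaked=${{ steps.run-leaky.outputs.secrets-leaked }}"
-          test "${{ steps.run-leaky.outputs.secrets-leaked }}" -gt 0
+          echo "secrets-leaked: ${{ steps.infisical.outputs.secrets-leaked }}"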
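Review bot: The `Print output` step at the end of the hunk only echoes `steps.infisical.outputs.secrets-leaked`; with the safe-repo and leaky-repo assertions gone, the job no longer fails when the action miscounts, so a detection regression would still pass CI. The output is also interpolated straight into the `run:` script; passing it through `env:` and asserting on it keeps the step free of expression injection and restores a real check (the expected value `0` assumes this repository itself is meant to be clean — confirm that intent). Separately, `actions/checkout@v4` is a mutable tag; pinning to a full commit SHA is the usual supply-chain hardening for a workflow that also holds `pull-requests: write`. Note that on `pull_request` events from forks the token is read-only regardless of the `permissions:` block, so `ADD_COMMENT` will not be able to post a comment in that case.
```yaml
      # … unchanged: Checkout repo and Run Infisical secrets check steps …
      - name: Assert secrets-leaked output
        if: always()
        env:
          SECRETS_LEAKED: ${{ steps.infisical.outputs.secrets-leaked }}
        run: |
          echo "secrets-leaked: ${SECRETS_LEAKED}"
          test "${SECRETS_LEAKED}" = "0"
```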