Update GitHub Actions workflows (#13)

* Update GitHub Actions workflows * Update GitLeaks * Update GitLeaks to flip if case around * Require MFA for pushing to RubyGems
emmahsax · Dec 1, 2021 · 635e465 · 635e465
1 parent 9da94c4
commit 635e465
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 20 deletions.
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -9,40 +9,53 @@ on:
 
 # Override environment variables as needed
 env:
+  GITLEAKS_VERSION: v8.0.4
+  GITLEAKS_REF: f15b4e408b12fda7e2833f8a32c0d8a045bd48a0
   GITLEAKS_CONFIG_COMMITS: "[]" # A list of commits to ignore when running GitLeaks
   GITLEAKS_CONFIG_REGEXES: "[]" # A list of regexes or secrets to ignore when running GitLeaks
+  GITLEAKS_CONFIG_PATHS: "[]" # A list of file paths to ignore when running GitLeaks
+  RUN_DEFAULT_ON_ALL_COMMITS: 'true' # Whether to run GitLeaks from default branch on all git history, or since a certain commit specified below
 
 ###########################################################
 ### DO NOT EDIT BELOW – TEXT IS AUTOMATICALLY GENERATED ###
 ###########################################################
 
 jobs:
-  default:
+  gitleaks:
     runs-on: ubuntu-latest
     steps:
       - name: Check Out Code
         uses: actions/checkout@v2
         with:
           fetch-depth: 0
-      - name: Set GitLeaks Config
+      - name: Set GitLeaks Config File
         run: |
+          curl -H "Accept: application/vnd.github.v3.raw" \
+            -L "https://api.github.com/repos/zricethezav/gitleaks/contents/config/gitleaks.toml?ref=${{ env.GITLEAKS_REF }}" \
+            >> ${{ github.WORKSPACE }}/original.toml
+          sed "/\[allowlist\]/,/^$/d" ${{ github.WORKSPACE }}/original.toml >> ${{ github.WORKSPACE }}/gitleaks.toml
+          echo "[allowlist]" >> ${{ github.WORKSPACE }}/gitleaks.toml
+          echo "commits = ${{ env.GITLEAKS_CONFIG_COMMITS }}" >> ${{ github.WORKSPACE }}/gitleaks.toml
+          echo "regexes = ${{ env.GITLEAKS_CONFIG_REGEXES }}" >> ${{ github.WORKSPACE }}/gitleaks.toml
+          echo "paths = ${{ env.GITLEAKS_CONFIG_PATHS }}" >> ${{ github.WORKSPACE }}/gitleaks.toml
+      - name: Determine GitLeaks Command
+        run: |
+          DEFAULT_BRANCH_COMMIT=$(git log origin/main | head -1 | sed 's/commit //')
+          COMMAND="gitleaks detect --verbose --config='/app/gitleaks.toml' --source='/app'"
           if [[ ${{ github.REF }} == 'refs/heads'* ]]; then # This is a branch, not a pull request
-            CURRENT_COMMIT="${{ github.SHA }}"
+            if [[ ${{ github.SHA }} != $DEFAULT_BRANCH_COMMIT ]]; then # This branch is not the default branch
+              echo "COMMAND=\"${COMMAND} --log-opts='^origin/main ${{ github.SHA }}'\"" >> $GITHUB_ENV
+            else
+              if [[ ${{ env.RUN_DEFAULT_ON_ALL_COMMITS }} == 'true' ]]; then # Running on all commits in git history
+                echo "COMMAND=\"${COMMAND}\"" >> $GITHUB_ENV
+              else
+                echo "COMMAND=\"${COMMAND} --log-opts='${{ env.RUN_DEFAULT_ON_SINCE_COMMIT }}..${{ github.SHA }}'\"" >> $GITHUB_ENV
+              fi
+            fi
           else
-            CURRENT_COMMIT="${{ github.EVENT.PULL_REQUEST.HEAD.SHA }}"
+            echo "COMMAND=\"${COMMAND} --log-opts='^origin/main ${{ github.EVENT.PULL_REQUEST.HEAD.SHA }}'\"" >> $GITHUB_ENV
           fi
-          echo "COMMITS=$(
-            git rev-list $CURRENT_COMMIT ^origin/main | sed 's/^\|$//g' | paste -sd, -
-          )" >> $GITHUB_ENV
-          echo "Title = 'GitLeaks Allowlist'" >> ${{ github.WORKSPACE }}/gitleaks.toml
-          echo "[allowlist]" >> ${{ github.WORKSPACE }}/gitleaks.toml
-          echo "  commits = ${{ env.GITLEAKS_CONFIG_COMMITS }}" >> ${{ github.WORKSPACE }}/gitleaks.toml
-          echo "  regexes = ${{ env.GITLEAKS_CONFIG_REGEXES }}" >> ${{ github.WORKSPACE }}/gitleaks.toml
       - name: GitLeaks
         run: |
-          COMMAND="gitleaks --verbose --additional-config='/app/gitleaks.toml' --path='/app'"
-          if [ ${{ github.REF }} != 'refs/heads/main' ]; then
-            COMMAND="${COMMAND} --commits='${{ env.COMMITS }}'"
-          fi
-          docker pull zricethezav/gitleaks
-          docker run --rm -v $(pwd):/app -i --entrypoint /bin/bash zricethezav/gitleaks -c "$COMMAND"
+          echo "Running: ${{ env.COMMAND }}"
+          docker run --rm -v $(pwd):/app -i --entrypoint /bin/bash zricethezav/gitleaks:${{ env.GITLEAKS_VERSION }} -c ${{ env.COMMAND }}
diff --git a/.github/workflows/rspec.yml b/.github/workflows/rspec.yml
@@ -12,7 +12,7 @@ on:
 ###########################################################
 
 jobs:
-  default:
+  rspec:
     runs-on: ubuntu-latest
     steps:
       - name: Set Branch Variable

diff --git a/.github/workflows/rubocop.yml b/.github/workflows/rubocop.yml
@@ -10,7 +10,7 @@ on:
 ###########################################################
 
 jobs:
-  default:
+  rubocop:
     runs-on: ubuntu-latest
     steps:
       - name: Set Branch Variable

diff --git a/highline_wrapper.gemspec b/highline_wrapper.gemspec
@@ -12,6 +12,7 @@ Gem::Specification.new do |gem|
   gem.homepage              = 'https://github.com/emmahsax/highline_wrapper'
   gem.license               = 'BSD-3-Clause'
   gem.required_ruby_version = '>= 1.9.3'
+  gem.metadata              = { 'rubygems_mfa_required' => 'true' }
 
   gem.executables   = Dir['bin/*'].map { |f| File.basename(f) }
   gem.files         = Dir['lib/highline_wrapper/*.rb'] + Dir['lib/*.rb'] + Dir['bin/*']

diff --git a/lib/highline_wrapper/version.rb b/lib/highline_wrapper/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 class HighlineWrapper
-  VERSION = '1.3.0'
+  VERSION = '1.3.1'
 end