Do not hardcode the default branch for linter (#218) #1098
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: gitleaks 💧 | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| - ready_for_review | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| workflow_call: | |
| inputs: | |
| additional-args: | |
| description: Additional arguments to pass to 'gitleaks detect' | |
| required: false | |
| type: string | |
| default: "" | |
| check-for-pii: | |
| description: Check for any instances of PII data in the repository | |
| required: false | |
| type: boolean | |
| default: false | |
| concurrency: | |
| group: gitleaks-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| gitleaks: | |
| name: gitleaks 💧 | |
| runs-on: ubuntu-latest | |
| if: > | |
| !contains(github.event.commits[0].message, '[skip gitleaks]') | |
| && github.event.pull_request.draft == false | |
| steps: | |
| - name: Checkout repo 🛎 | |
| uses: actions/checkout@v4 | |
| - name: Download and install gitleaks 💧 | |
| run: | | |
| cd /tmp | |
| sudo wget -q \ | |
| "https://github.com/zricethezav/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \ | |
| -O gitleaks.tar.gz || \ | |
| (echo "Error downloading gitleaks ${GITLEAKS_VERSION} tarball" && exit 1) | |
| sudo tar -xvzf gitleaks.tar.gz || \ | |
| (echo "Error unarchiving gitleaks ${GITLEAKS_VERSION} tarball" && exit 1) | |
| sudo mv gitleaks /usr/bin/. || \ | |
| (echo "Error moving gitleaks for /usr/bin" && exit 1) | |
| shell: bash | |
| env: | |
| GITLEAKS_VERSION: "8.18.1" | |
| - name: Run gitleaks ☔ | |
| run: gitleaks -v detect --no-git ${{ inputs.additional-args }} --source . | |
| shell: bash | |
| pii-check: | |
| name: PII Check 💳 | |
| runs-on: ubuntu-latest | |
| if: > | |
| !contains(github.event.commits[0].message, '[skip pii-check]') | |
| && github.event.pull_request.draft == false | |
| && inputs.check-for-pii == true | |
| steps: | |
| - name: Checkout repo 🛎 | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run Presidio to check for PII ☔ | |
| uses: insightsengineering/presidio-action@v1 | |
| with: | |
| configuration-data: | | |
| threshold: 0.95 | |
| ignore: | | |
| .git | |
| **/*.svg | |
| **/*.png | |
| **/*.rds | |
| **/*.rda | |
| **/*.jpg | |
| **/*.gif | |
| .gitlab-ci.yml | |
| .Rbuildignore | |
| _pkgdown.yml | |
| inst/WORDLIST | |
| **/*.RData | |
| **/*.xlsx | |
| output: "github" | |
| only-changed-files: true |