Skip to content

Create main.yml #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Pay201 merged 1 commit into from
Jan 14, 2026
Merged

Create main.yml #1

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions .github/workflows/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
on: push

jobs:
secret-generator:
runs-on: ubuntu-latest
outputs:
handle: ${{ steps.generate-secret.outputs.handle }}
steps:
- uses: some/secret-store@27b31702a0e7fc50959f5ad993c78deac1bdfc29
with:
credentials: ${{ secrets.SECRET_STORE_CREDENTIALS }}
instance: ${{ secrets.SECRET_STORE_INSTANCE }}
- name: generate secret
id: generate-secret
shell: bash
run: |
GENERATED_SECRET=$((RANDOM))
Copy link

@sourcery-ai sourcery-ai bot Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 suggestion (security): Use a stronger source of randomness for generated secrets

$RANDOM has only 0–32767 possible values and is not cryptographically secure. If this is used as a secret/token, please switch to a higher‑entropy, crypto‑secure source (e.g., head -c 32 /dev/urandom | base64 or openssl rand -hex 32) to avoid predictability.

Suggested change
GENERATED_SECRET=$((RANDOM))
GENERATED_SECRET="$(openssl rand -hex 32)"

echo "::add-mask::$GENERATED_SECRET"
SECRET_HANDLE=$(secret-store store-secret "$GENERATED_SECRET")
echo "handle=$SECRET_HANDLE" >> "$GITHUB_OUTPUT"
secret-consumer:
runs-on: macos-latest
needs: secret-generator
steps:
- uses: some/secret-store@27b31702a0e7fc50959f5ad993c78deac1bdfc29
with:
credentials: ${{ secrets.SECRET_STORE_CREDENTIALS }}
instance: ${{ secrets.SECRET_STORE_INSTANCE }}
- name: use secret
shell: bash
run: |
SECRET_HANDLE="${{ needs.secret-generator.outputs.handle }}"
RETRIEVED_SECRET=$(secret-store retrieve-secret "$SECRET_HANDLE")
echo "::add-mask::$RETRIEVED_SECRET"
echo "We retrieved our masked secret: $RETRIEVED_SECRET"
Comment on lines +32 to +35
Copy link

@sourcery-ai sourcery-ai bot Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 suggestion (security): Avoid echoing secrets even when masked in logs

Even with masking, it’s safer not to print secrets at all, as masking can fail in edge cases (e.g., partial matches, formatting). If this is only for debugging, consider removing the echo or guarding it behind a debug flag.

Suggested change
SECRET_HANDLE="${{ needs.secret-generator.outputs.handle }}"
RETRIEVED_SECRET=$(secret-store retrieve-secret "$SECRET_HANDLE")
echo "::add-mask::$RETRIEVED_SECRET"
echo "We retrieved our masked secret: $RETRIEVED_SECRET"
SECRET_HANDLE="${{ needs.secret-generator.outputs.handle }}"
RETRIEVED_SECRET=$(secret-store retrieve-secret "$SECRET_HANDLE")
echo "::add-mask::$RETRIEVED_SECRET"

concurrency:
Copy link

@sourcery-ai sourcery-ai bot Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue (bug_risk): Fix the empty concurrency configuration to avoid workflow parse/runtime issues

concurrency: is currently empty, which produces invalid or unintended workflow YAML. If you want concurrency controls, specify a group (and optionally cancel-in-progress), for example:

group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

If not using concurrency, remove the concurrency: key to avoid misconfiguration.