chore(deps): bump actions/cache from 4 to 5 #28
| name: π Pre-merge Validators | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| jobs: | |
| validate-yaml: | |
| name: β Workflow YAML | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: π₯ Checkout | |
| uses: actions/checkout@v4 | |
| - name: π οΈ Install YAML tooling | |
| run: | | |
| python3 -m pip install --upgrade pip | |
| python3 -m pip install --quiet pyyaml | |
| - name: π Validate workflows and actions | |
| run: | | |
| echo "π Validating workflow YAML files..." | |
| find .github/workflows -name '*.yml' -o -name '*.yaml' | | |
| while read -r file; do | |
| echo "Validating $file" | |
| python3 -c "import yaml; yaml.safe_load(open('$file'))" | |
| done | |
| echo "π Validating composite action YAML files..." | |
| find .github/actions -maxdepth 2 -name 'action.yml' | | |
| while read -r file; do | |
| echo "Validating $file" | |
| python3 -c "import yaml; yaml.safe_load(open('$file'))" | |
| done | |
| scan-secrets: | |
| name: π« Hardcoded Secrets | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: π₯ Checkout | |
| uses: actions/checkout@v4 | |
| - name: π Scan for potential hardcoded secrets | |
| run: | | |
| echo "π Scanning for potential secrets..." | |
| SCAN_RESULTS=$(grep -R -n -i -E "(password|secret|token)[[:space:]]*[:=][[:space:]]*[^[:space:]\$]" .github/workflows/ .github/actions/ 2>/dev/null || true) | |
| FILTERED_RESULTS=$(echo "$SCAN_RESULTS" | | |
| grep -vi -E '^[[:space:]]*#' | | |
| grep -vi -E '\\b(description|example|placeholder)\\b' | | |
| grep -vi -E 'hashfiles\(|github\\.token|GITHUB_TOKEN|SLACK_WEBHOOK_URL|AWS_(ACCESS|SECRET)_KEY|SNYK_TOKEN|AZURE_CREDENTIALS|KUBECONFIG' | | |
| grep -vi -E 'id-token:[[:space:]]+write' | | |
| grep -vi -E 'server-password:[[:space:]]+MAVEN_PASSWORD' | | |
| grep -vi -E 'SCAN_RESULTS=|FILTERED_RESULTS=|grep -vi -E' | | |
| grep -vi -E '^$' || true) | |
| if [ -n "$FILTERED_RESULTS" ]; then | |
| echo "β οΈ Potential secrets found in workflow files" | |
| echo "$FILTERED_RESULTS" | |
| exit 1 | |
| else | |
| echo "β No hardcoded secrets found" | |
| fi | |
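Review bot: The exclusion filters in the scan-secrets step (the two `grep -vi -E` lines after `FILTERED_RESULTS=`) spell the word-boundary and dot escapes as `\\b` and `github\\.token` inside single quotes, so grep -E receives two backslashes and matches a literal backslash rather than a boundary or a dot; if the file really holds doubled backslashes and this is not a rendering artifact, the description/example/placeholder and github.token exclusions never fire and those lines surface as false positives. The fix is to write `grep -vi -E '\b(description|example|placeholder)\b' |` and `github\.token` (single backslash), as the earlier `hashfiles\(` and `\$` escapes already do. Since this PR is about action versions, both `uses: actions/checkout@v4` lines still float on a tag; pinning them to a full commit SHA with the version in a trailing comment is the usual supply-chain hardening for a validator workflow. The scan-secrets run block is fully visible here, but the file may continue past the last line shown.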