From 2743a9d143ffe9a114b107918b70d1f46dda1e30 Mon Sep 17 00:00:00 2001 From: Jo Date: Sat, 31 May 2025 18:41:38 +0200 Subject: [PATCH 1/5] =?UTF-8?q?=F0=9F=91=B7=20Add=20leakage=20check=20CI?= =?UTF-8?q?=20action?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/check-leaks.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .github/workflows/check-leaks.yml diff --git a/.github/workflows/check-leaks.yml b/.github/workflows/check-leaks.yml new file mode 100644 index 0000000..1d466df --- /dev/null +++ b/.github/workflows/check-leaks.yml @@ -0,0 +1,22 @@ +name: "Trufflehog: check for exposed secrets" + +on: + pull_request: + push: + paths: + - "**.nix" + - ".github/workflows/check-leaks.yml" + +jobs: + deadnix: + name: Run trufflehog + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.ref_name }} + persist-credentials: false + + - name: TruffleHog scan + uses: trufflesecurity/trufflehog@v3.88 From 02bf31fa25ce7d393bebb4ee5c70730d02b61d39 Mon Sep 17 00:00:00 2001 From: Jo Date: Sat, 31 May 2025 18:47:04 +0200 Subject: [PATCH 2/5] =?UTF-8?q?=F0=9F=91=B7=20Update=20CI=20actions=20to?= =?UTF-8?q?=20use=20Lix=20and=20fix=20trufflehog=20version?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/build.yml | 34 ------------------------------- .github/workflows/check-leaks.yml | 2 +- .github/workflows/deadnix.yml | 12 +++++++++-- .github/workflows/validate.yml | 7 ++----- 4 files changed, 13 insertions(+), 42 deletions(-) delete mode 100644 .github/workflows/build.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml deleted file mode 100644 index 6ee53fd..0000000 --- a/.github/workflows/build.yml +++ /dev/null 
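Review bot: The job key `deadnix:` under `jobs:` in the new check-leaks.yml identifies a trufflehog job (its `name:` is "Run trufflehog"), which reads like a copy-paste from deadnix.yml and is the id that will appear in required-status-check settings; rename it, e.g. `trufflehog:`. The checkout step pins `ref: ${{ github.ref_name }}` while the workflow also triggers on `pull_request`, where `github.ref_name` is the `<pr_number>/merge` form rather than a branch name, so that checkout is likely to fail or scan something other than the PR head; dropping the `ref:` line lets actions/checkout use the triggering event's SHA for both triggers. The trufflehog step has no `with:` block, so what range it scans on a default shallow checkout is left to the action's defaults and is not visible here.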
@@ -1,34 +0,0 @@ -name: "Nix: build and cache outputs" - -on: - workflow_dispatch: - push: - paths: - - "**.nix" - - "**.lock" - - ".github/workflows/build.yml" - -jobs: - build-flake: - name: Build (x86_64-linux) - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - ref: ${{ github.ref_name }} - persist-credentials: false - - - name: Install Lix - uses: ./.github/actions/install-lix - - - name: Setup Attic cache - uses: ryanccn/attic-action@v0.3.2 - with: - endpoint: https://cache.thevoid.cafe - cache: puzzlevision - token: ${{ secrets.ATTIC_TOKEN }} - - - name: Build flake - run: nix build .#nixosConfigurations.puzzlevision.config.system.build.toplevel --accept-flake-config diff --git a/.github/workflows/check-leaks.yml b/.github/workflows/check-leaks.yml index 1d466df..1eb00c0 100644 --- a/.github/workflows/check-leaks.yml +++ b/.github/workflows/check-leaks.yml @@ -19,4 +19,4 @@ jobs: persist-credentials: false - name: TruffleHog scan - uses: trufflesecurity/trufflehog@v3.88 + uses: trufflesecurity/trufflehog@v3.88.35 diff --git a/.github/workflows/deadnix.yml b/.github/workflows/deadnix.yml index d80f744..23f0b46 100644 --- a/.github/workflows/deadnix.yml +++ b/.github/workflows/deadnix.yml @@ -12,9 +12,17 @@ jobs: name: Run deadnix runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v25 + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.ref_name }} + persist-credentials: false + + - name: Install lix + uses: ./.github/actions/install-lix + - uses: cachix/cachix-action@v14 with: name: deadnix + - uses: phucleeuwu/deadnix-action@v1 diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 9fdb6e6..4f3e1b3 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -6,7 +6,7 @@ on: paths: - "**.nix" - "**.lock" - - ".github/workflows/**.yml" + - ".github/workflows/validate.yml" jobs: check-flake: 
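Review bot: The third-party actions in the deadnix.yml hunk are pinned to mutable tags (`cachix/cachix-action@v14`, `phucleeuwu/deadnix-action@v1`), as are `actions/checkout@v4` and `trufflesecurity/trufflehog@v3.88` in the check-leaks.yml hunk of the first patch; a tag can be moved to different code after review, so pin each to a full commit SHA and record the version in a trailing comment, e.g. `uses: phucleeuwu/deadnix-action@<commit-sha>  # v1`. The `cachix/cachix-action@v14` step with only `name: deadnix` is kept while the installer switches from `cachix/install-nix-action` to the local `./.github/actions/install-lix`; whether that step still works against a Lix install, or is needed at all now that `deadnix-action` runs the check, is not visible in the hunk and is worth confirming. The step is named `Install lix` here while the deleted build.yml used `Install Lix`; pick one spelling across the workflows.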
@@ -21,10 +21,7 @@ jobs: persist-credentials: false - name: Install Nix - uses: DeterminateSystems/nix-installer-action@main - with: - extra-conf: | - experimental-features = flakes nix-command recursive-nix pipe-operator + uses: ./.github/actions/install-lix - name: Validate Flake run: nix flake check From 86a6674214fcf850193429d748d0e7289b68af6a Mon Sep 17 00:00:00 2001 From: Jo Date: Sat, 31 May 2025 18:55:12 +0200 Subject: [PATCH 3/5] =?UTF-8?q?=F0=9F=91=B7=20More=20accurate=20trufflehog?= =?UTF-8?q?=20scan=20configuration?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/check-leaks.yml | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/.github/workflows/check-leaks.yml b/.github/workflows/check-leaks.yml index 1eb00c0..e064e26 100644 --- a/.github/workflows/check-leaks.yml +++ b/.github/workflows/check-leaks.yml @@ -7,6 +7,12 @@ on: - "**.nix" - ".github/workflows/check-leaks.yml" +permissions: + contents: read + id-token: write + issues: write + pull-requests: write + jobs: deadnix: name: Run trufflehog @@ -16,7 +22,18 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.ref_name }} - persist-credentials: false + fetch-depth: 0 - - name: TruffleHog scan - uses: trufflesecurity/trufflehog@v3.88.35 + - id: trufflehog + name: TruffleHog scan + uses: trufflesecurity/trufflehog@add-actions-cli-switch + continue-on-error: true + with: + path: ./ + base: "${{ github.event.repository.default_branch }}" + head: HEAD + extra_args: --debug --only-verified + + - name: Scan Results Status + if: steps.trufflehog.outcome == 'failure' + run: exit 1 From faf643f506723d11cab5b5e21af2dd6dfc0622d6 Mon Sep 17 00:00:00 2001 
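Review bot: Replacing the DeterminateSystems installer with `./.github/actions/install-lix` also drops the `extra-conf` line that enabled `experimental-features = flakes nix-command recursive-nix pipe-operator`; unless the local action enables the same features (not visible in this hunk), the `nix flake check` step that follows will reject `nix flake` itself and any `|>` usage, so confirm install-lix sets them or pass them explicitly via the `NIX_CONFIG` environment variable on the step. The step is still named `Install Nix` although it now installs Lix, while the deadnix.yml hunk in the same commit calls the same action `Install lix`; align the names. The check-flake job this step belongs to starts outside the hunk.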
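Review bot: The new workflow-level `permissions:` block grants `id-token: write`, `issues: write` and `pull-requests: write`, but no step in check-leaks.yml is shown using an OIDC token or writing to issues or pull requests — the trufflehog step only scans and the final step runs `exit 1` — so the token handed to every step, including the third-party action, is broader than the job needs. Reduce the block to `permissions:` with `contents: read` only, and add a write scope back only when a specific step is shown to require it. Declaring the block on the job rather than at workflow level also keeps any job added later from silently inheriting the write grants.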
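Review bot: Swapping `persist-credentials: false` for `fetch-depth: 0` in the checkout step leaves the job's `GITHUB_TOKEN` in `.git/config` for the rest of the job, where the third-party trufflehog step that follows can read it; the two options are independent, so keep both lines: `fetch-depth: 0` and `persist-credentials: false`. That step also references the action by branch name, `trufflesecurity/trufflehog@add-actions-cli-switch`, a mutable ref that executes with whatever permissions the workflow grants; pin to a full commit SHA rather than a branch or tag. `--debug` in `extra_args` may print more detail about matched content into the job log than a secrets check should, so drop it once the configuration is settled.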
From: Jo Date: Sat, 31 May 2025 18:56:12 +0200 Subject: [PATCH 4/5] =?UTF-8?q?=F0=9F=91=B7=20Fix=20version=20again?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/check-leaks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check-leaks.yml b/.github/workflows/check-leaks.yml index e064e26..7cdb48c 100644 --- a/.github/workflows/check-leaks.yml +++ b/.github/workflows/check-leaks.yml @@ -26,7 +26,7 @@ jobs: - id: trufflehog name: TruffleHog scan - uses: trufflesecurity/trufflehog@add-actions-cli-switch + uses: trufflesecurity/trufflehog@v3.88.35 continue-on-error: true with: path: ./ From 459a0427c31420b5ffb04e32aea0b975b91b8ac8 Mon Sep 17 00:00:00 2001 From: Jo Date: Sat, 31 May 2025 18:57:46 +0200 Subject: [PATCH 5/5] =?UTF-8?q?=F0=9F=91=B7=20Remove=20trufflehog=20head?= =?UTF-8?q?=20declaration?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/check-leaks.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/check-leaks.yml b/.github/workflows/check-leaks.yml index 7cdb48c..72bbc91 100644 --- a/.github/workflows/check-leaks.yml +++ b/.github/workflows/check-leaks.yml @@ -26,12 +26,11 @@ jobs: - id: trufflehog name: TruffleHog scan - uses: trufflesecurity/trufflehog@v3.88.35 + uses: trufflesecurity/trufflehog@main continue-on-error: true with: path: ./ base: "${{ github.event.repository.default_branch }}" - head: HEAD extra_args: --debug --only-verified - name: Scan Results Status