From 7e4aad7e8336601488d7c6dfaacf9c88006ffd3a Mon Sep 17 00:00:00 2001
From: Guilherme Branco Stracini <guilherme@guilhermebranco.com.br>
Date: Sat, 3 Aug 2024 00:52:42 +0100
Subject: [PATCH] Create infisical-secrets-check.yml (#8)

---
 .github/workflows/infisical-secrets-check.yml | 112 ++++++++++++++++++
 1 file changed, 112 insertions(+)
 create mode 100644 .github/workflows/infisical-secrets-check.yml

diff --git a/.github/workflows/infisical-secrets-check.yml b/.github/workflows/infisical-secrets-check.yml
new file mode 100644
index 0000000..0c2c148
--- /dev/null
+++ b/.github/workflows/infisical-secrets-check.yml
@@ -0,0 +1,112 @@
+name: Infisical secrets check
+
+on:
+  workflow_dispatch:
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  
+  secrets-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set Infisical package source
+        shell: bash
+        run: curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
+      
+      - name: Install tools
+        shell: bash
+        run: | 
+          sudo apt-get update && sudo apt-get install -y infisical
+          pip install csvkit
+          npm install -g csv-to-markdown-table
+      
+      - name: Run scan
+        shell: bash
+        run: infisical scan --redact -f csv -r secrets-result-raw.csv 2>&1 | tee >(sed -r 's/\x1b\[[0-9;]*m//g' >secrets-result.log)
+
+      - name: Generate report
+        shell: bash
+        if: failure()
+        run: |
+          if [[ -s secrets-result-raw.csv ]]; then
+            csvformat -M $'\r' secrets-result-raw.csv | sed -e ':a' -e 'N;$!ba' -e 's/\n/\\n/g' | tr '\r' '\n' | head -n 11 >secrets-result.csv
+            csv-to-markdown-table --delim , --headers <secrets-result.csv >secrets-result.md
+          fi
+
+      - name: Upload artifacts secrets-result.log
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: report-log
+          path: secrets-result.log
+
+      - name: Upload artifacts secrets-result.csv
+        uses: actions/upload-artifact@v4
+        if: failure()
+        with:
+          name: report-csv
+          path: secrets-result.csv
+
+      - name: Upload artifacts secrets-result.md
+        uses: actions/upload-artifact@v4
+        if: failure()
+        with:
+          name: report-md
+          path: secrets-result.md
+
+      - name: Read secrets-result.log
+        uses: guibranco/github-file-reader-action-v2@v2.2.620
+        if: always()
+        id: log
+        with:
+         path: secrets-result.log
+
+      - name: Read secrets-result.md
+        uses: guibranco/github-file-reader-action-v2@v2.2.620
+        if: failure()
+        id: report
+        with:
+         path: secrets-result.md
+
+      - name: Update PR with comment
+        uses: mshick/add-pr-comment@v2
+        if: always()
+        with:
+          refresh-message-position: true
+          message-id: 'secrets-result'
+          message: |
+            **Infisical secrets check:** :white_check_mark: No secrets leaked!
+
+            **Scan results:**
+            ```
+            ${{ steps.log.outputs.contents }}
+            ```
+          message-failure: |
+            **Infisical secrets check:** :rotating_light: Secrets leaked!     
+            
+            **Scan results:**
+            ```
+            ${{ steps.log.outputs.contents }}
+            ```
+
+            <details>
+              <summary>🔎 Detected secrets in your GIT history</summary>
+            
+              ${{ steps.report.outputs.contents }}
+            
+            </details>
+          message-cancelled: |
+            **Infisical secrets check:** :o: Secrets check cancelled!