426e9eeabd
Benchmark Bridge Tests / benchmark (bunx @biomejs/biome check packages/lifeops-bench/src, benchmark-lint) (push) Waiting to run
Benchmark Bridge Tests / benchmark (bunx vitest run --config packages/lifeops-bench/vitest.config.ts --root packages/lifeops-bench --passWithNoTests, benchmark-tests) (push) Waiting to run
Build Agent Image / build-and-push (push) Waiting to run
Chat shell gestures / Chat shell gesture + parity e2e (push) Waiting to run
ci / test (push) Waiting to run
ci / lint-and-format (push) Waiting to run
ci / build (push) Waiting to run
ci / dev-startup (push) Waiting to run
Cloud Gateway Discord / Test (push) Waiting to run
Cloud Gateway Webhook / Test (push) Waiting to run
Cloud Tests / lint-and-types (push) Waiting to run
Cloud Tests / unit-tests (push) Waiting to run
Cloud Tests / integration-tests (push) Waiting to run
Cloud Tests / e2e-tests (push) Blocked by required conditions
CodeQL Advanced / Analyze (javascript-typescript) (push) Waiting to run
Deploy Apps Worker (Product 2) / Determine environment (push) Waiting to run
Deploy Apps Worker (Product 2) / Deploy apps worker to apps-control host (${{ needs.determine-env.outputs.environment }}) (push) Blocked by required conditions
Deploy Eliza Provisioning Worker / Determine environment (push) Waiting to run
Deploy Eliza Provisioning Worker / Deploy worker to Hetzner host (${{ needs.determine-env.outputs.environment }} @ ${{ needs.determine-env.outputs.deployment_sha }}) (push) Blocked by required conditions
Dev Smoke / Classify changed paths (push) Waiting to run
Dev Smoke / bun run dev onboarding chat (push) Blocked by required conditions
Dev Smoke / Vite HMR dependency-level smoke (push) Blocked by required conditions
Electrobun Submodule Guard / electrobun gitlink is fetchable (push) Waiting to run
gitleaks / gitleaks (push) Waiting to run
Markdown Links / Relative Markdown Links (push) Waiting to run
Publish @elizaos/example-code / check_npm (push) Waiting to run
Publish @elizaos/example-code / publish_npm (push) Blocked by required conditions
Publish @elizaos/plugin-elizacloud / verify_version (push) Waiting to run
Publish @elizaos/plugin-elizacloud / publish_npm (push) Blocked by required conditions
Quality (Extended) / Homepage Build (PR smoke) (push) Waiting to run
Quality (Extended) / Comment-only diff guard (push) Waiting to run
Quality (Extended) / Format + Type Safety Ratchet (push) Waiting to run
Quality (Extended) / Develop Gate (secret scan + UI determinism) (push) Waiting to run
Quality (Extended) / Develop Gate (lint) (push) Waiting to run
Sandbox Live Smoke / Sandbox live smoke (push) Waiting to run
Snap Build & Test / Build Snap (amd64) (push) Waiting to run
Snap Build & Test / Build Snap (arm64) (push) Waiting to run
supply-chain / sbom (push) Waiting to run
supply-chain / vulnerability-scan (push) Waiting to run
Build, Push & Deploy to Phala Cloud / build-and-push (push) Waiting to run
Test Packaging / Validate Packaging Configs (push) Waiting to run
Test Packaging / PyPI on Python ${{ matrix.python }} (push) Waiting to run
Test Packaging / Pack & Test JS Tarballs (push) Waiting to run
Test Packaging / elizaos CLI global-install smoke (node + bun) (push) Waiting to run
UI Fixture E2E / ui-fixture-e2e (push) Waiting to run
UI Fixture E2E / fixture-e2e (push) Waiting to run
UI Story Gate / story-gate (push) Waiting to run
vault-ci / test (macos-latest) (push) Waiting to run
vault-ci / test (ubuntu-latest) (push) Waiting to run
vault-ci / test (windows-latest) (push) Waiting to run
vault-ci / app-core wiring tests (push) Waiting to run
verify-patches / verify patches/CHECKSUMS.sha256 (push) Waiting to run
Voice Benchmark Smoke / voice-emotion fixture smoke (push) Waiting to run
Voice Benchmark Smoke / voiceagentbench fixture smoke (push) Waiting to run
Voice Benchmark Smoke / voicebench-quality unit smoke (push) Waiting to run
Voice Benchmark Smoke / voicebench TypeScript unit (no audio) (push) Waiting to run
Voice Benchmark Smoke / voice bench smoke summary (push) Blocked by required conditions
Windows CI / windows ([bun run --cwd packages/app-core test bun run --cwd packages/elizaos test bun run --cwd packages/cloud/shared test], app-and-cli) (push) Waiting to run
Windows CI / windows ([bun run --cwd packages/scenario-runner test bun run --cwd packages/vault test bun run --cwd packages/security test bun run --cwd plugins/plugin-coding-tools test], framework-packages) (push) Waiting to run
Windows CI / windows ([bun run --cwd plugins/plugin-elizacloud test bun run --cwd plugins/plugin-discord test bun run --cwd plugins/plugin-anthropic test bun run --cwd plugins/plugin-openai test bun run --cwd plugins/plugin-app-control test bun run --cwd plugins/pl… (push) Waiting to run
Windows CI / windows ([node packages/scripts/run-turbo.mjs run build --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/agent --concurrency=4 node packages/scripts/run-bash-linux-only.mjs scripts/verify-riscv64-buildpaths.sh node packages/scripts/run… (push) Waiting to run
Windows CI / windows ([node packages/scripts/run-turbo.mjs run typecheck --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/cloud-shared --concurrency=4 bun run --cwd packages/core test bun run --cwd packages/shared test], core-runtime, 75) (push) Waiting to run
Test Packaging / Build & Test PyPI Package (push) Waiting to run
Voice Workbench / headless workbench (mocked backends) (push) Has been cancelled
Voice Workbench / real acoustic lane (nightly, provisioned only) (push) Has been cancelled
118 lines
5.5 KiB
YAML
118 lines
5.5 KiB
YAML
name: gitleaks
|
|
|
|
# SOC2 CC7.1 — automated secret scanning on every PR and push to protected
|
|
# branches. Fails the run on any finding. Configuration: .gitleaks.toml at
|
|
# repo root.
|
|
|
|
on:
|
|
pull_request:
|
|
branches: ["main", "develop"]
|
|
push:
|
|
branches: ["main", "develop"]
|
|
|
|
# cancel superseded in-flight runs for the same PR to free hosted-runner
|
|
# capacity. only cancels pull_request runs; push runs on protected branches
|
|
# (main/develop) are never cancelled mid-flight.
|
|
# CI fan-out fix: the PR-scoped concurrency from #14069 fell back to
|
|
# github.run_id on push, so every develop push got a unique group and
|
|
# nothing ever superseded. A 37-merge wave queued thousands of push runs
|
|
# and starved the self-hosted fleet. Fall back to github.ref (all develop
|
|
# pushes share a group) and cancel superseded runs on push too. PR behavior
|
|
# is unchanged (pull_request.number still wins the key); merge_group and
|
|
# schedule events are not in the cancel set, so the merge queue and nightly
|
|
# runs always complete.
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
|
|
cancel-in-progress: ${{ github.event_name == 'pull_request' || github.event_name == 'push' }}
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
gitleaks:
|
|
name: gitleaks
|
|
runs-on: ${{ fromJSON(vars.HETZNER_FLEET_ONLINE == 'false' && '["ubuntu-24.04"]' || '["self-hosted","hetzner-robot"]') }}
|
|
steps:
|
|
- name: Checkout
|
|
# actions/checkout@v4
|
|
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
|
|
with:
|
|
# Full history so gitleaks can scan the diff range on PRs.
|
|
fetch-depth: 0
|
|
|
|
- name: Install gitleaks (OSS binary — no license required)
|
|
# gitleaks/gitleaks-action@v2 requires a paid license for org repos.
|
|
# We download the OSS CLI directly so the scan remains free and
|
|
# honors our .gitleaks.toml allowlist + custom rules.
|
|
run: |
|
|
set -euo pipefail
|
|
GITLEAKS_VERSION=8.30.1
|
|
curl -sSL -o /tmp/gitleaks.tar.gz \
|
|
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
|
|
tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
|
|
# Install without sudo so this works on any runner (github-hosted or
|
|
# self-hosted, which has no passwordless sudo): write to a user-writable
|
|
# dir and add it to PATH for the run step, not `sudo install /usr/local/bin`.
|
|
mkdir -p "$HOME/.local/bin"
|
|
install -m 0755 /tmp/gitleaks "$HOME/.local/bin/gitleaks"
|
|
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
|
|
"$HOME/.local/bin/gitleaks" version
|
|
|
|
- name: Run gitleaks
|
|
env:
|
|
EVENT_NAME: ${{ github.event_name }}
|
|
PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
|
|
PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
|
|
BEFORE_SHA: ${{ github.event.before }}
|
|
CURRENT_SHA: ${{ github.sha }}
|
|
run: |
|
|
set -euo pipefail
|
|
RANGE_ARGS=()
|
|
if [[ "$EVENT_NAME" == "pull_request" ]]; then
|
|
RANGE_ARGS=(--log-opts "${PR_BASE_SHA}..${PR_HEAD_SHA}")
|
|
elif [[ -n "$BEFORE_SHA" && "$BEFORE_SHA" != "0000000000000000000000000000000000000000" ]]; then
|
|
RANGE_ARGS=(--log-opts "${BEFORE_SHA}..${CURRENT_SHA}")
|
|
elif ! git rev-parse -q --verify "${CURRENT_SHA}^" >/dev/null 2>&1; then
|
|
# Orphan/root tip commit: a squashed "clean baseline" release cut with
|
|
# no parent (the release process resets main/develop to a fresh root
|
|
# commit). `-1 <sha>` would diff it against the empty tree and re-flag
|
|
# every token-like string in the entire monorepo — generated docs
|
|
# dumps, benchmark fixtures, public chain addresses — the same
|
|
# full-history re-scan the tip-commit branch below exists to avoid, in
|
|
# its degenerate form. The baseline's content is a squash of develop
|
|
# commits each already scanned incrementally on their PR/push, so a
|
|
# full re-scan adds no coverage and only produces false-positive noise.
|
|
echo "gitleaks: tip ${CURRENT_SHA} is an orphan/root baseline commit (no parent);"
|
|
echo "its content was already scanned incrementally on develop. Skipping full-tree re-scan."
|
|
exit 0
|
|
else
|
|
# Push with no usable before-SHA (force-push, branch (re)creation, or
|
|
# an unknown range — common on main when it is reset/force-pushed).
|
|
# Scan only the tip commit, NOT the whole history: a full-history
|
|
# scan re-flags long-known historical artifacts (e.g. token-like
|
|
# strings inside vendored *.patch blobs) on every such push and costs
|
|
# ~8 min / 3 GB. New content still gets scanned via the PR range and
|
|
# this tip-commit scan; history is audited by the scheduled deep scan.
|
|
RANGE_ARGS=(--log-opts "-1 ${CURRENT_SHA}")
|
|
fi
|
|
|
|
gitleaks detect \
|
|
--config .gitleaks.toml \
|
|
--source . \
|
|
--verbose \
|
|
--redact \
|
|
--report-format sarif \
|
|
--report-path gitleaks.sarif \
|
|
--no-banner \
|
|
"${RANGE_ARGS[@]}"
|
|
|
|
- name: Upload SARIF
|
|
if: always()
|
|
# actions/upload-artifact@v7
|
|
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
|
|
with:
|
|
name: gitleaks-sarif
|
|
path: gitleaks.sarif
|
|
if-no-files-found: ignore
|
|
retention-days: 7
|