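---
# Secret-scanning gate for pull requests.
# Runs detect-secrets over the checked-out tree and compares the result with
# the committed, audited baseline (.secrets.baseline).
name: Security Scan

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches: [main, master]

# Least privilege: the job only reads the checked-out tree, so the workflow
# token is restricted to read access on repository contents.
permissions:
  contents: read

jobs:
  secrets:
    name: Detect Secrets
    runs-on: ubuntu-latest
    steps:
      # Major-version tags can be re-pointed upstream; pinning third-party
      # actions to a full commit SHA (e.g. `actions/checkout@<commit-sha>  # v4`)
      # is the stronger supply-chain control.
      - uses: actions/checkout@v4

      # NOTE(review): no step in this job invokes Node.js; drop this step if
      # nothing else depends on it.
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      # The version is pinned so scan results do not shift when a newer
      # detect-secrets release changes its plugins or heuristics.
      - name: Install detect-secrets
        run: |
          python -m pip install --upgrade pip
          python -m pip install detect-secrets==1.5.0

      # --exclude-files: build output, vendored dependencies and the scanner's
      #   own config are not scanned.
      # --exclude-lines: every line matching one of these patterns is skipped
      #   entirely, including a line that carries a literal credential after
      #   `apiKey:` or `botToken:`. Keep this list as narrow as possible and
      #   prefer recording reviewed findings in the audited baseline instead.
      # NOTE(review): `detect-secrets scan --baseline` rewrites the baseline
      #   and, to my knowledge, exits non-zero only on runtime errors rather
      #   than on newly found candidates; the documented CI gate is
      #   `detect-secrets-hook --baseline .secrets.baseline $(git ls-files)`.
      #   Confirm against the pinned 1.5.0 behaviour before switching.
      - name: Detect secrets
        run: |
          if ! python -m detect_secrets scan --baseline .secrets.baseline \
              --exclude-files "(^|/)(dist/|node_modules/|package-lock\.json$|\.detect-secrets\.cfg$)" \
              --exclude-lines "AI_API_KEY=|OPENROUTER_API_KEY=|CLAUDE_MODEL=|GEMINI_MODEL=|apiKey:|botToken:|apiKeyEnv:|\"apiKeyEnv\"|=== \"string\""; then
            echo "::error::Secret scanning failed. Run 'python -m detect_secrets audit .secrets.baseline' to review findings."
            exit 1
          fi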