ci: ignore known historical gitleaks fingerprints in protocol #33
| name: "Consent Protocol CI" | |
| on: | |
| push: | |
| branches: ["**"] | |
| pull_request: | |
| branches: ["**"] | |
| merge_group: | |
| branches: [main] | |
| workflow_dispatch: {} | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ci-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| PYTHON_VERSION: "3.13" | |
| GITLEAKS_VERSION: "8.24.2" | |
| jobs: | |
| # ============================================================================ | |
| # Secret scan: gitleaks OSS CLI (license-free) | |
| # ============================================================================ | |
| secret-scan: | |
| name: "Secret Scan" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install gitleaks OSS CLI (license-free) | |
| run: | | |
| curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${{ env.GITLEAKS_VERSION }}/gitleaks_${{ env.GITLEAKS_VERSION }}_linux_x64.tar.gz" \ | |
| | tar -xz | |
| sudo mv gitleaks /usr/local/bin/gitleaks | |
| gitleaks version | |
| - name: Resolve scan commit range | |
| id: scan-range | |
| shell: bash | |
| run: | | |
| if [ "${{ github.event_name }}" = "pull_request" ]; then | |
| LOG_OPTS="--ancestry-path ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}" | |
| elif [ "${{ github.event_name }}" = "push" ] && [ "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]; then | |
| if git merge-base --is-ancestor "${{ github.event.before }}" "${{ github.sha }}"; then | |
| LOG_OPTS="--ancestry-path ${{ github.event.before }}..${{ github.sha }}" | |
| else | |
| # Force-push/history-rewrite event: before SHA is no longer ancestor. | |
| LOG_OPTS="${{ github.sha }}" | |
| fi | |
| elif [ "${{ github.event_name }}" = "push" ]; then | |
| DEFAULT_BRANCH="${{ github.event.repository.default_branch }}" | |
| git fetch origin "$DEFAULT_BRANCH" --quiet || true | |
| if git rev-parse "origin/$DEFAULT_BRANCH" >/dev/null 2>&1; then | |
| LOG_OPTS="--ancestry-path origin/$DEFAULT_BRANCH..${{ github.sha }}" | |
| else | |
| LOG_OPTS="${{ github.sha }}" | |
| fi | |
| else | |
| LOG_OPTS="${{ github.sha }}" | |
| fi | |
| echo "log_opts=$LOG_OPTS" >> "$GITHUB_OUTPUT" | |
| - name: Run gitleaks scan | |
| run: gitleaks git --redact --no-banner --exit-code 1 --log-opts="${{ steps.scan-range.outputs.log_opts }}" | |
| # ============================================================================ | |
| # Backend checks (single source of truth script) | |
| # ============================================================================ | |
| backend-check: | |
| name: "Backend Check" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| cache: "pip" | |
| cache-dependency-path: requirements.txt | |
| - name: Run backend check script | |
| run: bash scripts/ci/backend-check.sh | |
| env: | |
| TESTING: "true" | |
| SECRET_KEY: "test_secret_key_for_ci_only_32chars_min" | |
| VAULT_ENCRYPTION_KEY: "0000000000000000000000000000000000000000000000000000000000000000" | |
| MCP_DEVELOPER_TOKEN: "test_mcp_developer_token_for_ci" | |
| ci-status: | |
| name: "CI Status Gate" | |
| needs: | |
| - secret-scan | |
| - backend-check | |
| if: always() | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| steps: | |
| - name: Validate job outcomes | |
| shell: bash | |
| run: | | |
| SECRET_SCAN="${{ needs['secret-scan'].result }}" | |
| BACKEND_CHECK="${{ needs['backend-check'].result }}" | |
| printf 'secret-scan=%s\n' "$SECRET_SCAN" | |
| printf 'backend-check=%s\n' "$BACKEND_CHECK" | |
| fail=0 | |
| for result in "$SECRET_SCAN" "$BACKEND_CHECK"; do | |
| if [ "$result" = "failure" ] || [ "$result" = "cancelled" ] || [ "$result" = "timed_out" ]; then | |
| fail=1 | |
| fi | |
| done | |
| if [ "$fail" -ne 0 ]; then | |
| echo "One or more CI jobs failed." | |
| exit 1 | |
| fi | |
| echo "All required CI jobs passed." |
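Review bot: The gitleaks install step (the `curl ... | tar -xz` pipeline under `Install gitleaks OSS CLI`) pins the version but never verifies the downloaded archive, so a substituted or tampered release asset would be executed against the repository contents with the job's token. Download the tarball to a file, check it against a pinned SHA-256 kept next to `GITLEAKS_VERSION` in `env`, and only then extract; `curl -f` additionally stops a non-200 body from being piped into tar. The same reasoning applies to `actions/checkout@v4` and `actions/setup-python@v5`, which are pinned by mutable tag rather than by commit SHA. Separately, the commit title speaks of ignoring historical fingerprints, yet nothing in the workflow references a baseline or ignore list, so presumably gitleaks is expected to pick up a repository-root `.gitleaksignore` on its own — a comment on the `Run gitleaks scan` step such as `# Known historical findings are suppressed via .gitleaksignore at the repo root` would spare the next reader a search.
```yaml
env:
  PYTHON_VERSION: "3.13"
  GITLEAKS_VERSION: "8.24.2"
  # Pinned digest of gitleaks_<GITLEAKS_VERSION>_linux_x64.tar.gz from the release page.
  GITLEAKS_SHA256: "<SHA256_OF_RELEASE_TARBALL_PLACEHOLDER>"
# … unchanged: jobs header, secret-scan job metadata, checkout step …
      - name: Install gitleaks OSS CLI (license-free)
        shell: bash
        run: |
          set -euo pipefail
          ARCHIVE="gitleaks_${{ env.GITLEAKS_VERSION }}_linux_x64.tar.gz"
          curl -fsSL -o "$ARCHIVE" \
            "https://github.com/gitleaks/gitleaks/releases/download/v${{ env.GITLEAKS_VERSION }}/$ARCHIVE"
          # Refuse to install anything whose digest does not match the pinned value.
          echo "${{ env.GITLEAKS_SHA256 }}  $ARCHIVE" | sha256sum -c -
          tar -xzf "$ARCHIVE" gitleaks
          sudo mv gitleaks /usr/local/bin/gitleaks
          gitleaks version
# … unchanged: scan-range step, Run gitleaks scan step, remaining jobs …
```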