[codex] Run dependency review only for pull requests #12
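---
# Secret scanning workflow using gitleaks
# Detects secrets committed to the repository and fails the build
#
# For more information on gitleaks, see: https://github.com/gitleaks/gitleaks
#
# Only the commits introduced by the triggering push or pull request are
# scanned (see the "Determine commit range to scan" step). Findings are
# redacted in the job log and uploaded as SARIF so they surface as code
# scanning alerts.
#
# NOTE(review): actions/checkout, github/codeql-action and the gitleaks image
# are referenced by mutable tags. Pinning them to an immutable commit SHA or
# image digest (e.g. `@<commit-sha>`, `@sha256:<digest>`) protects the workflow
# against a retagged or compromised upstream release.
name: Secret Scanning

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader handles it.
on:  # yamllint disable-line rule:truthy
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

# Default GITHUB_TOKEN scope for every job: read-only.
permissions:
  contents: read

jobs:
  gitleaks:
    name: Gitleaks
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      # Needed by github/codeql-action/upload-sarif to publish results.
      # NOTE(review): private repositories may additionally need `actions: read`
      # for upload-sarif — confirm against the codeql-action documentation.
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Full history is required so the commit range handed to
          # `--log-opts` below is reachable from the checkout.
          fetch-depth: 0

      # Resolves the `git log` range once so a single gitleaks step serves
      # both triggers. Event data is passed via environment variables instead
      # of being interpolated into the script body.
      - name: Determine commit range to scan
        id: range
        env:
          EVENT_NAME: ${{ github.event_name }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          PUSH_BEFORE_SHA: ${{ github.event.before }}
          PUSH_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail
          if [ "$EVENT_NAME" = "pull_request" ]; then
            range="${PR_BASE_SHA}..${PR_HEAD_SHA}"
          elif [ -n "$PUSH_BEFORE_SHA" ] \
            && [ "$PUSH_BEFORE_SHA" != "0000000000000000000000000000000000000000" ] \
            && git cat-file -e "${PUSH_BEFORE_SHA}^{commit}" 2>/dev/null; then
            range="${PUSH_BEFORE_SHA}..${PUSH_SHA}"
          else
            # New branch, first push or force-push: `github.event.before` is the
            # null SHA or no longer reachable, so `before..after` would make
            # `git log` fail. Fall back to the full history of the pushed
            # commit rather than skipping the scan.
            range="$PUSH_SHA"
          fi
          echo "Scanning range: $range"
          echo "log_opts=$range" >> "$GITHUB_OUTPUT"

      - name: Run gitleaks on changed commits
        uses: docker://zricethezav/gitleaks:v8.30.0
        with:
          # --redact keeps secret values out of the job log; --exit-code 1 fails
          # the job when a finding is reported.
          args: >-
            detect --source . --redact
            --report-format sarif --report-path gitleaks.sarif
            --exit-code 1
            --log-opts=${{ steps.range.outputs.log_opts }}

      - name: Upload SARIF results
        # always(): the gitleaks step exits non-zero exactly when it finds a
        # secret, which is when the report must still be uploaded. The
        # hashFiles() guard skips the upload when no report was produced.
        if: always() && hashFiles('gitleaks.sarif') != ''
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: gitleaks.sarif
          category: gitleaks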