Add three layers of secret leak prevention: 1. .gitleaks.toml — config extending the default ruleset (~150 rules for AWS, GCP, Stripe, OpenAI, private keys, JWTs, etc.) with allowlists tuned to suppress false positives from test fixtures and docs. 2. .husky/pre-commit — enhanced with gitleaks protect --staged (graceful skip if not installed), sensitive file type blocking (.pem, .key, .enc, id_rsa, etc.), and broadened fallback patterns covering AWS, OpenAI, GCP, and private key headers alongside existing Stripe checks. 3. .github/workflows/build-and-test.yml — new secret-scan CI job using gitleaks-action that runs in parallel with build on every push/PR, serving as the last gate if someone bypasses local hooks.
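# CI for Pulse: a standalone secret scan plus the frontend/backend build.
# Both jobs share the triggers below and run in parallel; the scan is the
# server-side gate behind the local gitleaks pre-commit hook.
name: Build and Test

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: every job is read-only unless it
# declares a narrower override of its own below.
permissions:
  contents: read

# NOTE(review): actions are referenced by major-version tag. Tags are
# mutable; pinning each `uses:` to a full commit SHA (with the tag kept in
# a trailing comment) closes that supply-chain gap. No SHAs are on record
# here, so the tags are kept as-is.
jobs:
  secret-scan:
    name: Secret Scan
    runs-on: ubuntu-latest
    # gitleaks-action uses the token to comment findings on pull requests;
    # that is the only write access this job needs. The repository itself
    # stays read-only.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Full history: the scanner works on commits, not just the
          # checked-out tree, so a shallow clone would miss earlier leaks.
          fetch-depth: 0

      - name: Run gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  build:
    name: Frontend & Backend
    runs-on: ubuntu-latest
    env:
      # Single source of truth for the frontend path; the steps below read
      # it instead of repeating the literal.
      FRONTEND_DIR: frontend-modern

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: npm
          cache-dependency-path: ${{ env.FRONTEND_DIR }}/package-lock.json

      - name: Install frontend dependencies
        working-directory: ${{ env.FRONTEND_DIR }}
        run: npm ci

      - name: Lint frontend
        working-directory: ${{ env.FRONTEND_DIR }}
        run: npm run lint

      - name: Frontend unit tests
        working-directory: ${{ env.FRONTEND_DIR }}
        run: npm run test

      - name: Type-check frontend
        working-directory: ${{ env.FRONTEND_DIR }}
        run: npm run type-check

      # Builds the bundle and copies it into the Go embed location via the
      # repository Makefile, so the backend build below can embed it.
      - name: Build frontend bundle (with embed copy)
        run: make frontend

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          # Go version comes from go.mod so CI and local builds agree.
          go-version-file: go.mod
          cache: true

      - name: Go unit tests
        env:
          # Keep test state out of the workspace and any default data dir.
          PULSE_DATA_DIR: /tmp/pulse-test-data
        run: go test ./...

      - name: Build Pulse backend
        run: go build ./cmd/pulse

      - name: Build pulse-sensor-proxy
        run: go build ./cmd/pulse-sensor-proxy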