From a8bf710c031227ab9dbd53c8959fee488532482e Mon Sep 17 00:00:00 2001
From: Guilherme Branco Stracini
Date: Wed, 19 Jun 2024 00:42:09 +0100
Subject: [PATCH] Create infisical-secrets-check.yml (#224)
---
 .github/workflows/infisical-secrets-check.yml | 75 +++++++++++++++++++
 1 file changed, 75 insertions(+)
 create mode 100644 .github/workflows/infisical-secrets-check.yml
diff --git a/.github/workflows/infisical-secrets-check.yml b/.github/workflows/infisical-secrets-check.yml
new file mode 100644
index 0000000..30da5ce
--- /dev/null
+++ b/.github/workflows/infisical-secrets-check.yml
@@ -0,0 +1,75 @@
+name: Infisical secrets check
+
+on:
+ workflow_dispatch:
+ pull_request:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+
+ secrets-scan:
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Checkout repo
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set Infisical package source
+ shell: bash
+ run: curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
+
+ - name: Install Infisical
+ shell: bash
+ run: |
+ sudo apt-get update && sudo apt-get install -y infisical
+
+ - name: Run scan
+ shell: bash
+ run: infisical scan --redact -f csv -r secrets-result.csv 2>&1 | tee secrets-result.log
+
+ - name: Read secrets-result.log
+ uses: guibranco/github-file-reader-action-v2@v2.1.535
+ if: always()
+ id: log
+ with:
+ path: secrets-result.log
+
+ - name: Read secrets-result.log
+ uses: guibranco/github-file-reader-action-v2@v2.1.535
+ if: failure()
+ id: report
+ with:
+ path: secrets-result.csv
+
+ - name: Update PR with comment
+ uses: mshick/add-pr-comment@v2
+ if: always()
+ with:
+ refresh-message-position: true
+ message-id: 'secrets-result'
+ message: |
+ **Infisical secrets check:** :white_check_mark: No secrets leaked!
+
+ **Scan results:**
+ ```
+ ${{ steps.log.outputs.contents }}
+ ```
+
+ message-failure: |
+ **Infisical secrets check:** :rotating_light: Secrets leaked!.
+
+ **Scan results:**
+ ```
+ ${{ steps.log.outputs.contents }}
+ ```
+ **Scan report:**
+ ```
+ ${{ steps.report.outputs.contents }}
+ ```
+ message-cancelled: |
+ **Infisical secrets check:** :o: Secrets check cancelled!.
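Review bot: The "Set Infisical package source" step pipes `https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh` straight into `sudo -E bash` and the next step installs an unpinned `infisical` package, so whatever that URL serves at run time executes as root, with the runner's environment preserved, on every pull request; download the script to a file, check it against a checksum committed next to the workflow, and pin the package (`apt-get install -y infisical=<version>`) so the secret scanner cannot itself become the supply-chain hole. The workflow also declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope; add `permissions:` / `  contents: read` / `  pull-requests: write` at the top level, which is the least the checkout and `add-pr-comment` steps need (for PRs from forks the token is read-only regardless, so the comment step will fail there and the job should tolerate that). `guibranco/github-file-reader-action-v2@v2.1.535` and `mshick/add-pr-comment@v2` are referenced by mutable tags; pinning them to commit SHAs closes the same class of risk. `message-failure` posts `steps.report.outputs.contents`, the raw `secrets-result.csv`, into a PR comment — `--redact` is passed to the scan, but confirm it applies to the CSV report and not only the console output before relying on this, or a finding would be republished unredacted. Keep `shell: bash` on the "Run scan" step: GitHub adds `-eo pipefail` only when the shell is set explicitly, and without it the `| tee secrets-result.log` pipeline would mask the scanner's non-zero exit and the failure branch would never fire.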