2025-12-17 2e6c955be321cefd7e0c4a3031eab805e0a5a303
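name: "Gitleaks"

# Reusable secret-scanning workflow. Callers supply the commit range to scan
# (base_sha..head_sha) and, optionally, the gitleaks release to install.
on:
  workflow_call:
    inputs:
      head_sha:
        required: true
        type: string
      base_sha:
        required: true
        type: string
      version:
        required: false
        type: string
        default: "latest"

# Least privilege: the only GITHUB_TOKEN use here is the checkout, which needs
# read access. Cache and artifact steps use the runtime token instead.
permissions:
  contents: read

env:
  ACTIONS_STEP_DEBUG: '${{ secrets.ACTIONS_STEP_DEBUG }}'

jobs:
  gitleaks:
    name: "Gitleaks"
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin third-party actions to a full commit SHA instead of a
      # mutable tag so a retagged release cannot change what runs here.
      - uses: hmarr/debug-action@v3.0.0

      - name: install
        shell: bash
        # Caller-controlled input is handed over through the environment rather
        # than interpolated into the script, so its value can never become part
        # of the shell command text.
        env:
          REQUESTED_VERSION: ${{ inputs.version }}
        run: |
          set -euo pipefail
          arch="$(uname)_$(uname -m)"
          platform="$(echo "$arch" | tr '[:upper:]' '[:lower:]')"
          echo "PLATFORM=$platform" >> "$GITHUB_ENV"
          if [[ "$REQUESTED_VERSION" == "latest" ]]; then
            # -f turns an API error (rate limit, outage) into a failed step
            # instead of piping an error document into jq and recording
            # GITLEAKS_VERSION=null.
            latest="$(curl -fsSL https://api.github.com/repos/gitleaks/gitleaks/releases/latest | jq -r .tag_name | sed 's/^v//')"
            echo "GITLEAKS_VERSION=$latest" >> "$GITHUB_ENV"
          else
            echo "GITLEAKS_VERSION=$REQUESTED_VERSION" >> "$GITHUB_ENV"
          fi

      - name: Cache gitleaks archive
        id: cache_gitleaks
        uses: actions/cache@v5
        with:
          path: /usr/local/bin/gitleaks
          key: gitleaks-${{ env.PLATFORM }}-${{ env.GITLEAKS_VERSION }}

      - name: Download and configure gitleaks
        shell: bash
        env:
          CACHE_HIT: ${{ steps.cache_gitleaks.outputs.cache-hit }}
        run: |
          set -euo pipefail
          # The version is spliced into a release URL path; refuse anything that
          # could change which path is fetched (slashes, whitespace, ...).
          if ! [[ "$GITLEAKS_VERSION" =~ ^[0-9A-Za-z.+-]+$ ]]; then
            echo "::error::unexpected GITLEAKS_VERSION '${GITLEAKS_VERSION}'"
            exit 1
          fi
          if [[ "$CACHE_HIT" != "true" ]]; then
            # PLATFORM only feeds the cache key; the asset name is fixed to
            # linux_x64 to match the ubuntu-latest runner.
            download_url="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
            echo "Download Gitleaks ${GITLEAKS_VERSION} for ${PLATFORM} from ${download_url}"
            # TODO(review): verify the archive against the checksums published
            # with the release before installing it.
            # Extract only the binary so no other archive member lands in a
            # directory on PATH.
            curl -fsSL "$download_url" | tar xzf - -C /usr/local/bin gitleaks
          fi
          chmod +x /usr/local/bin/gitleaks

      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Full history so the base_sha..head_sha range exists locally.
          fetch-depth: 2147483647
          ref: ${{ inputs.head_sha }}

      - name: Run gitleaks
        shell: bash
        # Same isolation as above: the SHAs reach the command as quoted shell
        # variables, never as interpolated script text.
        env:
          BASE_SHA: ${{ inputs.base_sha }}
          HEAD_SHA: ${{ inputs.head_sha }}
        run: |
          set -euo pipefail ${ACTIONS_STEP_DEBUG:+-x}

          # --exit-code=2 makes any finding fail the job; --redact masks the
          # matched secret values in gitleaks' output even at debug log level.
          gitleaks \
            detect \
            --source="." \
            --redact \
            -v \
            --exit-code=2 \
            --report-format=sarif \
            --report-path=results.sarif \
            --log-level=debug \
            --log-opts="${BASE_SHA}..${HEAD_SHA}"

      # The SARIF report is kept only when the job fails (findings, or a
      # tooling error in an earlier step).
      - name: Upload test results
        if: failure()
        uses: actions/upload-artifact@v6
        with:
          name: GitLeaks results
          path: results.sarif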