fix: verify-onboarding-deploy handles HTTP 403 without curl -f #241
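---
# Secret Guard: fails the build when verified secrets, internal infrastructure
# details (private IPs, real home-directory paths, internal domains), committed
# .env.local files, or credential-looking files are found in the repository.
name: Secret Guard

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]

# Least privilege: every job in this workflow only needs to read the checkout.
# Without an explicit block the GITHUB_TOKEN receives the repository's default
# permission set, which may include write scopes the scanners never use.
permissions:
  contents: read

jobs:
  scan-secrets:
    name: Scan for leaked secrets & PII
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          # Full history so TruffleHog can scan every commit, not only HEAD.
          fetch-depth: 0

      - name: Run TruffleHog
        # NOTE(review): "@main" is a mutable ref, so a compromised or broken
        # upstream branch runs inside this job on the next push. Pin to a
        # release tag or a full commit SHA, e.g.
        # trufflesecurity/trufflehog@<pinned-commit-sha>.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # Report only findings whose credentials were verified as live,
          # which keeps the job free of false positives from test fixtures.
          extra_args: --only-verified

  scan-custom-patterns:
    name: Scan for internal infrastructure leaks
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Check for Tailscale / internal IPs
        # Blocks RFC 1918 ranges (10/8, 172.16/12, 192.168/16) and the CGNAT
        # 100.64/10 block used by Tailscale (matched loosely as 100.x.x.x).
        # The workflow file itself is excluded because it contains the patterns.
        run: |
          set -e
          PATTERNS='100\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3}'
          MATCHES=$(git grep -nE "$PATTERNS" -- '*.md' '*.ts' '*.tsx' '*.js' '*.json' '*.yaml' '*.yml' '*.sh' '*.py' \
            | grep -v '^\.github/workflows/secret-guard\.yml:' \
            || true)
          if [ -n "$MATCHES" ]; then
            echo "❌ INTERNAL IP ADDRESSES DETECTED:"
            echo "$MATCHES"
            exit 1
          fi
          echo "✅ No internal IPs found"

      - name: Check for real usernames in paths
        # Blocks absolute macOS/Linux home-directory paths, which leak real
        # usernames, while allowing the documented placeholder forms
        # (yourname, USERNAME, $USER). Planning notes are exempt.
        run: |
          set -e
          MAC_HOME='/Users/'
          LINUX_HOME='/home/'
          PATTERNS="${MAC_HOME}[^/]+/|${LINUX_HOME}[^/]+/"
          MATCHES=$(git grep -nE "$PATTERNS" -- '*.md' '*.ts' '*.tsx' '*.js' '*.json' '*.yaml' '*.yml' '*.sh' '*.py' \
            | grep -v '^\.github/workflows/secret-guard\.yml:' \
            | grep -v '^\.planning/' \
            | grep -vE '(/Users/yourname/|/Users/USERNAME/|/Users/\$USER/|/home/yourname/|/home/USERNAME/|/home/\$USER/)' \
            || true)
          if [ -n "$MATCHES" ]; then
            echo "❌ REAL USERNAME PATHS DETECTED:"
            echo "$MATCHES"
            exit 1
          fi
          echo "✅ No real username paths found"

      - name: Check for internal domains
        # Case-insensitive match against a maintainer-supplied blocklist.
        run: |
          set -e
          # Add your own internal domains here
          BLOCKLIST='epiloguecapital|your-internal-domain-here'
          MATCHES=$(git grep -niE "$BLOCKLIST" -- '*.md' '*.ts' '*.tsx' '*.js' '*.json' '*.yaml' '*.yml' '*.sh' '*.py' \
            | grep -v '^\.github/workflows/secret-guard\.yml:' \
            || true)
          if [ -n "$MATCHES" ]; then
            echo "❌ INTERNAL DOMAINS DETECTED:"
            echo "$MATCHES"
            exit 1
          fi
          echo "✅ No internal domains found"

      - name: Check for .env.local commits
        # .env.local is the conventional home for real local secrets; it must
        # never be tracked, at any depth of the tree.
        run: |
          set -e
          if git ls-files | grep -Eq '(^|/)\.env\.local$'; then
            echo "❌ .env.local is committed anywhere in the repo — move secrets to .env.example with placeholders"
            exit 1
          fi
          echo "✅ No .env.local in git"

  scan-filenames:
    name: Scan for suspicious filenames
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Check for credential files
        # Matches by filename only (private keys, PKCS#12 bundles, SSH keys,
        # cloud service-account JSON); contents are not inspected here.
        run: |
          set -e
          SUSPICIOUS=$(git ls-files \
            | grep -iE '\.pem$|\.key$|\.p12$|\.pfx$|id_rsa|id_ed25519|credentials\.json|service-account.*\.json' \
            || true)
          if [ -n "$SUSPICIOUS" ]; then
            echo "❌ SUSPICIOUS FILES DETECTED:"
            echo "$SUSPICIOUS"
            exit 1
          fi
          echo "✅ No credential files in git"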