Sync Secret Scanning data #85
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Sync Secret Scanning data | |
# **What it does**: This updates the data used by the secret scanning patterns page. | |
# **Why we have it**: To automate updates to the secret scanning pattern data in our public-facing documentation. | |
# **Who does it impact**: Docs engineering, content writers. | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: '20 16 * * *' # Run every day at 16:20 UTC / 8:22 PST | |
permissions: | |
contents: write | |
pull-requests: write | |
# This allows a subsequently queued workflow run to interrupt previous runs | |
concurrency: | |
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' | |
cancel-in-progress: true | |
jobs: | |
update-secret-scanning-file: | |
if: github.repository == 'github/docs-internal' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: ./.github/actions/node-npm-setup | |
- name: Sync secret scanning data | |
id: secret-scanning-sync | |
env: | |
# need to use a token from a user with access to | |
# github/token-scanning-service for this step | |
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} | |
run: | | |
npm run sync-secret-scanning | |
- name: Create a pull request | |
env: | |
# Needed for gh | |
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} | |
run: | | |
# If nothing to commit, exit now. It's fine. | |
changes=$(git diff --name-only | wc -l) | |
untracked=$(git status --untracked-files --short | wc -l) | |
if [[ $changes -eq 0 ]] && [[ $untracked -eq 0 ]]; then | |
echo "There are no changes to commit. Exiting..." | |
exit 0 | |
fi | |
git config --global user.name "docs-bot" | |
git config --global user.email "77750099+docs-bot@users.noreply.github.com" | |
branchname=sync-secret-scanning-${{ steps.secret-scanning-sync.outputs.sha }} | |
remotesha=$(git ls-remote --heads origin $branchname) | |
if [ -n "$remotesha" ]; then | |
# output is not empty, it means the remote branch exists | |
echo "Branch $branchname already exists in 'github/docs-internal'. Exiting..." | |
exit 0 | |
fi | |
git checkout -b $branchname | |
git add . | |
git commit -m "Add updated secret scanning data" | |
git push origin $branchname | |
echo "Creating pull request..." | |
gh pr create \ | |
--title "Sync secret scanning data" \ | |
--body '👋 humans. This PR updates the secret scanning data with the latest changes from github/token-scanning-service. | |
/cc @github/docs-content-security-products | |
If CI does not pass or other problems arise, contact #docs-engineering on Slack.' \ | |
--repo github/docs-internal \ | |
--label secret-scanning-pipeline,'skip FR board',ready-for-doc-review | |
- uses: ./.github/actions/slack-alert | |
if: ${{ failure() && github.event_name != 'workflow_dispatch' }} | |
with: | |
slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} | |
slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }} |