File tree 1 file changed +11
-18
lines changed
1 file changed +11
-18
lines changed Original file line number Diff line number Diff line change 1010 - cron : ' 0 4 * * *'
1111
1212permissions :
13- actions : write # Needed for skip-duplicate-jobs job
1413 contents : read
1514
1615jobs :
17- # Special job which automatically cancels old runs for the same branch, prevents runs for the
18- # same file set which has already passed, etc.
19- pre_job :
20- name : Skip Duplicate Jobs Pre Job
21- runs-on : ubuntu-latest
22- outputs :
23- should_skip : ${{ steps.skip_check.outputs.should_skip }}
24- steps :
25- - id : skip_check
26- uses : fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281 # v5.3.0
27- with :
28- cancel_others : ' true'
29- github_token : ${{ github.token }}
30-
3116 TruffleHog :
3217 runs-on : ubuntu-latest
33- needs : pre_job
34- if : ${{ needs.pre_job.outputs.should_skip != 'true' || github.ref_name == 'master' }}
3518
3619 steps :
3720 - name : Checkout code
3821 uses : actions/checkout@v3
3922 with :
4023 fetch-depth : 0
4124
25+ # Special check which ensures that the clone performed above is not shallow. We need the
26+ # complete git history for scanning to work correctly in all the situations. In some cases
27+ # if a shallow clone is used, trufflehog won't not fail with an error, but it would simply
28+ # not detect any files and that could be dangerous.
29+ - name : Shallow repo check
30+ run : |
31+ if git rev-parse --is-shallow-repository | grep -q "true"; then
32+ echo "Encountered a shallow repository, trufflehog may not work as expected!"
33+ exit 1
34+ fi
35+
4236name : scan-pr
4337 uses : trufflesecurity/trufflehog@main
4438 if : ${{ github.event_name == 'pull_request' }}
4741 base : ${{ github.event.repository.default_branch }}
4842 head : HEAD
4943 extra_args : --debug --only-verified
50- --exclude-paths=${{ inputs.exclude-paths }}
5144
5245 - name : scan-push
5346 uses : trufflesecurity/trufflehog@main
You can’t perform that action at this time.
0 commit comments