-
Notifications
You must be signed in to change notification settings - Fork 315
/
Copy pathggshield.yaml
93 lines (80 loc) · 2.7 KB
/
ggshield.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
package:
name: ggshield
version: "1.37.0"
epoch: 0
description: Find and fix 360+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
copyright:
- license: MIT
dependencies:
runtime:
- git
- py${{vars.py-version}}-certifi
- python-${{vars.py-version}}
vars:
py-version: 3.12
environment:
contents:
packages:
- build-base
- busybox
- ca-certificates-bundle
- coreutils
- curl
- openssf-compiler-options
# pinning build and runtime deps to 3.12 because pyinstaller version project is using doesn't work with 3.13 python.
- py${{vars.py-version}}-pip
- py${{vars.py-version}}-setuptools
- py${{vars.py-version}}-wheel
- python-${{vars.py-version}}
- wolfi-base
pipeline:
- uses: git-checkout
with:
repository: https://github.com/GitGuardian/ggshield
tag: v${{package.version}}
expected-commit: 7661befc3de373a22edd04c0d50af16cc82e1009
- runs: |
# Upstream switched to using pdm, installing using directions from https://pdm-project.org/en/latest/
curl -sSLO https://pdm-project.org/install-pdm.py
curl -sSL https://pdm-project.org/install-pdm.py.sha256 | sha256sum -c -
# Run the installer
python3 install-pdm.py
export PATH=/home/build/.local/bin:$PATH
# cryptography 44.0.2 (CVE-2024-12797 GHSA-79v4-65xg-pq4g) requires a
# higher minimum Python
sed -i 's/requires-python = ">=3.8.1"/requires-python = ">=3.12"/' pyproject.toml
sed -i 's/cryptography~=43.0.1/cryptography~=44.0.2/' pyproject.toml
pdm update cryptography # Regenerate lock file
# Install packages
# Based on directions from https://github.com/GitGuardian/ggshield/blob/v1.34.0/doc/dev/getting-started.md
pdm install --dev
pip3 install certifi -U # https://github.com/advisories/GHSA-xqr8-7jwr-rhp7
pdm build
pip3 install . --prefix=/usr --root="${{targets.destdir}}"
# Cleanup
find ${{targets.destdir}} -name "*.pyc" -exec rm -rf '{}' +
- uses: strip
update:
enabled: true
github:
identifier: GitGuardian/ggshield
use-tag: true
strip-prefix: v
test:
pipeline:
- name: Check ggshield version
runs: |
ggshield --version
cmark --help
dotenv --version
dotenv --help
ggshield --help
normalizer --version
normalizer --help
pygmentize -v
pygmentize --help
- name: Check ggshield API status without API key
runs: |
output=$(ggshield api-status 2>&1 || true)
echo "$output" | grep "Error: A GitGuardian API key is needed to use ggshield."
- uses: test/tw/ldd-check