Use git clone for checkout, avoid GitHub dependency
This commit is contained in:
+13
-10
@@ -7,36 +7,39 @@ jobs:
|
||||
lint:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Checkout
|
||||
run: |
|
||||
git clone http://gitea:3000/jimmy/vps-oracle-jp.git .
|
||||
git checkout ${{ github.sha }}
|
||||
- name: Validate JSON
|
||||
run: python3 -c "import json; json.load(open('xray-config.json'))"
|
||||
- name: Validate YAML
|
||||
run: python3 -c "import yaml; yaml.safe_load(open('clash-meta.yaml'))"
|
||||
run: pip install pyyaml -q && python3 -c "import yaml; yaml.safe_load(open('clash-meta.yaml'))"
|
||||
|
||||
security:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Checkout
|
||||
run: |
|
||||
git clone http://gitea:3000/jimmy/vps-oracle-jp.git .
|
||||
git checkout ${{ github.sha }}
|
||||
- name: Check for secrets
|
||||
run: |
|
||||
FOUND=0
|
||||
# Check for private keys
|
||||
if grep -rE '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----' --include='*.json' --include='*.yaml' --include='*.yml' --include='*.md' .; then
|
||||
echo "ERROR: Private key found in repo"
|
||||
FOUND=1
|
||||
fi
|
||||
# Check for passwords/tokens in plain text
|
||||
if grep -riE '(password|secret|token)\s*[:=]\s*["\x27]?[a-zA-Z0-9+/]{20,}' --include='*.json' --include='*.yaml' --include='*.yml' . | grep -v 'privateKey\|public-key'; then
|
||||
echo "WARNING: Possible secret found"
|
||||
FOUND=1
|
||||
fi
|
||||
exit $FOUND
|
||||
|
||||
deploy:
|
||||
needs: [lint, security]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Checkout
|
||||
run: |
|
||||
git clone http://gitea:3000/jimmy/vps-oracle-jp.git .
|
||||
git checkout ${{ github.sha }}
|
||||
- name: Deploy xray config
|
||||
env:
|
||||
VPS_SSH_KEY: ${{ secrets.VPS_SSH_KEY }}
|
||||
|
||||
Reference in New Issue
Block a user