ci: enable git leaks to check sensitive (#11878)

* ci: enable git leaks to check sensitive * ci: remove the detect logic * ci: update logic
OfficeDev · Jun 24, 2024 · 15ff873 · 15ff873
1 parent 126ae1f
commit 15ff873
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 243 deletions.
diff --git a/.github/detect/excludes.txt b/.github/detect/excludes.txt
diff --git a/.github/detect/regexes.json b/.github/detect/regexes.json
diff --git a/.github/detect/sensitive-detect.py b/.github/detect/sensitive-detect.py
diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml
@@ -137,45 +137,16 @@ jobs:
           fi
 
   check-sensitive-content:
-    if: ${{ github.event_name == 'pull_request' }}
+    if: ${{ github.event_name == 'pull_request' || (github.event_name == 'schedule' && (github.ref == 'refs/heads/dev'|| github.ref == 'refs/heads/main'))}}
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout branch
-        uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.ref }}
-          repository: ${{github.event.pull_request.head.repo.full_name}}
-
-      - name: prettier check files in PR on Fork
-        if: ${{ github.event.pull_request.head.repo.full_name != 'OfficeDev/TeamsFx' }}
-        run: |
-          git remote add upstream https://github.com/OfficeDev/TeamsFx.git
-          git fetch upstream ${{ github.event.pull_request.base.ref }}
-          git diff --diff-filter=MARC upstream/${{ github.event.pull_request.base.ref }}...HEAD --name-only >> diffFiles.txt
-
-      - name: prettier check files in PR on local
-        if: ${{ github.event.pull_request.head.repo.full_name == 'OfficeDev/TeamsFx' }}
-        run: |
-          git diff --diff-filter=MARC origin/${{ github.event.pull_request.base.ref }}...HEAD --name-only >> diffFiles.txt
-
-      - name: check content
-        run: |
-          touch diffFiles.txt
-          python .github/detect/sensitive-detect.py diff
-
-  schedule-check-sensitive-content:
-    if: ${{ github.event_name == 'schedule' && (github.ref == 'refs/heads/dev'|| github.ref == 'refs/heads/main' || github.ref == 'refs/heads/ga') }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: checkout branch
-        uses: actions/checkout@v3
-        with:
-          token: ${{ secrets.CD_PAT }}
-          ref: ${{ github.ref }}
-      - name: check content
-        run: |
-          python .github/detect/sensitive-detect.py repo
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
 
   attension-on-version:
     if: ${{ github.event_name ==  'pull_request' && github.event.pull_request.base.ref == 'main' && github.event.action != 'edited' }}