From 423562ab897532d35f380de5fe7a094e027ad29b Mon Sep 17 00:00:00 2001
From: Philipp Langer
Date: Tue, 7 Oct 2025 15:20:51 +0200
Subject: [PATCH 1/4] ci: move secret-scan to self-hosted runners
---
 .github/workflows/ci-standard-checks-workflow.yaml | 7 ++++++-
 shared-actions/secrets-scan/secrets-scan.sh | 8 ++++----
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci-standard-checks-workflow.yaml b/.github/workflows/ci-standard-checks-workflow.yaml
index 370c096..4de64a7 100644
--- a/.github/workflows/ci-standard-checks-workflow.yaml
+++ b/.github/workflows/ci-standard-checks-workflow.yaml
@@ -18,10 +18,15 @@ on: required: false default: false description: 'whether to use Typeform/ci-standard-checks@v1-beta' + runner: + description: "Self-hosted GHA runner" + type: string + required: false + default: "ci-base" jobs: ci-standard-checks: - runs-on: 'ubuntu-latest' + runs-on: [self-hosted, "${{ inputs.runner }}"] steps: - name: Check Out Source Code uses: actions/checkout@v5
diff --git a/shared-actions/secrets-scan/secrets-scan.sh b/shared-actions/secrets-scan/secrets-scan.sh
index 8526339..4fda8cf 100755
--- a/shared-actions/secrets-scan/secrets-scan.sh
+++ b/shared-actions/secrets-scan/secrets-scan.sh
@@ -10,9 +10,9 @@ then exit 1 fi -# Check if user is logged in to quay.io -DOCKER_REGISTRY=quay.io -docker pull ${DOCKER_REGISTRY}/typeform/gitleaks-config +# Check if user is logged in to ECR +DOCKER_REGISTRY=567716553783.dkr.ecr.us-east-1.amazonaws.com +docker pull ${DOCKER_REGISTRY}/gitleaks-config exit_code=$? if [ ! $exit_code -eq 0 ]; then
@@ -30,7 +30,7 @@ mkdir -p $tmp_dir local_config=".gitleaks.toml" final_config="$tmp_dir/gitleaks_config.toml" commits_file="$tmp_dir/commit_list.txt" -gitleaks_config_container="${DOCKER_REGISTRY}/typeform/gitleaks-config" +gitleaks_config_container="${DOCKER_REGISTRY}/gitleaks-config" gitleaks_container="zricethezav/gitleaks" gitleaks_version="v7.2.0"
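Review bot: The new `runner` input is a free-form `string` that is interpolated directly into `runs-on: [self-hosted, "${{ inputs.runner }}"]`, so any caller of this reusable workflow chooses which self-hosted runner label the checks — and the `secrets.GITHUB_TOKEN` passed to them further down the file — land on; `workflow_call` inputs cannot be constrained to a choice list, so the accepted labels should at least be named in the description and, if the set is small, verified in a first step. The `ubuntu-latest` fallback is gone with this hunk, so a caller whose repository has no `ci-base` runner will queue rather than fail, which the description should also say. The description string is double-quoted where the rest of the file uses single quotes; `description: 'Label of the self-hosted runner that executes the checks (default: ci-base)'` would match the file's style and carry the information.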
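Review bot: `docker pull ${DOCKER_REGISTRY}/gitleaks-config` fetches the implicit `latest` tag, so the ruleset that decides what counts as a leaked secret is whatever was pushed last; since the image reference is being rewritten anyway this is the moment to pin it by tag or digest, and the same reference is built again in the `gitleaks_config_container=` hunk at `@@ -30,7`. At this point in the series `action.yml` still exports `DOCKER_REGISTRY` into the script's environment (it is dropped in patch 2/4), and the hard-coded assignment silently overrides it; `DOCKER_REGISTRY="${DOCKER_REGISTRY:-567716553783.dkr.ecr.us-east-1.amazonaws.com}"` keeps the same default while leaving the override path intact. The comment `# Check if user is logged in to ECR` no longer describes the code, because nothing here logs in and the pull's exit status is the only check, so `# Pull the config image; this fails if the runner has no usable ECR credentials` is more accurate. The `if` that tests `exit_code` continues outside the hunk.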
From 24ae7859ea9db25e9daa149d9adfeeb92ebba094 Mon Sep 17 00:00:00 2001
From: Philipp Langer
Date: Tue, 7 Oct 2025 17:38:52 +0200
Subject: [PATCH 2/4] bump
---
 .github/workflows/ci-standard-checks-workflow.yaml | 4 ++--
 shared-actions/secrets-scan/action.yml | 6 ------
 2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/ci-standard-checks-workflow.yaml b/.github/workflows/ci-standard-checks-workflow.yaml
index 4de64a7..b66448d 100644
--- a/.github/workflows/ci-standard-checks-workflow.yaml
+++ b/.github/workflows/ci-standard-checks-workflow.yaml
@@ -35,14 +35,14 @@ jobs:
 - uses: actions/setup-node@v5
 with:
 node-version: 20
- - name: CI Standard Checks
+ - name: CI Standard Checks # bump
 if: ${{ inputs.useBeta == false }}
 uses: Typeform/ci-standard-checks@v1
 with:
 githubToken: ${{ secrets.GITHUB_TOKEN }}
 skipChecks: ${{ inputs.skipChecks }}
 enableChecks: ${{ inputs.enableChecks }}
- - name: CI Standard Checks @v1-beta
+ - name: CI Standard Checks @v1-beta # bump
 if: ${{ inputs.useBeta == true }}
 uses: Typeform/ci-standard-checks@v1-beta
 with:
diff --git a/shared-actions/secrets-scan/action.yml b/shared-actions/secrets-scan/action.yml
index b8bdc20..8d3ad4d 100644
--- a/shared-actions/secrets-scan/action.yml
+++ b/shared-actions/secrets-scan/action.yml
@@ -16,13 +16,7 @@ inputs:
 runs:
 using: "composite"
 steps:
- - run: docker login -u=${{ inputs.docker-username }} -p=${{ inputs.docker-password }} ${{ inputs.docker-registry}}
- shell: bash
-
 - run: ${{ github.action_path }}/secrets-scan.sh
 env:
- DOCKER_REGISTRY: ${{ inputs.docker-registry }}
- DOCKER_USERNAME: ${{ inputs.docker-username }}
- DOCKER_PASSWORD: ${{ inputs.docker-password }}
 GH_TOKEN: ${{ inputs.gh-token }}
 shell: bash
From 06e3389130a83cc9db134d88f35b25b1c7d48e43 Mon Sep 17 00:00:00 2001
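Review bot: The only change to the workflow in this hunk is the `# bump` suffix on the two step names, and patches 3/4 and 4/4 rewrite it to `# bump2` and `# bump3`; presumably this is meant to force a fresh run, but the comments carry no information and will stay in the workflow file. Squash the three bump commits away or strip the suffix so the lines read `- name: CI Standard Checks` and `- name: CI Standard Checks @v1-beta` again before merge.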
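Review bot: This hunk removes the only uses of `inputs.docker-registry`, `inputs.docker-username` and `inputs.docker-password`, but the `inputs:` block above `runs:` lies outside the hunk and is not touched by the patch, so those inputs are presumably still declared and callers will keep handing registry credentials to an action that no longer reads them; remove them, or give each a description marking it deprecated, in the same change. With the `docker login` step gone, image access now rests entirely on whatever credentials the self-hosted runner already holds, and the only signal of a misconfigured runner is the non-zero exit of the pull inside `secrets-scan.sh`. A comment on the remaining step would make that contract visible, e.g. `# No registry login here: the self-hosted runner is expected to hold ECR credentials; secrets-scan.sh exits non-zero if the config image cannot be pulled.`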
From: Philipp Langer
Date: Tue, 7 Oct 2025 17:46:25 +0200
Subject: [PATCH 3/4] fix: bump
---
 .github/workflows/ci-standard-checks-workflow.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci-standard-checks-workflow.yaml b/.github/workflows/ci-standard-checks-workflow.yaml
index b66448d..3efeecb 100644
--- a/.github/workflows/ci-standard-checks-workflow.yaml
+++ b/.github/workflows/ci-standard-checks-workflow.yaml
@@ -35,14 +35,14 @@ jobs:
 - uses: actions/setup-node@v5
 with:
 node-version: 20
- - name: CI Standard Checks # bump
+ - name: CI Standard Checks # bump2
 if: ${{ inputs.useBeta == false }}
 uses: Typeform/ci-standard-checks@v1
 with:
 githubToken: ${{ secrets.GITHUB_TOKEN }}
 skipChecks: ${{ inputs.skipChecks }}
 enableChecks: ${{ inputs.enableChecks }}
- - name: CI Standard Checks @v1-beta # bump
+ - name: CI Standard Checks @v1-beta # bump2
 if: ${{ inputs.useBeta == true }}
 uses: Typeform/ci-standard-checks@v1-beta
 with:
From dcf6bf55c581cd7088035272a71475964430602b Mon Sep 17 00:00:00 2001
From: Philipp Langer
Date: Tue, 7 Oct 2025 18:02:00 +0200
Subject: [PATCH 4/4] bump
---
 .github/workflows/ci-standard-checks-workflow.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci-standard-checks-workflow.yaml b/.github/workflows/ci-standard-checks-workflow.yaml
index 3efeecb..57b75b4 100644
--- a/.github/workflows/ci-standard-checks-workflow.yaml
+++ b/.github/workflows/ci-standard-checks-workflow.yaml
@@ -35,14 +35,14 @@ jobs:
 - uses: actions/setup-node@v5
 with:
 node-version: 20
- - name: CI Standard Checks # bump2
+ - name: CI Standard Checks # bump3
 if: ${{ inputs.useBeta == false }}
 uses: Typeform/ci-standard-checks@v1
 with:
 githubToken: ${{ secrets.GITHUB_TOKEN }}
 skipChecks: ${{ inputs.skipChecks }}
 enableChecks: ${{ inputs.enableChecks }}
- - name: CI Standard Checks @v1-beta # bump2
+ - name: CI Standard Checks @v1-beta # bump3
 if: ${{ inputs.useBeta == true }}
 uses: Typeform/ci-standard-checks@v1-beta
 with: