This is an automated email from the ASF dual-hosted git repository.

kirs pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/master by this push:
     new 8b0332976e1 [improvement](build) Add Gitleaks PR workflow (#61987)
8b0332976e1 is described below

commit 8b0332976e1584064a8ddb7284f158f78a82d48a
Author: Calvin Kirs <[email protected]>
AuthorDate: Thu Apr 2 10:22:36 2026 +0800

    [improvement](build) Add Gitleaks PR workflow (#61987)
    
    ### What problem does this PR solve?
    
    Issue Number: None
    
    Related PR: None
    
    Problem Summary: Add a dedicated pull request workflow to scan
    repository contents for leaked secrets with Gitleaks.
    
    ### Release note
    
    None
    
    ### Check List (For Author)
    
    - Test: Manual test
        - Validated workflow YAML parses successfully with python3 + PyYAML
    - Behavior changed: Yes (adds a PR secret scan workflow)
    - Does this need documentation: No
    
    ### What problem does this PR solve?
---
 .github/workflows/gitleaks-pr-check.yml | 86 +++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)

diff --git a/.github/workflows/gitleaks-pr-check.yml 
b/.github/workflows/gitleaks-pr-check.yml
new file mode 100644
index 00000000000..9ac7991a957
--- /dev/null
+++ b/.github/workflows/gitleaks-pr-check.yml
@@ -0,0 +1,86 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+---
+name: Gitleaks PR Check
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  gitleaks:
+    name: Check for secrets
+    runs-on: ubuntu-latest
+    env:
+      GITLEAKS_VERSION: 8.30.0
+      GITLEAKS_SHA256: 
79a3ab579b53f71efd634f3aaf7e04a0fa0cf206b7ed434638d1547a2470a66e
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Install Gitleaks
+        run: |
+          curl -sSL \
+            -o /tmp/gitleaks.tar.gz \
+            
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz";
+          echo "${GITLEAKS_SHA256}  /tmp/gitleaks.tar.gz" | sha256sum -c -
+          tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
+          chmod +x /tmp/gitleaks
+
+      - name: Run Gitleaks
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          /tmp/gitleaks git . \
+            --redact \
+            --log-opts="--no-merges ${BASE_SHA}..${HEAD_SHA}" \
+            --report-format json \
+            --report-path gitleaks-report.json
+
+      - name: Summarize Gitleaks findings
+        if: always() && hashFiles('gitleaks-report.json') != ''
+        run: |
+          python3 - <<'PY'
+          import json
+          from pathlib import Path
+
+          findings = json.loads(Path("gitleaks-report.json").read_text())
+          print(f"gitleaks findings: {len(findings)}")
+          for finding in findings[:20]:
+              rule_id = finding.get("RuleID", "unknown-rule")
+              file_name = finding.get("File", "unknown-file")
+              line = finding.get("StartLine", "?")
+              description = finding.get("Description", "")
+              print(f"- {rule_id} {file_name}:{line} {description}")
+          if len(findings) > 20:
+              print(f"... {len(findings) - 20} more findings in 
gitleaks-report.json")
+          PY
+
+      - name: Upload Gitleaks report
+        if: always() && hashFiles('gitleaks-report.json') != ''
+        uses: actions/upload-artifact@v4
+        with:
+          name: gitleaks-report
+          path: gitleaks-report.json
+          if-no-files-found: error
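Review bot: The two third-party actions are pinned only to mutable major tags (`uses: actions/checkout@v4`, `uses: actions/upload-artifact@v4`), while the gitleaks binary itself is pinned to an exact version and verified against GITLEAKS_SHA256, so the integrity guarantee of this secret-scanning job is weaker than it looks: a moved `v4` tag runs unreviewed code with read access to the full checkout. Pin both to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, as the checksum on the gitleaks download already does for the scanner. In the Install Gitleaks step, `curl -sSL` has no `-f`, so a non-2xx response (wrong asset name after a version bump, rate limiting) writes the HTML error body to /tmp/gitleaks.tar.gz and the failure surfaces as a confusing checksum mismatch rather than an HTTP error; `curl -fsSL \` makes the cause visible. A comment above the `env:` block, such as `# GITLEAKS_SHA256 is the sha256 of the linux_x64 tarball for GITLEAKS_VERSION; update both together from the release's checksums file`, would tell the next maintainer why a version bump alone breaks the job.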

