mirror of
https://github.com/we-promise/sure.git
synced 2026-07-15 06:15:20 +00:00
- Remove .github/workflows/ci.yml and .github/workflows/llm-evals.yml from pipelock exclude-paths — both already have inline # pipelock:ignore markers - Keep Dockerfile.preview with inline explanation: uses local dev creds (rails/rails) and Dockerfile syntax can't use # pipelock:ignore markers
36 lines
1.0 KiB
YAML
36 lines
1.0 KiB
YAML
name: Pipelock Security Scan
|
|
|
|
on:
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
security-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
|
|
- name: Pipelock Scan
|
|
uses: luckyPipewrench/pipelock@cef4f47eb99ffe00e20fa7d1423bff1a44742dbe # v2.4.0
|
|
with:
|
|
scan-diff: 'true'
|
|
fail-on-findings: 'true'
|
|
test-vectors: 'false'
|
|
exclude-paths: |
|
|
.env.example
|
|
compose.example.yml
|
|
compose.example.ai.yml
|
|
config/locales/views/reports/
|
|
docs/hosting/ai.md
|
|
app/models/provider/binance.rb
|
|
workers/preview/package-lock.json
|
|
# Preview Dockerfile uses local dev credentials (rails/rails) that are
|
|
# not real secrets; Dockerfile format does not support inline # pipelock:ignore
|
|
Dockerfile.preview
|