Files
sure/.github/workflows/pipelock.yml
DataEnginr 9bbb0e7b32 Remove redundant pipelock exclusions, document Dockerfile.preview exclusion
- Remove .github/workflows/ci.yml and .github/workflows/llm-evals.yml from
  pipelock exclude-paths — both already have inline # pipelock:ignore markers
- Keep Dockerfile.preview with inline explanation: uses local dev creds
  (rails/rails) and Dockerfile syntax can't use # pipelock:ignore markers
2026-06-15 09:29:06 +00:00

36 lines
1.0 KiB
YAML

name: Pipelock Security Scan
on:
pull_request:
branches: [main]
permissions:
contents: read
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
fetch-depth: 0
persist-credentials: false
- name: Pipelock Scan
uses: luckyPipewrench/pipelock@cef4f47eb99ffe00e20fa7d1423bff1a44742dbe # v2.4.0
with:
scan-diff: 'true'
fail-on-findings: 'true'
test-vectors: 'false'
exclude-paths: |
.env.example
compose.example.yml
compose.example.ai.yml
config/locales/views/reports/
docs/hosting/ai.md
app/models/provider/binance.rb
workers/preview/package-lock.json
# Preview Dockerfile uses local dev credentials (rails/rails) that are
# not real secrets; Dockerfile format does not support inline # pipelock:ignore
Dockerfile.preview