fix(dashboard): Improve conversation telemetry #1109
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Secret Scan | |
| on: [pull_request, merge_group] | |
| jobs: | |
| secret-scan: | |
| name: Secret Scan | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: "read" | |
| outputs: | |
| latest_release: ${{ steps.trufflehog_release.outputs.latest_release }} | |
| latest_tag_name: ${{ steps.trufflehog_release.outputs.latest_tag_name }} | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Install Cosign | |
| # v4 of the action install v3 of the CLI. v4 of the CLI will deprecate some features so be aware. | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| - name: Pin Trufflehog to a known good release | |
| id: trufflehog_release | |
| shell: bash | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| LATEST_TAG_NAME=$(gh api repos/trufflesecurity/trufflehog/releases --jq '.[1].tag_name') | |
| if [[ -z "$LATEST_TAG_NAME" || "$LATEST_TAG_NAME" == "null" ]]; then | |
| echo "::error::Failed to fetch TruffleHog release info" | |
| exit 1 | |
| fi | |
| echo "Using TruffleHog version: $LATEST_TAG_NAME" | |
| echo "latest_tag_name=$LATEST_TAG_NAME" >> "$GITHUB_OUTPUT" | |
| echo "latest_release=${LATEST_TAG_NAME#v}" >> "$GITHUB_OUTPUT" | |
| - name: Download and verify TruffleHog release | |
| run: | | |
| curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt | |
| curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem | |
| curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig | |
| curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz | |
| cosign verify-blob trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt \ | |
| --certificate trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem \ | |
| --signature trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig \ | |
| --certificate-identity-regexp 'https://github\.com/trufflesecurity/trufflehog/\.github/workflows/.+' \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | |
| sha256sum --ignore-missing -c trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt | |
| - name: Extract TruffleHog | |
| run: | | |
| tar xzf trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz -C /usr/local/bin | |
| chmod +x /usr/local/bin/trufflehog | |
| - name: Run TruffleHog scan | |
| continue-on-error: true | |
| id: scan | |
| run: | | |
| if [ -e .secret_scan_ignore ]; then | |
| trufflehog git file://. --only-verified --github-actions --fail --exclude-paths=.secret_scan_ignore --exclude-detectors="datadogtoken" | |
| else | |
| trufflehog git file://. --only-verified --github-actions --fail --exclude-detectors="datadogtoken" | |
| fi | |
| - name: Send Alert to SIEM | |
| id: alert | |
| env: | |
| SIEM_WEBHOOK_URL: ${{ vars.SECRET_SCAN_SIEM_WEBHOOK_URL }} | |
| SCAN_OUTCOME: ${{ steps.scan.outcome }} | |
| REPO: ${{ github.repository }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| PR_CREATED_AT: ${{ github.event.pull_request.created_at }} | |
| PR_ACTOR: ${{ github.event.pull_request.user.login }} | |
| EVENT_ACTOR: ${{ github.actor }} | |
| run: | | |
| if [[ -z "$SIEM_WEBHOOK_URL" ]]; then | |
| exit 0 | |
| fi | |
| # On merge_group events there is no pull_request context, so PR-derived | |
| # fields are empty. Use current timestamp as next best effort. | |
| created_at="${PR_CREATED_AT:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}" | |
| actor="${PR_ACTOR:-$EVENT_ACTOR}" | |
| if [[ -n "$PR_NUMBER" ]]; then | |
| pull_request="https://github.com/${REPO}/pull/${PR_NUMBER}" | |
| else | |
| pull_request="" | |
| fi | |
| jq -n \ | |
| --arg event "github_secret_scanning" \ | |
| --arg status "$SCAN_OUTCOME" \ | |
| --arg createdAt "$created_at" \ | |
| --arg repo "$REPO" \ | |
| --arg pull_request "$pull_request" \ | |
| --arg actor "$actor" \ | |
| '{event: $event, status: $status, createdAt: $createdAt, repo: $repo, pull_request: $pull_request, actor: $actor}' \ | |
| | curl --fail --silent --show-error \ | |
| -H "Content-Type: application/json" \ | |
| --data @- \ | |
| "$SIEM_WEBHOOK_URL" \ | |
| || echo "::warning::SIEM alert failed (non-blocking)" | |
| - name: Fail workflow if secret detected | |
| if: ${{ !cancelled() && steps.scan.outcome != 'success' }} | |
| run: exit 1 |