| - name: 📥 Checkout repository | ||
| uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # main | ||
|
|
||
| - name: 🟢 Setup Node.js | ||
| uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # main | ||
| with: | ||
| node-version-file: ".tool-versions" | ||
| cache: "npm" | ||
|
|
||
| - name: 🗄 Cache node_modules | ||
| id: cache-node_modules | ||
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # main | ||
| with: | ||
| path: "**/node_modules" | ||
| key: node_modules-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} | ||
|
|
||
| - name: 🗄 Cache .eslintcache | ||
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # main | ||
| with: | ||
| path: .eslintcache | ||
| key: eslintcache-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} | ||
|
|
||
| - name: 🔍 Install dependencies | ||
| if: steps.cache-node_modules.outputs.cache-hit != 'true' | ||
| run: | | ||
| npm ci --ignore-scripts --prefer-offline --no-audit |
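Review bot: the three `uses:` lines pin full commit SHAs, which is the right posture, but the trailing `# main` comments tell an automated updater (Dependabot, Renovate) to track the `main` branch rather than a release, so every refresh of the SHA pulls whatever commit happens to be on upstream main; change the comments to a release tag (e.g. `# vN`) so the pin only moves between tagged releases. The checkout step also has no `with:` block, so `persist-credentials` stays at its default of true and the job token is left in `.git/config` for the rest of the job; nothing here pushes, so set `persist-credentials: false`. `npm ci --ignore-scripts` is a good call for a scan-only job, since no install scripts from the dependency tree get to execute.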
I duplicated this from the existing test workflow. Not sure if we should integrate the Secretlint workflow into the existing workflow?
Pull request overview
This PR adds Secretlint-based secret scanning to the template to catch leaked credentials both before commits (via lint-staged) and in CI (via a dedicated GitHub Actions workflow), addressing #69’s request for an npm-installable alternative to tools like gitleaks.
Changes:
- Add `secretlint` and the recommended preset to `devDependencies`.
- Run Secretlint in the pre-commit pipeline via `lint-staged`.
- Add `.secretlintrc.json` and a new GitHub Actions workflow to run Secretlint in CI.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| package.json | Adds Secretlint and its recommended rules preset as dev dependencies. |
| package-lock.json | Locks Secretlint and transitive dependencies for reproducible installs. |
| lint-staged.config.js | Runs Secretlint on staged files as part of pre-commit checks. |
| .secretlintrc.json | Introduces the Secretlint configuration using the recommended preset. |
| .github/workflows/secretlint.yml | Adds a CI workflow to run Secretlint on pushes/PRs. |
| - name: 🗄 Cache .eslintcache | ||
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # main | ||
| with: | ||
| path: .eslintcache | ||
| key: eslintcache-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} | ||
|
|
This workflow caches .eslintcache, but it never runs ESLint. This adds unnecessary cache restore/save overhead and can be removed (or replaced with a Secretlint-specific cache if needed).
| - name: 🗄 Cache .eslintcache | |
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # main | |
| with: | |
| path: .eslintcache | |
| key: eslintcache-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} |
| npm ci --ignore-scripts --prefer-offline --no-audit | ||
|
|
||
| - name: Lint with Secretlint | ||
| run: npx secretlint --format github "**/*" |
Using npx secretlint can fall back to downloading/executing a package if the local binary isn't present, which is undesirable for a security check. Prefer npx --no-install secretlint ... or npm exec -- secretlint ... to guarantee the lockfile-pinned local dependency is used.
| run: npx secretlint --format github "**/*" | |
| run: npm exec -- secretlint --format github "**/*" |
|
I still need to test locally if I get an error when trying to commit a secret. I just did that but got no error. Not sure whether the pre-commit hooks actually run. All I need for Husky is to

Edit: works now, my commit gets rejected when I try to add credentials.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This reverts commit cd02058.
| path: .eslintcache | ||
| key: eslintcache-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} | ||
|
|
||
| - name: 🔍 Install dependencies |
Maybe we don't even need to install dependencies. We could instead just install secretlint via npx, right? I would suppose that we wouldn't need to install all other dependencies to perform the secret linting check.
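Two points in this thread pull the same way: the pre-commit hook has to actually run on what is being committed, and a security check should never fall back to fetching an arbitrary `secretlint` from the registry when the lockfile-pinned copy is not installed. The script below is an added example of a fail-closed pre-commit scan written for this review; it is not the PR's `lint-staged.config.js` or Husky hook. It assumes `secretlint` was installed with `npm ci`, so its binary sits at `node_modules/.bin/secretlint` (the `SECRETLINT_BIN` override and the `secretlint-staged.sh` file name are assumptions of the example).

```shell
#!/bin/sh
# Added example, not part of the PR: scan only the files staged for commit with
# the locally installed, lockfile-pinned secretlint, and refuse to run at all if
# that binary is missing rather than letting npx download one.
# Assumption: `npm ci` was run, so the binary is node_modules/.bin/secretlint
# (override with SECRETLINT_BIN for a different layout).

SECRETLINT_BIN="${SECRETLINT_BIN:-node_modules/.bin/secretlint}"

# NUL-separated list of staged paths that will land in the commit: added,
# copied, modified, renamed. Deleted files have no content left to scan.
staged_files() {
  git diff --cached --name-only --diff-filter=ACMR -z
}

# Fail closed: the only acceptable scanner is the one installed from the
# lockfile. Returns 0 if it exists and is executable, 2 otherwise.
check_local_binary() {
  if [ ! -x "$1" ]; then
    echo "secretlint not found at '$1'; run 'npm ci' first (refusing to fall back to a download)" >&2
    return 2
  fi
  return 0
}

# Scan the staged files. Exit status: 0 when clean or nothing is staged,
# secretlint's own non-zero status when it reports findings, 2 when the
# scanner is missing.
scan_staged() {
  check_local_binary "$SECRETLINT_BIN" || return $?
  bytes=$(staged_files | wc -c | tr -d ' ')
  if [ "$bytes" -eq 0 ]; then
    echo "no staged files to scan"
    return 0
  fi
  # xargs -0 keeps paths with spaces or newlines intact.
  staged_files | xargs -0 "$SECRETLINT_BIN"
}

# Run only when executed directly (e.g. from .husky/pre-commit), not when
# this file is sourced for its functions.
case "$0" in
  *secretlint-staged.sh) scan_staged ;;
esac
```

Wire it in from `.husky/pre-commit` as `sh scripts/secretlint-staged.sh`; a non-zero exit from the script is what makes Git refuse the commit, so the "refuse to run" branch blocks the commit too, instead of silently passing it because the scanner was absent. The CI counterpart of the same idea is the `npm exec -- secretlint ...` form suggested above: both resolve the binary from `node_modules` only. Note that this scans the staged tree only, not history, which is why the CI job still needs to run over the whole checkout.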
closes #69
This introduces `secretlint` into the template, running both locally in the pre-commit hook as well as in GitHub Actions.