From 671655411b1079d80c16d9041e26258d62a78f82 Mon Sep 17 00:00:00 2001
From: Nicolas Cantu
Date: Fri, 15 May 2026 15:47:52 +0200
Subject: [PATCH] add shared no-tracked-dotenv CI guard
Add the shared dotenv guard script and enforce it in CI to block tracked .env* and *.env files outside .secrets.
---
.gitea/workflows/no-tracked-dotenv.yml | 16 ++++++++
scripts/check-no-tracked-dotenv-files.sh | 49 ++++++++++++++++++++++++
2 files changed, 65 insertions(+)
create mode 100644 .gitea/workflows/no-tracked-dotenv.yml
create mode 100755 scripts/check-no-tracked-dotenv-files.sh
diff --git a/.gitea/workflows/no-tracked-dotenv.yml b/.gitea/workflows/no-tracked-dotenv.yml
new file mode 100644
index 0000000..c42cdee
--- /dev/null
+++ b/.gitea/workflows/no-tracked-dotenv.yml
@@ -0,0 +1,16 @@
+name: no-tracked-dotenv
+
+on:
+ push:
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ verify-no-tracked-dotenv:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Ensure no tracked dotenv files
+ run: bash scripts/check-no-tracked-dotenv-files.sh
diff --git a/scripts/check-no-tracked-dotenv-files.sh b/scripts/check-no-tracked-dotenv-files.sh
new file mode 100755
index 0000000..768a06c
--- /dev/null
+++ b/scripts/check-no-tracked-dotenv-files.sh
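Review bot: `uses: actions/checkout@v4` in the Checkout step pins the action to a mutable tag, so the code that checks out the tree for this guard can change without any diff in this repository; pin it to a full commit SHA and keep the tag as a comment, `uses: actions/checkout@<full-commit-sha> # v4`. The job also declares no `permissions:` block; if the Gitea runner honours it, `permissions: contents: read` at job level would keep the token at least privilege, since both steps only read the tree. Note that the `run:` line passes no arguments, so the script's optional allowlist is never consulted in CI; that is consistent with an enforce-everything policy but deserves a one-line comment on the step so nobody assumes an allowlist file is being read.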
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+TARGET_REPO="${1:-$(pwd)}"
+ALLOWED_PREFIX="${2:-.secrets/}"
+TAG="${3:-[check-no-tracked-dotenv]}"
+ALLOWLIST_FILE="${4:-}"
+
+if [[ ! -d "${TARGET_REPO}/.git" ]]; then
+ echo "${TAG} ERR not a git repository: ${TARGET_REPO}" >&2
+ exit 1
+fi
+
+tracked_dotenv="$(
+ git -C "$TARGET_REPO" ls-files | awk -v allowed="$ALLOWED_PREFIX" '
+ /(^|\/)(\.env($|\.|\/)|[^\/]+\.env($|\/))/ {
+ if ($0 !~ ("^" allowed)) print
+ }
+ '
+)"
+
+if [[ -n "$ALLOWLIST_FILE" && -f "$ALLOWLIST_FILE" ]]; then
+ filtered_dotenv=""
+ while IFS= read -r dotenv_path; do
+ [[ -z "$dotenv_path" ]] && continue
+ allowed_match=0
+ while IFS= read -r allowed_path; do
+ allowed_trimmed="$(printf '%s' "$allowed_path" | awk '{$1=$1;print}')"
+ [[ -z "$allowed_trimmed" ]] && continue
+ [[ "$allowed_trimmed" == \#* ]] && continue
+ if [[ "$dotenv_path" == "$allowed_trimmed" ]]; then
+ allowed_match=1
+ break
+ fi
+ done < "$ALLOWLIST_FILE"
+ if [[ "$allowed_match" -eq 0 ]]; then
+ filtered_dotenv+="${dotenv_path}"$'\n'
+ fi
+ done <<< "$tracked_dotenv"
+ tracked_dotenv="${filtered_dotenv%$'\n'}"
+fi
+
+if [[ -n "$tracked_dotenv" ]]; then
+ echo "${TAG} ERR tracked .env files are forbidden outside ${ALLOWED_PREFIX}" >&2
+ printf '%s\n' "$tracked_dotenv" >&2
+ exit 1
+fi
+
+echo "${TAG} OK"
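Review bot: The exemption test in the awk filter that builds `tracked_dotenv`, `if ($0 !~ ("^" allowed)) print`, uses ALLOWED_PREFIX as an extended regex rather than a literal prefix, so the default `.secrets/` also exempts a tracked `.env` under any directory matching `?secrets/`, and a caller-supplied prefix with metacharacters widens the exemption further; compare literally instead with `if (substr($0, 1, length(allowed)) != allowed) print` (note too that `awk -v` interprets backslash escapes in the value before the comparison). Separately, the `[[ ! -d "${TARGET_REPO}/.git" ]]` guard rejects linked worktrees and submodule checkouts, where `.git` is a file; `git -C "$TARGET_REPO" rev-parse --git-dir >/dev/null 2>&1 || { echo "${TAG} ERR not a git repository: ${TARGET_REPO}" >&2; exit 1; }` covers both. The allowlist branch also silently ignores an `$ALLOWLIST_FILE` that is set but does not exist, which turns a typo in the path into "no allowlist" rather than an error; for a blocking guard, failing loudly when a named allowlist is missing is the safer default. Since `git ls-files` quotes paths with unusual characters unless `core.quotePath` is off, `ls-files -z` with `awk -v RS='\0'` or a `read -d ''` loop would make the exact-match allowlist comparison reliable for such names.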