docv-ged-archive/scripts/check-no-tracked-dotenv-files.sh
Nicolas Cantu 671655411b
add shared no-tracked-dotenv CI guard
Add the shared dotenv guard script and enforce it in CI to block tracked .env* and *.env files outside .secrets.
2026-05-15 15:47:52 +02:00


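#!/usr/bin/env bash
# check-no-tracked-dotenv-files.sh — fail when the repository tracks dotenv
# files outside an allowed prefix.
#
# Usage:
#   check-no-tracked-dotenv-files.sh [TARGET_REPO] [ALLOWED_PREFIX] [TAG] [ALLOWLIST_FILE]
#
# Arguments:
#   $1 TARGET_REPO     repository root to inspect (default: current directory).
#                      Must contain a .git entry; a .git *file* (git worktree)
#                      is accepted as well as a .git directory.
#   $2 ALLOWED_PREFIX  tracked paths starting with this literal prefix are
#                      permitted (default: .secrets/). Compared as a plain
#                      string, not as a regular expression.
#   $3 TAG             prefix for every log line (default: [check-no-tracked-dotenv]).
#   $4 ALLOWLIST_FILE  optional file of exact tracked paths to tolerate, one
#                      per line; surrounding whitespace is ignored, blank lines
#                      and lines starting with '#' are skipped.
#
# A tracked path is reported when one of its components is `.env`, starts
# with `.env.` (e.g. `.env.local`) or ends in `.env` (e.g. `prod.env`).
#
# Outputs: "<TAG> OK" on stdout when nothing is found; otherwise
#          "<TAG> ERR ..." plus the offending paths on stderr.
# Exit status: 0 when the check passes, 1 when offending files are tracked or
#              TARGET_REPO is not a git repository.
set -euo pipefail

TARGET_REPO="${1:-$(pwd)}"
ALLOWED_PREFIX="${2:-.secrets/}"
TAG="${3:-[check-no-tracked-dotenv]}"
ALLOWLIST_FILE="${4:-}"

# Exact tracked paths tolerated by the allowlist file (keys only, value is 1).
declare -A ALLOWLIST=()

#######################################
# Print a tagged diagnostic line to stderr.
# Globals:   TAG (read)
# Arguments: message words
#######################################
log_err() {
  printf '%s ERR %s\n' "$TAG" "$*" >&2
}

#######################################
# List tracked dotenv paths that are not under ALLOWED_PREFIX.
# Globals:   TARGET_REPO, ALLOWED_PREFIX (read)
# Outputs:   one path per line on stdout (nothing when none match)
# Returns:   non-zero if git fails (pipefail)
#######################################
collect_tracked_dotenv() {
  # core.quotePath=false makes git print non-ASCII names verbatim instead of
  # C-quoted ("caf\303\251.env"), so the pattern and the allowlist comparison
  # see the real path.
  git -C "$TARGET_REPO" -c core.quotePath=false ls-files \
    | awk -v allowed="$ALLOWED_PREFIX" '
      /(^|\/)(\.env($|\.|\/)|[^\/]+\.env($|\/))/ {
        # Literal prefix test: using the prefix as a regex would let the "."
        # in ".secrets/" match any character (e.g. "xsecrets/.env").
        # NB: awk -v still interprets backslash escapes in the value.
        if (substr($0, 1, length(allowed)) != allowed) print
      }
    '
}

#######################################
# Load ALLOWLIST_FILE into ALLOWLIST once (instead of re-reading it for every
# candidate path). No-op when the file is not given or does not exist.
# Globals:   ALLOWLIST_FILE (read), ALLOWLIST (written)
#######################################
load_allowlist() {
  local line trimmed
  [[ -n "$ALLOWLIST_FILE" && -f "$ALLOWLIST_FILE" ]] || return 0
  # `|| [[ -n "$line" ]]` keeps a last line that lacks a trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    # Trim leading/trailing whitespace (including a CR from CRLF files) with
    # parameter expansion only; internal whitespace is preserved.
    trimmed="${line#"${line%%[![:space:]]*}"}"
    trimmed="${trimmed%"${trimmed##*[![:space:]]}"}"
    if [[ -z "$trimmed" || "$trimmed" == \#* ]]; then
      continue
    fi
    ALLOWLIST["$trimmed"]=1
  done < "$ALLOWLIST_FILE"
}

#######################################
# Drop allowlisted and empty entries from the newline-separated list on stdin.
# Globals:   ALLOWLIST (read)
# Outputs:   remaining paths, one per line, on stdout
#######################################
filter_allowlisted() {
  local path
  while IFS= read -r path; do
    if [[ -z "$path" || -n "${ALLOWLIST[$path]+x}" ]]; then
      continue
    fi
    printf '%s\n' "$path"
  done
}

main() {
  # -e (not -d): a worktree's .git is a regular file pointing at the gitdir.
  if [[ ! -e "${TARGET_REPO}/.git" ]]; then
    log_err "not a git repository: ${TARGET_REPO}"
    exit 1
  fi

  local tracked_dotenv
  tracked_dotenv="$(collect_tracked_dotenv)"
  load_allowlist
  tracked_dotenv="$(filter_allowlisted <<< "$tracked_dotenv")"

  if [[ -n "$tracked_dotenv" ]]; then
    log_err "tracked .env files are forbidden outside ${ALLOWED_PREFIX}"
    printf '%s\n' "$tracked_dotenv" >&2
    exit 1
  fi
  printf '%s OK\n' "$TAG"
}

main "$@"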