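---
# Security Check workflow.
#
# Runs the repository's own pre-publish checker and then fails the build if
# any file from a short deny-list is present in the checkout. The original
# paste had lost all indentation; the structure below is recovered from the
# key/step order and is what GitHub Actions expects.
name: Security Check

# Run on pushes to, and pull requests against, the long-lived branches.
# `on:` is a YAML 1.1 boolean key for generic parsers; GitHub's loader
# handles it, so suppress yamllint's `truthy` rule here if linting.
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

# Least privilege for the job token: every step only reads the checkout
# (no pushes, no comments, no releases), so the default token scope --
# which may include write permissions depending on repository settings --
# is not needed.
permissions:
  contents: read

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions are pinned by major tag. Pinning to a full
      # commit SHA is the stronger supply-chain control if the project
      # wants immutable action versions.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          # Quoted so YAML does not read the version as the float 3.1.
          python-version: '3.10'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install pyyaml

      # helpers/pre_publish_check.py is provided by the repository; a
      # non-zero exit status fails the job (the default `run` shell is
      # bash with -e and -o pipefail).
      - name: Run security check
        run: |
          python helpers/pre_publish_check.py

      # Fail if any of these files exist (they should be in .gitignore).
      # Every offending file is reported before the step exits, rather
      # than stopping at the first hit. Only the repository root is
      # inspected, exactly as the previous per-file `-f` tests did.
      - name: Check for sensitive files
        run: |
          status=0
          for f in ".env" "ansible_hosts.yml" "PROJECT_INSTRUCTIONS.md"; do
            if [ -f "$f" ]; then
              echo "ERROR: $f file found in repository!"
              status=1
            fi
          done
          if [ "$status" -ne 0 ]; then
            exit 1
          fi
          echo "✓ No sensitive files found"

      # `if: success()` is the implicit default for a step; kept explicit
      # so the intent (only print on a fully green job) is visible.
      - name: Summary
        if: success()
        run: |
          echo "✅ Security checks passed!"
          echo "No sensitive data detected in commit."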