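name: Security Check

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least privilege: every step only reads the checkout, so the job token is
# restricted to read-only. This bounds what a compromised step or a malicious
# third-party action could do with it.
permissions:
  contents: read

jobs:
  security:
    runs-on: ubuntu-latest
    defaults:
      run:
        # Naming the shell explicitly gives `bash -eo pipefail`; with the
        # implicit default only `-e` is set, so a failed `curl` in the
        # `curl | sh` pipeline below would be masked by `sh` exiting 0.
        shell: bash
    steps:
      # NOTE(review): tag refs are mutable; pinning these two actions to full
      # commit SHAs gives a stronger supply-chain guarantee than `@v4`.
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'

      - name: Install uv
        # uv is installed once here. $GITHUB_PATH makes it visible to later
        # steps, so the build step no longer re-runs the installer. A venv
        # activated inside one step does not carry over to the next, so none
        # is created. The installer is unpinned and fetched over the network,
        # which is a supply-chain exposure worth pinning when possible.
        run: |
          curl -LsSf https://astral.sh/uv/install.sh | sh
          # The installer's target directory has differed across uv releases;
          # both candidates are added so `uv` resolves either way.
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"

      - name: Check for hardcoded credentials
        run: |
          echo "🔍 Checking for hardcoded credentials..."
          # Paths skipped by every grep below. Docs, YAML and shell files are
          # deliberately not scanned (they tend to hold example keys), which
          # also means a real secret in one of them passes this gate.
          EXCLUDES=(--exclude-dir=.git --exclude-dir=.venv --exclude-dir=__pycache__
                    --exclude='*.md' --exclude='*.yml' --exclude='*.yaml' --exclude='*.sh')
          # Google API key shape: "AIza" followed by exactly 35 key characters.
          if grep -r -e "AIza[A-Za-z0-9_-]\{35\}" . "${EXCLUDES[@]}"; then
            echo "❌ Found potential API keys"
            exit 1
          fi
          # PEM private-key header, including the "RSA"/"EC"/"OPENSSH" variants.
          # `-e` is required: a pattern beginning with "-" is otherwise parsed
          # as a grep option, the command errors out, and the check never fires.
          if grep -r -e "-----BEGIN [A-Z ]*PRIVATE KEY-----" . "${EXCLUDES[@]}"; then
            echo "❌ Found hardcoded private keys"
            exit 1
          fi
          # "sk-" style secret tokens of 20 or more characters.
          if grep -r -e "sk-[A-Za-z0-9_-]\{20,\}" . "${EXCLUDES[@]}"; then
            echo "❌ Found potential secrets"
            exit 1
          fi
          echo "✅ No hardcoded credentials found"

      - name: Check for sensitive files
        run: |
          echo "🔍 Checking for sensitive files..."
          # Example/template files are allowed; anything else matching the
          # given name filters is treated as a real credential file and fails
          # the job. Arguments: a label for the message, then find(1) filters.
          check_absent() {
            local label="$1"; shift
            local found
            found=$(find . "$@" -not -path "./.git/*" -not -name "*example*" -not -name "*template*" 2>/dev/null)
            if [ -n "$found" ]; then
              echo "❌ Found $label:"
              echo "$found"
              exit 1
            fi
          }
          check_absent "MCP config files that might contain credentials" -name "*.mcp.json" -not -name "sample-mcp-config.json"
          check_absent "credential files that might contain real data" -name "credentials*.json"
          check_absent "environment files that might contain real data" -name ".env*"
          echo "✅ No sensitive files found"

      - name: Verify package security
        run: |
          echo "🔍 Verifying package security..."
          # uv was installed and put on PATH by the "Install uv" step.
          uv build
          # Scan every sdist uv wrote to dist/. Globbing replaces the old
          # regex read of pyproject.toml, whose hard-coded fallback version
          # silently pointed the check at a file that might not exist. The
          # quoted heredoc keeps the shell from expanding the Python source.
          python - <<'PYEOF'
          import glob
          import re
          import sys
          import tarfile

          # Same shapes as the grep step, so both gates agree on what a hit is.
          PATTERNS = {
              'API key': re.compile(r'AIza[A-Za-z0-9_-]{35}'),
              'secret': re.compile(r'sk-[A-Za-z0-9_-]{20,}'),
              'private key': re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----'),
          }

          sdists = sorted(glob.glob('dist/*.tar.gz'))
          if not sdists:
              print('❌ Package file not found: dist/*.tar.gz')
              sys.exit(1)

          scanned = 0
          for package_file in sdists:
              with tarfile.open(package_file) as archive:
                  for member in archive.getmembers():
                      if not (member.isfile() and member.name.endswith('.py')):
                          continue
                      # Undecodable bytes are replaced rather than the file
                      # being skipped: a file that fails to decode must still
                      # be scanned, not silently passed.
                      content = archive.extractfile(member).read().decode('utf-8', errors='replace')
                      scanned += 1
                      for label, pattern in PATTERNS.items():
                          if pattern.search(content):
                              print(f'❌ Found potential {label} in {member.name} ({package_file})')
                              sys.exit(1)
          print(f'✅ Package security verified ({scanned} Python files scanned)')
          PYEOF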