RAGFlow Claude MCP Server

name: TruffleHog Secrets Scan on: push: branches: [ main, master, develop ] pull_request: branches: [ main, master, develop ] workflow_dispatch: permissions: contents: read id-token: write issues: write pull-requests: write jobs: trufflehog: runs-on: ubuntu-latest name: TruffleHog Secrets Scan steps: - name: Checkout code uses: actions/checkout@v4 with: fetch-depth: 0 - name: TruffleHog OSS (Push Events) if: github.event_name == 'push' uses: trufflesecurity/trufflehog@main with: path: ./ base: ${{ github.event.before }} head: ${{ github.event.after }} extra_args: --debug --only-verified - name: TruffleHog OSS (PR Events) if: github.event_name == 'pull_request' uses: trufflesecurity/trufflehog@main with: path: ./ base: ${{ github.event.pull_request.base.sha }} head: ${{ github.event.pull_request.head.sha }} extra_args: --debug --only-verified - name: TruffleHog Full Scan (Manual Trigger) if: github.event_name == 'workflow_dispatch' uses: trufflesecurity/trufflehog@main with: path: ./ base: '' head: HEAD extra_args: --debug --only-verified - name: TruffleHog Detailed Scan uses: trufflesecurity/trufflehog@main with: path: ./ base: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event_name == 'push' && github.event.before || '' }} head: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.event_name == 'push' && github.event.after || 'HEAD' }} extra_args: | --debug --only-verified --json continue-on-error: true id: trufflehog_detailed - name: Process TruffleHog Results if: always() run: | echo "Scan completed. Check the logs above for any detected secrets." echo "If secrets are found, the workflow will fail to prevent the push/merge." - name: Comment PR on failure if: failure() && github.event_name == 'pull_request' uses: actions/github-script@v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, body: '⚠️ **Security Alert**: Potential secrets detected in this PR. Please review the TruffleHog scan results and remove any exposed credentials before merging.' })