chore(deps): bump org.junit.jupiter:junit-jupiter from 6.1.1 to 6.1.2 #740
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Entropy Beauty + TruffleHog Scan | |
| on: [push, release, pull_request_target] | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| issues: write # must be at workflow level for push/merge events | |
| jobs: | |
| scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # pinned commit (update sha if you bump the action) | |
| with: | |
| ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }} | |
| fetch-depth: ${{ github.event_name == 'pull_request_target' && 1 || 2 }} | |
| allow-unsafe-pr-checkout: ${{ github.event_name == 'pull_request_target' }} | |
| - name: Fetch PR base commit (needed for accurate diff) | |
| if: github.event_name == 'pull_request_target' | |
| run: git fetch origin ${{ github.event.pull_request.base.sha }} --depth=1 | |
| - name: Cache pip manually | |
| uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 | |
| with: | |
| path: ~/.cache/pip | |
| key: ${{ runner.os }}-pip-entropy-${{ hashFiles('.github/workflows/compute-entropy.py') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pip-entropy- | |
| - name: Setup Python | |
| uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 | |
| with: | |
| python-version: '3.12' | |
| - name: Install Python dependencies (only when needed) | |
| run: | | |
| python -m pip install --upgrade pip | |
| # No extra packages needed — compute-entropy.py uses only stdlib | |
| - name: Run TruffleHog | |
| uses: trufflesecurity/trufflehog@27b0417c16317ca9a472a9a8092acce143b49c55 # v3.95.9 | |
| with: | |
| path: . | |
| extra_args: --results=verified,unknown --filter-entropy=3.5 --json | |
| - name: Compute mid-4 beauty entropy | |
| env: | |
| EVENT_NAME: ${{ github.event_name }} | |
| BASE_SHA: ${{ github.event.pull_request.base.sha || '' }} | |
| HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }} | |
| run: python .github/workflows/compute-entropy.py | |
| - name: Post summary comment (PR only) | |
| if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target' | |
| uses: actions/github-script@v9 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const fs = require('fs'); | |
| // Read TruffleHog output — it prints one JSON object per line (NDJSON) | |
| let findings = []; | |
| if (fs.existsSync('trufflehog.json')) { | |
| try { | |
| const lines = fs.readFileSync('trufflehog.json', 'utf8').trim().split('\n'); | |
| findings = lines.map(line => { | |
| try { return JSON.parse(line); } catch(e) { return null; } | |
| }).filter(Boolean); | |
| } catch(e) {} | |
| } else { | |
| console.log("No trufflehog.json found, using empty findings"); | |
| } | |
| const beauty = JSON.parse(fs.readFileSync('/tmp/beauty.json', 'utf8')); | |
| let body = `## 🐷 TruffleHog + Entropy Beauty Scan\n\n`; | |
| body += `**Average entropy of changed code:** ${beauty.average_entropy} bits/char\n`; | |
| body += `**Verdict:** ${beauty.verdict}\n\n`; | |
| if (beauty.files && beauty.files.length) { | |
| body += `**Changed files entropy:**\n\`\`\`\n${beauty.files.join('\n')}\n\`\`\`\n\n`; | |
| } | |
| if (findings.length > 0) { | |
| body += `⚠️ **TruffleHog found ${findings.length} potential issue(s)**\n`; | |
| } else { | |
| body += `✅ No secrets or suspicious high-entropy strings found.\n`; | |
| } | |
| body += `\n*Mid-4 beauty heuristic in action — powered by our entropy chats! 😊*`; | |
| await github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| body: body | |
| }); | |
| # ── Create issue on push ONLY if suspicious (entropy outside 4.3–5.1) ── | |
| - name: Create issue on suspicious push | |
| if: github.event_name == 'push' || github.event_name == 'release' | |
| uses: actions/github-script@v9 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const fs = require('fs'); | |
| const beauty = JSON.parse(fs.readFileSync('/tmp/beauty.json', 'utf8')); | |
| // Only create issue if it's NOT beautiful mid-4 | |
| if (beauty.average_entropy >= 4.3 && beauty.average_entropy <= 5.1) { | |
| console.log("✅ Mid-4 beauty — no issue created"); | |
| return; | |
| } | |
| let findings = []; | |
| if (fs.existsSync('trufflehog.json')) { | |
| try { | |
| const lines = fs.readFileSync('trufflehog.json', 'utf8').trim().split('\n'); | |
| findings = lines.map(line => { | |
| try { return JSON.parse(line); } catch(e) { return null; } | |
| }).filter(Boolean); | |
| } catch(e) {} | |
| } | |
| let body = `**Average entropy:** ${beauty.average_entropy} bits/char\n\n`; | |
| body += `**Verdict:** ${beauty.verdict}\n\n`; | |
| if (beauty.files && beauty.files.length) { | |
| body += `**Changed files:**\n\`\`\`\n${beauty.files.join('\n')}\n\`\`\`\n\n`; | |
| } | |
| if (findings.length > 0) { | |
| body += `**TruffleHog found ${findings.length} potential issue(s)**\n`; | |
| } else { | |
| body += `✅ No secrets or suspicious high-entropy strings found.\n`; | |
| } | |
| body += `\n*Triggered by push to \`${context.sha}\` — mid-4 beauty heuristic*`; | |
| await github.rest.issues.create({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| title: `🚨 Suspicious entropy detected in recent push (${beauty.average_entropy})`, | |
| body: body, | |
| labels: ['entropy', 'security', 'review-needed'] | |
| }); | |
| console.log("⚠️ Created issue because entropy was outside mid-4 range"); |