Add git-secrets check to build
git-secrets is a local tool that every developer has to set up on
their own working copy. Add it to the guide so new contributors
don't forget.

Initializes a new git repo if the current directory is not a git repo.

Fixes aws#271.
rix0rrr authored Jul 31, 2018
1 parent bb95676 commit 89d2d0f
Showing 4 changed files with 36 additions and 0 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -6,6 +6,7 @@ dist
pack
.BUILD_COMPLETED
.local-npm
.tools
coverage
.nyc_output
.LAST_BUILD
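Review bot: the new `.tools` entry is what keeps the cloned git-secrets checkout (with its nested `.git`) out of `git add -A .` in the fresh-repo path of git-secrets-scan.sh, but on its own the entry looks unrelated to the build. Since `.gitignore` only recognises comments on their own line, add one above it, e.g. `# git-secrets clone, see git-secrets-scan.sh`, so the next person pruning this file knows why it is here.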
3 changes: 3 additions & 0 deletions CONTRIBUTING.md
@@ -74,6 +74,9 @@ docker run --net=host -it -v $PWD:$PWD -w $PWD ${IMAGE}
This will get you into an interactive docker shell. You can then run
`./install.sh` and `./build.sh` as described below.

Also install the [git-secrets](https://github.com/awslabs/git-secrets) tool
and activate it on your working copy of the `aws-cdk` repository.

### Bootstrapping

1. Clone this repository (or run `git clean -fdx` to clean up all build artifacts).
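Review bot: "activate it on your working copy" leaves the contributor to work out which commands that means; spell them out, i.e. `git secrets --install` to enable the hooks and `git secrets --register-aws` for the AWS patterns (the same registration git-secrets-scan.sh performs in its fresh-repo path), so local commits are checked against the pattern set the build uses.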
2 changes: 2 additions & 0 deletions build.sh
@@ -5,6 +5,8 @@ if [ ! -d node_modules ]; then
/bin/bash ./install.sh
fi

/bin/bash ./git-secrets-scan.sh

BUILD_INDICATOR=".BUILD_COMPLETED"
rm -rf $BUILD_INDICATOR

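Review bot: a secret found by `./git-secrets-scan.sh` only stops the build if build.sh itself runs under `set -e`, which is not visible in this hunk; otherwise the script's non-zero exit is discarded and the build carries on. If there is no `set -e` at the top of build.sh, make the failure explicit, e.g. `/bin/bash ./git-secrets-scan.sh || exit 1`.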
30 changes: 30 additions & 0 deletions git-secrets-scan.sh
@@ -0,0 +1,30 @@
#!/bin/bash
set -euo pipefail

mkdir -p .tools
[[ ! -d .tools/git-secrets ]] && {
echo "============================================================================================="
echo "Downloading git-secrets..."
(cd .tools && git clone --depth 1 https://github.com/awslabs/git-secrets.git)
}

# As the name implies, git-secrets heavily depends on git:
#
# a) the config is stored and fetched using 'git config'.
# b) the search is performed using 'git grep' (other search methods don't work
# properly, see https://github.com/awslabs/git-secrets/issues/66)
#
# When we run in a CodeBuild build, we don't have a git repo, unfortunately. So
# when that's the case, 'git init' one on the spot, add all files to it (which
# because of the .gitignore will exclude dependencies and generated files) and
# then call 'git-secrets' as usual.
git rev-parse --git-dir > /dev/null 2>&1 || {
git init --quiet
git add -A .

# AWS config needs to be added to this fresh repository's config
.tools/git-secrets/git-secrets --register-aws
}

.tools/git-secrets/git-secrets --scan
echo "git-secrets scan ok"
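Review bot: `--register-aws` is only run inside the fresh-repo branch (`git rev-parse --git-dir > /dev/null 2>&1 || { ... }`), so on a developer checkout `--scan` checks only whatever patterns that developer happens to have registered, and the local and CodeBuild results can differ. Run the registration before `--scan` on both paths (guarding against duplicate `secrets.patterns` entries if git-secrets does not already dedupe them) so the two environments scan the same pattern set; the header comment should also say that the CodeBuild path leaves a freshly initialised `.git` directory behind, since later build steps may notice it.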
