guibranco / PIX-BACEN-SDK-dotnet

🇧🇷 :bank: :gear: PIX/SPI contracts from @bacen/pix-api/
https://guibranco.github.io/PIX-BACEN-SDK-dotnet/
MIT License

Add Infisical Secrets Check Workflow #119

Closed guibranco closed 2 weeks ago

guibranco commented 2 weeks ago

Description


Changes walkthrough 📝

Relevant files

Enhancement: .github/workflows/infisical-secrets-check.yml (+112/-0)
Add Infisical Secrets Check Workflow
  • Added a GitHub Actions workflow for Infisical secrets checking.
  • Configured steps for scanning secrets and generating reports.
  • Implemented artifact uploads for logs and reports.
  • Included PR comment updates based on scan results.
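The PR description above lists what the workflow does without showing it. What follows is an added example, not the PR's own `.github/workflows/infisical-secrets-check.yml` and not Infisical's code: one layout for such a workflow in which a failed CLI install or scan fails the job, the log and report artifacts are uploaded even when the scan step fails, and the PR comment is driven by the scan step's outcome rather than by whether a CSV file happens to exist. Assumed, and not taken from the PR: the Cloudsmith setup-script URL for the Infisical apt repository, the `--report-format`/`--report-path` flags on `infisical scan`, and the artifact and step names.

```yaml
# Added example, not the PR's own workflow file and not Infisical's code.
# Layout for a secrets-check workflow: install the CLI, scan, keep the
# artifacts whether or not the scan passed, and comment on the PR from the
# scan step's outcome. Values marked "assumption" are not from the PR.
name: Infisical secrets check

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  pull-requests: write   # only the PR-comment step needs this

jobs:
  secrets-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout with full history so every commit is scanned
        # Pin to a full commit SHA in production; the tag is kept here for readability.
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install Infisical CLI
        shell: bash   # explicit bash runs with -eo pipefail: any failing command fails the step
        run: |
          # Assumption: the Infisical apt repository is registered by its Cloudsmith
          # setup script; check the Infisical docs for the current URL.
          curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
          sudo apt-get update
          sudo apt-get install -y infisical
          infisical --version   # fail fast if the package installed but the binary is unusable

      - name: Scan for exposed secrets
        id: scan
        shell: bash
        run: |
          # Assumption: `infisical scan` accepts gitleaks-style report flags.
          # tee keeps a log for the artifact; pipefail preserves the scan's exit code.
          infisical scan --report-format=csv --report-path=secrets-result.csv 2>&1 | tee secrets-result.log

      - name: Upload scan log
        if: always()   # keep evidence even when the scan step failed
        uses: actions/upload-artifact@v4
        with:
          name: report-log
          path: secrets-result.log

      - name: Upload CSV report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: report-csv
          path: secrets-result.csv
          if-no-files-found: ignore   # a clean scan may write no CSV at all

      - name: Comment on the pull request
        # Gate on the scan outcome, not on whether a CSV exists, so a crashed
        # scan is never reported as "no secrets leaked".
        if: always() && github.event_name == 'pull_request'
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const outcome = '${{ steps.scan.outcome }}';
            const log = fs.existsSync('secrets-result.log')
              ? fs.readFileSync('secrets-result.log', 'utf8')
              : '(no log produced)';
            const headline = outcome === 'success'
              ? 'Infisical secrets check: :white_check_mark: No secrets leaked!'
              : 'Infisical secrets check: :x: secrets found or scan failed (outcome: ' + outcome + ')';
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: headline + '\n\nScan results:\n\n~~~\n' + log + '\n~~~',
            });
```

The `permissions` block is deliberately minimal: the default `GITHUB_TOKEN` only needs `pull-requests: write` for the comment step, and nothing here needs write access to repository contents.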
    penify-dev[bot] commented 2 weeks ago

    PR Review 🔍

    โฑ๏ธ Estimated effort to review [1-5] 4, because the workflow is complex with multiple steps and conditions, requiring careful review to ensure all scenarios are handled correctly.
    ๐Ÿงช Relevant tests No
    โšก Possible issues Potential Bug: The workflow assumes that the Infisical CLI installation will always succeed. If it fails, the subsequent steps may not execute as expected.
    Error Handling: The workflow does not appear to handle cases where the scan might fail without producing a CSV file, which could lead to misleading PR comments.
    ๐Ÿ”’ Security concerns No
    penify-dev[bot] commented 2 weeks ago

    PR Code Suggestions ✨

    Possible issue (score 9)
    Add error handling for the installation command to manage potential failures
    It is advisable to check the exit status of the apt-get install command to handle any potential installation failures gracefully. [.github/workflows/infisical-secrets-check.yml [32]](https://github.com/guibranco/PIX-BACEN-SDK-dotnet/pull/119/files#diff-ff2c948e92b0fe6b093877c73d2382b7aece339fd6c0e27c4c122299b4b60000R32-R32) ```diff -- sudo apt-get install -y infisical +- sudo apt-get install -y infisical || { echo "Installation failed"; exit 1; } ```
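Review bot: the `|| { echo "Installation failed"; exit 1; }` guard in the suggested hunk is redundant on GitHub-hosted Linux runners, where `run` steps execute under `bash -e` (and `bash -eo pipefail` when `shell: bash` is set explicitly), so a non-zero exit from `apt-get install` already fails the step. If the concern is a package that installs but leaves no usable binary, the useful addition is a follow-up command that invokes the CLI (printing its version, for instance) so the job fails before the scan step.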
    Suggestion importance [1-10]: 9. Why: Adding error handling to the installation command is important for robustness, as it ensures that the workflow fails gracefully if the installation does not succeed.
    Best practice (score 8)
    Use a specific version tag for the checkout action to ensure stability
    Consider using a specific version tag for the actions/checkout action to ensure consistency and avoid unexpected changes in behavior due to updates. [.github/workflows/infisical-secrets-check.yml [21]](https://github.com/guibranco/PIX-BACEN-SDK-dotnet/pull/119/files#diff-ff2c948e92b0fe6b093877c73d2382b7aece339fd6c0e27c4c122299b4b60000R21-R21) ```diff -- uses: actions/checkout@v4 +- uses: actions/checkout@v2 ```
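Review bot: the suggested hunk replaces `actions/checkout@v4` with `@v2`, which is a downgrade to an older major release rather than a more specific pin; `v4` is already a version tag, so the change does not achieve what its title claims and should not be applied. If stability and supply-chain safety are the goal, pin the action to a full commit SHA of the vetted v4 release (keeping the tag in a trailing comment so dependency-update tooling can still track it) instead of moving to an older tag.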
    Suggestion importance [1-10]: 8. Why: Using a specific version tag for actions helps maintain stability and predictability in CI/CD workflows, which is crucial for avoiding unexpected behavior.
    Enhancement (score 7)
    Refine the condition for executing steps to ensure they only run under specific circumstances
    Consider using a more specific condition for the if statements to avoid unnecessary execution of steps when the previous steps succeed. [.github/workflows/infisical-secrets-check.yml [58]](https://github.com/guibranco/PIX-BACEN-SDK-dotnet/pull/119/files#diff-ff2c948e92b0fe6b093877c73d2382b7aece339fd6c0e27c4c122299b4b60000R58-R58) ```diff -- if: failure() +- if: ${{ failure() && github.event_name == 'pull_request' }} ```
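Review bot: `failure()` already prevents the step from running when the previous steps succeed, so the rationale given for this hunk does not apply; the only effect of the added `github.event_name == 'pull_request'` clause is to skip the step on non-PR triggers such as `push` or `workflow_dispatch`. That is a reasonable guard if the step posts a PR comment and would otherwise fail for lack of a pull request number, so the change can be accepted on that basis rather than for efficiency.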
    Suggestion importance [1-10]: 7. Why: Refining the condition for executing steps can improve efficiency, but the current use of `failure()` is already a common practice in CI workflows.
    Maintainability (score 5)
    Standardize the indentation style for better readability
    To improve readability, consider using a consistent indentation style for the with parameters in the upload artifact steps. [.github/workflows/infisical-secrets-check.yml [53-67]](https://github.com/guibranco/PIX-BACEN-SDK-dotnet/pull/119/files#diff-ff2c948e92b0fe6b093877c73d2382b7aece339fd6c0e27c4c122299b4b60000R53-R67) ```diff +- with: +- name: report-log +- path: secrets-result.log - ```
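Review bot: the suggested hunk only adds three `with:` lines and removes a blank line; it never shows the existing lines being replaced, so a reviewer cannot tell what indentation is being standardised or whether the result is still valid YAML. A usable suggestion needs the current `with:` block as `-` lines beside the re-indented `+` lines. It also covers only the `report-log` / `secrets-result.log` upload, while the PR description lists artifact uploads for both logs and reports; both upload steps should end up with the same layout.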
    Suggestion importance [1-10]: 5. Why: While consistent indentation improves readability, this is a minor stylistic change that does not significantly impact functionality or performance.
    github-actions[bot] commented 2 weeks ago

    Infisical secrets check: :white_check_mark: No secrets leaked!

    Scan results:

    11:03AM INF scanning for exposed secrets...
    11:03AM INF 145 commits scanned.
    11:03AM INF scan completed in 99ms
    11:03AM INF no leaks found
    
    codacy-production[bot] commented 2 weeks ago

    Coverage summary from Codacy

    See diff coverage on Codacy

    | Coverage variation | Diff coverage |
    | --- | --- |
    | :white_check_mark: +0.00% (target: -1.00%) | :white_check_mark: ∅ |

    Coverage variation details

    | | Coverable lines | Covered lines | Coverage |
    | --- | --- | --- | --- |
    | Common ancestor commit (569b58e0f4c64f7430a2da8c42cbe464880148a5) | 75 | 1 | 1.33% |
    | Head commit (92485ef1268b27cb521dbb4012cb89505938af07) | 75 (+0) | 1 (+0) | 1.33% (**+0.00%**) |

    **Coverage variation** is the difference between the coverage for the head and common ancestor commits of the pull request branch: ` - `

    Diff coverage details

    | | Coverable lines | Covered lines | Diff coverage |
    | --- | --- | --- | --- |
    | Pull request (#119) | 0 | 0 | **∅ (not applicable)** |

    **Diff coverage** is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: `/ * 100%`


    Codacy stopped sending the deprecated coverage status on June 5th, 2024. Learn more

    AppVeyorBot commented 2 weeks ago

    :white_check_mark: Build PIX-BACEN-SDK-dotnet 1.1.343 completed (commit https://github.com/guibranco/PIX-BACEN-SDK-dotnet/commit/f6cb076c7e by @gstraccini[bot])

    sonarcloud[bot] commented 2 weeks ago

    Quality Gate passed

    Issues
    0 New issues
    0 Accepted issues

    Measures
    0 Security Hotspots
    0.0% Coverage on New Code
    0.0% Duplication on New Code

    See analysis details on SonarCloud

    codecov[bot] commented 2 weeks ago

    Codecov Report

    All modified and coverable lines are covered by tests :white_check_mark:

    Project coverage is 1.33%. Comparing base (569b58e) to head (92485ef). Report is 1 commit behind head on main.

    Additional details and impacted files

    ```diff
    @@           Coverage Diff           @@
    ##             main     #119   +/-   ##
    =====================================
      Coverage    1.33%    1.33%
    =====================================
      Files          17       17
      Lines          75       75
    =====================================
      Hits            1        1
      Misses         74       74
    ```

    :umbrella: View full report in Codecov by Sentry.
    :loudspeaker: Have feedback on the report? Share it here.