Conversation
| - name: 📥 Checkout repository | ||
| uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # main | ||
|
|
||
| - name: 🟢 Setup Node.js | ||
| uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # main | ||
| with: | ||
| node-version-file: ".tool-versions" | ||
| cache: "npm" | ||
|
|
||
| - name: 🗄 Cache node_modules | ||
| id: cache-node_modules | ||
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # main | ||
| with: | ||
| path: "**/node_modules" | ||
| key: node_modules-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} | ||
|
|
||
| - name: 🗄 Cache .eslintcache | ||
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # main | ||
| with: | ||
| path: .eslintcache | ||
| key: eslintcache-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} | ||
|
|
||
| - name: 🔍 Install dependencies | ||
| if: steps.cache-node_modules.outputs.cache-hit != 'true' | ||
| run: | | ||
| npm ci --ignore-scripts --prefer-offline --no-audit |
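Review bot: the cache key in the `🗄 Cache node_modules` step (`node_modules-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}`) does not include the Node.js version that `node-version-file: ".tool-versions"` selects, yet a cache hit skips `npm ci` entirely, so bumping Node in `.tool-versions` would restore a node_modules tree installed for the previous runtime. Fold the version source into the key, e.g. `hashFiles('**/package-lock.json', '.tool-versions')`, or drop the node_modules cache and rely on setup-node's `cache: "npm"` with an unconditional `npm ci`.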
I duplicated this from the existing test workflow. Not sure if we should integrate it there maybe?
Pull request overview
This PR adds Secretlint-based secret scanning to the template to catch leaked credentials both before commits (via lint-staged) and in CI (via a dedicated GitHub Actions workflow), addressing #69’s request for an npm-installable alternative to tools like gitleaks.
Changes:
- Add `secretlint` and the recommended preset to `devDependencies`.
- Run Secretlint in the pre-commit pipeline via `lint-staged`.
- Add `.secretlintrc.json` and a new GitHub Actions workflow to run Secretlint in CI.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| package.json | Adds Secretlint and its recommended rules preset as dev dependencies. |
| package-lock.json | Locks Secretlint and transitive dependencies for reproducible installs. |
| lint-staged.config.js | Runs Secretlint on staged files as part of pre-commit checks. |
| .secretlintrc.json | Introduces the Secretlint configuration using the recommended preset. |
| .github/workflows/secretlint.yml | Adds a CI workflow to run Secretlint on pushes/PRs. |
| @@ -0,0 +1,38 @@ | |||
| name: Secretlint | |||
| on: [push, pull_request] | |||
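Review bot: the file header declares `name:` and `on:` but no `permissions:` block; unless one appears further down in the file, add a top-level `permissions: contents: read` after `on:`. A scanner only needs to read the checkout, and without an explicit block the job's GITHUB_TOKEN inherits the repository's default scope, which may be read-write.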
on: [push, pull_request] will run this workflow on every branch push and also on PRs, which typically leads to duplicate runs for PR branches. Consider aligning triggers with the existing test workflow (e.g., pull_request + push only on protected branches) to avoid unnecessary CI usage.
| on: [push, pull_request] | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: |
| - name: 🗄 Cache .eslintcache | ||
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # main | ||
| with: | ||
| path: .eslintcache | ||
| key: eslintcache-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} | ||
|
|
This workflow caches .eslintcache, but it never runs ESLint. This adds unnecessary cache restore/save overhead and can be removed (or replaced with a Secretlint-specific cache if needed).
| - name: 🗄 Cache .eslintcache | |
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # main | |
| with: | |
| path: .eslintcache | |
| key: eslintcache-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} |
| npm ci --ignore-scripts --prefer-offline --no-audit | ||
|
|
||
| - name: Lint with Secretlint | ||
| run: npx secretlint --format github "**/*" |
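Review bot: the `"**/*"` pattern in `Lint with Secretlint` runs in a workspace where the earlier `Cache node_modules` step may have restored `**/node_modules`; make sure those trees stay out of the scan (secretlint excludes node_modules by default, and a `.secretlintignore` covers anything else), otherwise the job scans third-party code and slows down. With `--format github` every finding is emitted as a PR annotation, so add `--maskSecrets` as well so the matched value itself is not echoed into the job log and the annotation text.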
Using npx secretlint can fall back to downloading/executing a package if the local binary isn't present, which is undesirable for a security check. Prefer npx --no-install secretlint ... or npm exec -- secretlint ... to guarantee the lockfile-pinned local dependency is used.
| run: npx secretlint --format github "**/*" | |
| run: npm exec -- secretlint --format github "**/*" |
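Putting the review points together, here is a hardened version of the workflow: restricted triggers, a read-only token, an unconditional `npm ci`, and the lockfile-pinned binary run through `npm exec`. This is an added example, not the file from the PR. The action SHAs and the `.tool-versions` version source are the ones the PR pins; the `main` branch name is assumed, and `--maskSecrets` is a secretlint CLI option the PR does not use.

```yaml
name: Secretlint

# Run on PRs and on pushes to the default branch only, so a PR branch
# does not trigger two runs (branch name "main" is assumed).
on:
  pull_request:
  push:
    branches:
      - main

# A scanner only reads the checkout; keep GITHUB_TOKEN read-only.
permissions:
  contents: read

jobs:
  secretlint:
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout repository
        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # main

      - name: 🟢 Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # main
        with:
          node-version-file: ".tool-versions"
          # Caches ~/.npm, not node_modules, so a Node bump in
          # .tool-versions still produces a fresh install below.
          cache: "npm"

      # Always install from the lockfile; --ignore-scripts keeps
      # dependency lifecycle scripts from running on the runner.
      - name: 🔍 Install dependencies
        run: npm ci --ignore-scripts --prefer-offline --no-audit

      # Runs the secretlint binary that npm ci just installed from the
      # lockfile. --maskSecrets keeps matched values out of the job log
      # and the PR annotations that --format github produces.
      - name: Lint with Secretlint
        run: npm exec -- secretlint --format github --maskSecrets "**/*"
```

Dropping the node_modules cache trades a few seconds of install time for a workspace that never contains a stale tree, and it removes the question of whether the `"**/*"` glob sweeps restored node_modules directories.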
I still need to test locally if I get an error when trying to commit a secret. I just did that but got no error. Not sure whether the pre-commit hooks actually run. All I need for Husky is to
closes #69
This introduces `secretlint` into the template, running both locally in the pre-commit hook as well as in GitHub Actions.