42 changes: 42 additions & 0 deletions .github/workflows/secretlint.yml
@@ -0,0 +1,42 @@
name: Secretlint
on:
push:
branches:
- main
pull_request:
permissions:
contents: read
jobs:
test:
name: "Secretlint"
runs-on: ubuntu-latest
steps:
- name: 📥 Checkout repository
uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # main

- name: 🟢 Setup Node.js
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # main
with:
node-version-file: ".tool-versions"
cache: "npm"

- name: 🗄 Cache node_modules
id: cache-node_modules
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # main
with:
path: "**/node_modules"
key: node_modules-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}

- name: 🗄 Cache .eslintcache
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # main
with:
path: .eslintcache
key: eslintcache-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}

Comment on lines +30 to +35
Copilot AI Apr 2, 2026
This workflow caches .eslintcache, but it never runs ESLint. This adds unnecessary cache restore/save overhead and can be removed (or replaced with a Secretlint-specific cache if needed).

Suggested change
- name: 🗄 Cache .eslintcache
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # main
with:
path: .eslintcache
key: eslintcache-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}

- name: 🔍 Install dependencies
Member Author
Maybe we don't even need to install dependencies. We could instead just install secretlint via npx, right? I would suppose that we wouldn't need to install all other dependencies to perform the secret linting check.

if: steps.cache-node_modules.outputs.cache-hit != 'true'
run: |
npm ci --ignore-scripts --prefer-offline --no-audit
Comment on lines +14 to +39
Member Author @niklashaug Apr 2, 2026
I duplicated this from the existing test workflow. Not sure if we should integrate the Secretlint workflow into the existing workflow?


- name: Lint with Secretlint
run: npx secretlint --format github "**/*"
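Review bot: the `npx secretlint` step at the end of this hunk and the `if: steps.cache-node_modules.outputs.cache-hit != 'true'` guard on `npm ci` are coupled, and the diff shown here does not touch `package.json` or `package-lock.json`. If `secretlint` and `@secretlint/secretlint-rule-preset-recommend` are not already in the lockfile, `npm ci --ignore-scripts` will not install them, the restored `**/node_modules` cache will not contain them, and `npx` will fetch whatever the registry currently serves at run time, unpinned and outside the `contents: read` review boundary this workflow otherwise sets up. Please confirm both packages are lockfile-pinned devDependencies, and make the step fail rather than fall back when the local binary is absent, for example `run: npm exec -- secretlint --format github "**/*"` as suggested in the thread; if the `npm ci` step is dropped entirely (as raised above), the run would have nothing pinned to execute, so that question and this line need one answer.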
Copilot AI Apr 2, 2026
Using npx secretlint can fall back to downloading/executing a package if the local binary isn't present, which is undesirable for a security check. Prefer npx --no-install secretlint ... or npm exec -- secretlint ... to guarantee the lockfile-pinned local dependency is used.

Suggested change
run: npx secretlint --format github "**/*"
run: npm exec -- secretlint --format github "**/*"

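The fallback the comment above warns about can be closed off outside of npm's own flags as well. The following shell wrapper is an added example written for this page, not code from the PR or from the Secretlint project: it only runs a Node CLI when the tool is declared in `package-lock.json` (assuming a lockfileVersion 2 or 3 file, whose packages are keyed as `node_modules/<name>`) and its executable is already present under `./node_modules/.bin`, and it exits with a distinct code instead of fetching anything. The function name `run_pinned_bin` and the exit codes 65/66 are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the PR or Secretlint): run a Node CLI only when it
# resolves to the lockfile-pinned copy in ./node_modules/.bin; never let a
# missing binary turn into a registry download at run time.
# Usage in a CI step:  run_pinned_bin secretlint --format github "**/*"
# Assumptions: package-lock.json is lockfileVersion 2 or 3 (entries keyed as
# "node_modules/<name>") and `npm ci --ignore-scripts` has populated node_modules.

run_pinned_bin() {
  tool="$1"
  shift
  lock="package-lock.json"
  bin="./node_modules/.bin/$tool"

  # 1. The tool must be declared in the lockfile, so what runs is what was reviewed.
  if ! grep -q "\"node_modules/$tool\"" "$lock" 2>/dev/null; then
    echo "refusing to run $tool: not pinned in $lock" >&2
    return 65
  fi

  # 2. The pinned copy must already be installed; do not fall back to a fetch.
  if [ ! -x "$bin" ]; then
    echo "refusing to run $tool: $bin is missing (run 'npm ci --ignore-scripts' first)" >&2
    return 66
  fi

  # 3. Execute the local binary directly, passing the caller's arguments through.
  "$bin" "$@"
}
```

Because the wrapper exits non-zero before any network access, a workflow step that calls it fails loudly on a cache miss or an unpinned dependency, which is the behaviour a secret-scanning gate should have.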
7 changes: 7 additions & 0 deletions .secretlintrc.json
@@ -0,0 +1,7 @@
{
"rules": [
{
"id": "@secretlint/secretlint-rule-preset-recommend"
}
]
}
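Review bot: this config turns on `@secretlint/secretlint-rule-preset-recommend` with no per-rule options, and the workflow feeds it `"**/*"`, so any intentional credential-shaped strings in the repository (test fixtures, documentation samples) will fail CI on the first run. If such files exist, prefer scoping them with the preset's per-rule `allows` option or a `.secretlintignore` entry, with a short comment on why, rather than disabling the rule.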
1 change: 1 addition & 0 deletions lint-staged.config.js
@@ -1,4 +1,5 @@
export default {
"*": ["secretlint --no-glob"],
"*.{js,jsx,ts,tsx,html,css,json,json5,md}": ["prettier --write"],
"!(.github/workflows)/*.{yml,yaml}": ["prettier --write"],
".github/workflows/*.{yml,yaml}": [
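Review bot: the new `"*": ["secretlint --no-glob"]` entry only scans files that are staged at commit time, and lint-staged hooks are skipped by `git commit --no-verify`, so treat it as a developer convenience rather than a control; the CI workflow in this PR is the enforcing check, and neither scans commits already in history.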