iOS/iPad: lead PerformerDetailView with artist identity; tighten bio #317
```yaml
name: Secret scan
# Runs gitleaks against every push and pull request, scanning both the
# staged changes and (on the first run) the full git history. If gitleaks
# finds anything matching its built-in credential patterns — AWS keys,
# GitHub tokens, Stripe keys, private keys, JWTs, generic high-entropy
# API-key-shaped strings, postgres DSNs with embedded passwords, etc. —
# the job exits non-zero and the CI check fails.
#
# This is the non-bypassable server-side safety net. A local `--no-verify`
# on commit can't skip this.
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  gitleaks:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # fetch-depth: 0 pulls full git history so gitleaks can scan
          # every reachable commit, not just HEAD. Without this, the
          # default shallow clone would hide secrets buried in earlier
          # commits.
          fetch-depth: 0
      - name: Install gitleaks
        env:
          # Pinned to a specific release for reproducibility. Bump this
          # deliberately when you want the new rules that come with a
          # newer gitleaks; older versions miss many findings (8.18.4
          # missed 10 of 11 findings that 8.30.1 catches on this repo).
          GITLEAKS_VERSION: 8.30.1
        run: |
          set -euo pipefail
          curl -sSL \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
            | tar -xz -C /tmp
          sudo mv /tmp/gitleaks /usr/local/bin/gitleaks
          gitleaks version
      - name: Run gitleaks
        # Flags:
        #   detect      — scan all reachable commits (full history)
        #   --source .  — scan the checked-out working copy
        #   --verbose   — show each finding with file and line context
        #   --redact    — mask the actual secret value in output, so
        #                 gitleaks's own logs never leak the secret
        #   --no-banner — suppress ASCII banner for cleaner log output
        # gitleaks exits 1 if any findings are detected, which fails
        # the job automatically — no extra error handling needed.
        run: gitleaks detect --source . --verbose --redact --no-banner
```
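The install step above pins a gitleaks version but pipes the download straight into `tar` without checking the archive's integrity. The following is an added example, not part of the original workflow: a shell helper that unpacks an archive only when its SHA-256 matches a pinned digest. The function names `verify_sha256` and `install_verified` are hypothetical, and the sample file is constructed.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded archive against a pinned SHA-256
# before unpacking it. Function names here are hypothetical helpers.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on a malformed pin, 3 if FILE is unreadable.
verify_sha256() {
  local file="$1" expected="$2" actual
  # Reject anything that is not exactly 64 hex characters, so an empty
  # or truncated pin can never pass by accident.
  case "$expected" in
    ""|*[!0-9a-fA-F]*) return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 2
  [ -f "$file" ] || return 3
  actual="$(sha256sum "$file" | cut -d' ' -f1)" || return 3
  # sha256sum prints lowercase hex; normalise the pin before comparing.
  expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
  [ "$actual" = "$expected" ]
}

# install_verified ARCHIVE EXPECTED_HEX DEST_DIR
# Unpacks ARCHIVE into DEST_DIR only after the digest check passes.
install_verified() {
  local archive="$1" expected="$2" dest="$3"
  if ! verify_sha256 "$archive" "$expected"; then
    echo "checksum mismatch for $archive, refusing to install" >&2
    return 1
  fi
  mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Constructed demo: pin the digest of a sample file, then tamper with it.
demo="$(mktemp)"
printf 'constructed release archive\n' > "$demo"
pin="$(sha256sum "$demo" | cut -d' ' -f1)"
verify_sha256 "$demo" "$pin" && echo "untampered: accepted"
printf 'x' >> "$demo"
verify_sha256 "$demo" "$pin" || echo "tampered: rejected"
rm -f "$demo"
```

In a workflow step this means saving the download to a file (`curl -o`) and passing it, together with a digest recorded for that exact release archive, to `install_verified` instead of piping `curl` into `tar`.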