Skip to content

iOS/iPad: lead PerformerDetailView with artist identity; tighten bio #317

iOS/iPad: lead PerformerDetailView with artist identity; tighten bio

iOS/iPad: lead PerformerDetailView with artist identity; tighten bio #317

Workflow file for this run

name: Secret scan
# Runs gitleaks against every push and pull request, scanning both the
# staged changes and (on the first run) the full git history. If gitleaks
# finds anything matching its built-in credential patterns — AWS keys,
# GitHub tokens, Stripe keys, private keys, JWTs, generic high-entropy
# API-key-shaped strings, postgres DSNs with embedded passwords, etc. —
# the job exits non-zero and the CI check fails.
#
# This is the non-bypassable server-side safety net. A local `--no-verify`
# on commit can't skip this.
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
gitleaks:
name: gitleaks
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# fetch-depth: 0 pulls full git history so gitleaks can scan
# every reachable commit, not just HEAD. Without this, the
# default shallow clone would hide secrets buried in earlier
# commits.
fetch-depth: 0
- name: Install gitleaks
env:
# Pinned to a specific release for reproducibility. Bump this
# deliberately when you want the new rules that come with a
# newer gitleaks; older versions miss many findings (8.18.4
# missed 10 of 11 findings that 8.30.1 catches on this repo).
GITLEAKS_VERSION: 8.30.1
run: |
set -euo pipefail
curl -sSL \
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
| tar -xz -C /tmp
sudo mv /tmp/gitleaks /usr/local/bin/gitleaks
gitleaks version
- name: Run gitleaks
# Flags:
# detect — scan all reachable commits (full history)
# --source . — scan the checked-out working copy
# --verbose — show each finding with file and line context
# --redact — mask the actual secret value in output, so
# gitleaks's own logs never leak the secret
# --no-banner — suppress ASCII banner for cleaner log output
# gitleaks exits 1 if any findings are detected, which fails
# the job automatically — no extra error handling needed.
run: gitleaks detect --source . --verbose --redact --no-banner