Add secret scanning pipeline (#51188)

Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> Co-authored-by: Peter Bengtsson <peterbe@github.com>
2025-12-30 12:02:01 -05:00 · 2024-06-19 10:19:30 -07:00
parent 99d9b6ae8f
commit 931b182ccb
9 changed files with 157 additions and 52 deletions
--- a/.github/workflows/secret-scanning-pattern-table-updates.yml
+++ b/.github/workflows/secret-scanning-pattern-table-updates.yml
@@ -1,50 +0,0 @@
-name: Secret Scanning Pattern Table Updates
-
-# **What it does**: When a PR that updates `data/secret-scanning.yml` is opened in docs-internal, it adds the `ready-for-docs-review` label, as well as a comment explaining what this PR is for and that it needs to be reviewed quickly. It also provides reviewing instructions, and gives details of who can help.
-# **Why we have it**: To help Docs Content team members know what to do with this sort of PRs, or to direct them to who can help if they don't feel comfortable reviewing the PR themselves.
-# **Who does it impact**: docs-internal maintainers and docs content first responders.
-
-on:
-  pull_request:
-    types: [opened]
-    paths:
-      - data/secret-scanning.yml
-
-permissions:
-  contents: read
-  pull-requests: write
-  repository-projects: write
-
-jobs:
-  Process-secret-scanning-PR:
-    runs-on: ubuntu-latest
-    if: github.repository == 'github/docs-internal'
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Label pull requests updating the secret-scanning.yml file with ready-for-doc-review
-        run: gh pr edit $PR --add-label "ready-for-doc-review"
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR: ${{ github.event.pull_request.html_url }}
-      - name: Comment on the secret scanning partners PR
-        run: >
-          gh pr comment $PR --body "This PR updates data for secret scanning patterns
-          in the _/data/secret-scanning.yml_ file. The data in this file is used
-          to populate the tables in the '[Secret scanning
-          patterns](https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)' article at build time.
-
-          - The secret scanning team updates this file fairly regularly, and raises PRs in the `docs-internal` repository to update our docs accordingly. We've agreed to review these PRs **quickly** as the changes are already effective when these PRs reach us.
-
-          - Anyone in the Docs Content team can review and merge this PR. A few guidelines:
-              - You can only merge this PR if it's had a technical review (see who's approved it in the 'Reviewers' section in the top right corner).
-              - To test that the changes appear on Staging, look at the preview of the 'Secret scanning patterns' file. You may need to use the product picker to look at the table for different GitHub products, and test the versioning.
-              - If you don't feel comfortable reviewing this PR, please post a link to it in the #code-security-docs Slack channel so someone from the Dependencies & Secrets focus team can take a look.
-
-          - For more information about this automation, and the reasons why we have decided to implement it, see [About automations for Dependencies & Secrets](https://github.com/github/docs-content/blob/main/focus-areas/code-security/about-automations-for-dependencies-and-secrets.md#secret-scanning-prs-adding-new-supported-patterns) in the 'docs-content' repository.
-
-          - Thank you :fishsticks: :sparkling_heart:"
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR: ${{ github.event.pull_request.html_url }}
--- a/.github/workflows/sync-secret-scanning.yml
+++ b/.github/workflows/sync-secret-scanning.yml
@@ -0,0 +1,83 @@
+name: Sync Secret Scanning data
+
+# **What it does**: This updates the data used by the secret scanning patterns page.
+# **Why we have it**: To automate updates to the secret scanning pattern data in our public-facing documentation.
+# **Who does it impact**: Docs engineering, content writers.
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '20 16 * * *' # Run every day at 16:20 UTC / 8:22 PST
+
+permissions:
+  contents: write
+  pull-requests: write
+
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
+jobs:
+  update-secret-scanning-file:
+    if: github.repository == 'github/docs-internal'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - uses: ./.github/actions/node-npm-setup
+
+      - name: Sync secret scanning data
+        id: secret-scanning-sync
+        env:
+          # need to use a token from a user with access to
+          # github/token-scanning-service for this step
+          GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+        run: |
+          npm run sync-secret-scanning
+
+      - name: Create and merge pull request
+        env:
+          # Needed for gh
+          GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+        run: |
+          # If nothing to commit, exit now. It's fine.
+          changes=$(git diff --name-only | wc -l)
+          untracked=$(git status --untracked-files --short | wc -l)
+          if [[ $changes -eq 0 ]] && [[ $untracked -eq 0 ]]; then
+            echo "There are no changes to commit. Exiting..."
+            exit 0
+          fi
+
+          git config --global user.name "docs-bot"
+          git config --global user.email "77750099+docs-bot@users.noreply.github.com"
+
+          branchname=sync-secret-scanning-${{ steps.secret-scanning-sync.outputs.sha }}
+
+          remotesha=$(git ls-remote --heads origin $branchname)
+          if [ -n "$remotesha" ]; then
+            # output is not empty, it means the remote branch exists
+            echo "Branch $branchname already exists in 'github/docs-internal'. Exiting..."
+            exit 0
+          fi
+
+          git checkout -b $branchname
+          git add .
+          git commit -m "Add updated secret scanning data"
+          git push origin $branchname
+
+          echo "Creating pull request..."
+          gh pr create \
+            --title "Sync secret scanning data" \
+            --body '👋 humans. This PR updates the secret scanning data with the latest changes from github/token-scanning-service.\n\n/cc @github/docs-content-security-products
+
+            If CI does not pass or other problems arise, contact #docs-engineering on slack.' \
+            --repo github/docs-internal \
+            --label secret-scanning-pipeline,ready-for-docs-review
+
+      - uses: ./.github/actions/slack-alert
+        if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
+        with:
+          slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
+          slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}