Files
hermes-workspace/.github/workflows/security.yml
Eric fb17b5f86f feat: v1.0.0 — profiles, knowledge browser, MCP settings, skills hub upgrade, eslint, security contact update
New features:
- Multi-profile management (create, switch, rename, delete)
- Knowledge browser with document viewer
- MCP server settings screen
- Skills hub with marketplace search fallback
- Context usage tracking and display

Improvements:
- eslint added and auto-fixed (69 issues resolved)
- Settings dialog restructured (Agent, Smart Routing, Voice, Display sections)
- Navigation updated with Profiles tab across desktop/mobile
- Security contact updated to GitHub advisories + X DM
- .gitignore hardened (.runtime/, internal dev docs)
- Version bumped to 1.0.0

Build: clean | TypeScript: 0 errors | Tests: 4/4 passing
2026-04-10 01:49:13 -04:00

71 lines
2.0 KiB
YAML

# Phase 2.5-001: Secrets scanning CI
# Scans for leaked secrets on PR and push to main
name: Security Scan
on:
push:
branches: [main, production]
pull_request:
branches: [main, production]
permissions:
contents: read
security-events: write
jobs:
secrets-scan:
name: Scan for Secrets
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run Gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# No additional secrets required - uses built-in GITHUB_TOKEN
- name: Grep for common patterns (fallback)
if: always()
run: |
echo "🔍 Scanning for common secret patterns..."
# Patterns that indicate secrets
PATTERNS=(
"sk-[a-zA-Z0-9]{20,}"
"sk-ant-"
"ghp_[a-zA-Z0-9]{36}"
"github_pat_"
"gho_[a-zA-Z0-9]{36}"
"PRIVATE KEY"
"-----BEGIN RSA"
"-----BEGIN OPENSSH"
)
FOUND=0
for pattern in "${PATTERNS[@]}"; do
if grep -rE "$pattern" --include="*.ts" --include="*.tsx" --include="*.js" --include="*.json" --include="*.env*" . 2>/dev/null \
| grep -v node_modules \
| grep -v ".lock" \
| grep -v dist \
| grep -v "test-redaction" \
| grep -v "diagnostics.ts" \
| grep -v "placeholder" \
| grep -v "# pragma: allowlist secret" \
| grep -v "example\|sample\|fake\|dummy\|test\|mock" ; then
echo "⚠️ Potential secret found matching: $pattern"
FOUND=1
fi
done
if [ $FOUND -eq 1 ]; then
echo "❌ Potential secrets detected! Please review and remove."
exit 1
fi
echo "✅ No obvious secret patterns found"