yarn build in workflow. search whole repo in script

konfig-dev · Sep 28, 2023 · f65a7ac · f65a7ac
1 parent c127ed6
commit f65a7ac
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/.github/workflows/guard-api-key-leak.yaml b/.github/workflows/guard-api-key-leak.yaml
@@ -1,5 +1,5 @@
 name: Guard API Key Leak
-on: [push, pull_request]
+on: push
 
 jobs:
   detect-key-leak:
@@ -9,6 +9,10 @@ jobs:
     - name: Check out code
       uses: actions/checkout@v3
 
+    - name: yarn build
+      run: yarn build
+      working-directory: ./generator/konfig-dash
+
     - name: Detect API key leaks
       run: ./guard-api-key-leak.sh
-      working-directory: generator/konfig-dash/bash_scripts
+      working-directory: ./generator/konfig-dash/bash_scripts
diff --git a/generator/konfig-dash/bash-scripts/guard-api-key-leak.sh b/generator/konfig-dash/bash-scripts/guard-api-key-leak.sh
@@ -4,11 +4,15 @@
 keyFile="../api/src/lib/api-keys.ts"
 apiKeys=($(grep -oE '[A-Za-z0-9]{32}:' "$keyFile" | sed 's/://'))
 
-searchFolder="../packages"
+searchFolder="../../.." # entire repo
 foundKey=false
 
 for apiKey in "${apiKeys[@]}"; do
-  files=$(grep -rl "$apiKey" "$searchFolder")
+  files=$(grep -rl "$apiKey" "$searchFolder" \
+    --exclude=../../../generator/konfig-dash/.redwood/prebuild/api/src/lib/api-keys.js \
+    --exclude=../../../generator/konfig-dash/api/dist/lib/api-keys.js.map \
+    --exclude=../../../generator/konfig-dash/api/dist/lib/api-keys.js \
+    --exclude=../../../generator/konfig-dash/api/src/lib/api-keys.ts)
   if [ -n "$files" ]; then
     foundKey=true
     echo "ERROR: Security risk detected. API key leaked in the following file(s):"