feat(all): Replace trufflehog with detect-secrets (#983)

* Removed trufflehog Signed-off-by: Elena Khaustova <[email protected]> * Updated github actions per plugin Signed-off-by: Elena Khaustova <[email protected]> * Updated release notes Signed-off-by: Elena Khaustova <[email protected]> * Updated validate-pr check scopes Signed-off-by: Elena Khaustova <[email protected]> * Updated lint command Signed-off-by: Elena Khaustova <[email protected]> * Added key to trigger check Signed-off-by: Elena Khaustova <[email protected]> * Updated GH action to track per plugin Signed-off-by: Elena Khaustova <[email protected]> * Removed secret Signed-off-by: Elena Khaustova <[email protected]> * Updated GH for kedro-datasets Signed-off-by: Elena Khaustova <[email protected]> * Updated secrets baseline Signed-off-by: Elena Khaustova <[email protected]> --------- Signed-off-by: Elena Khaustova <[email protected]>
kedro-org · Jan 13, 2025 · bf0c407 · bf0c407
1 parent 630f4ea
commit bf0c407
Show file tree

Hide file tree

Showing 18 changed files with 585 additions and 17 deletions.
diff --git a/.github/workflows/detect-secrets.yml b/.github/workflows/detect-secrets.yml
@@ -0,0 +1,46 @@
+name: Detect secrets on plugins
+
+on:
+  workflow_call:
+    inputs:
+      plugin:
+        type: string
+      os:
+        type: string
+      python-version:
+        type: string
+
+jobs:
+  detect-secrets:
+    defaults:
+      run:
+        shell: bash
+    runs-on: ${{ inputs.os }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ inputs.python-version }}
+      - name: Cache python packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{inputs.plugin}}-${{inputs.os}}-python-${{inputs.python-version}}
+          restore-keys: ${{inputs.plugin}}
+      - name: Install uv
+        run: |
+          python -m pip install "uv==0.2.21"
+      - name: Install dependencies
+        run: |
+          cd ${{ inputs.plugin }}
+          uv pip install --system "kedro @ git+https://github.com/kedro-org/kedro@main"
+          uv pip install --system "${{inputs.plugin}}[lint] @ ."
+          uv pip freeze --system
+      - name: Install pre-commit hooks
+        run: |
+          pre-commit install --install-hooks
+          pre-commit install --hook-type pre-push
+      - name: Scan all tracked files
+        run: git ls-files ":(glob)*" ${{ inputs.plugin }} -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline
diff --git a/.github/workflows/kedro-airflow.yml b/.github/workflows/kedro-airflow.yml
@@ -46,3 +46,10 @@ jobs:
       plugin: kedro-airflow
       os: ${{ matrix.os }}
       python-version: ${{ matrix.python-version }}
+
+  detect-secrets:
+    uses: ./.github/workflows/detect-secrets.yml
+    with:
+      plugin: kedro-airflow
+      os: ubuntu-latest
+      python-version: "3.11"
diff --git a/.github/workflows/kedro-datasets.yml b/.github/workflows/kedro-datasets.yml
@@ -61,3 +61,10 @@ jobs:
       - name: Documentation check for kedro-datasets
         run: |
           make check-datasets-docs
+
+  detect-secrets:
+    uses: ./.github/workflows/detect-secrets.yml
+    with:
+      plugin: kedro-datasets
+      os: ubuntu-latest
+      python-version: "3.11"
diff --git a/.github/workflows/kedro-docker.yml b/.github/workflows/kedro-docker.yml
@@ -46,3 +46,10 @@ jobs:
       plugin: kedro-docker
       os: ${{ matrix.os }}
       python-version: ${{ matrix.python-version }}
+
+  detect-secrets:
+    uses: ./.github/workflows/detect-secrets.yml
+    with:
+      plugin: kedro-docker
+      os: ubuntu-latest
+      python-version: "3.11"
diff --git a/.github/workflows/kedro-telemetry.yml b/.github/workflows/kedro-telemetry.yml
@@ -35,3 +35,10 @@ jobs:
       plugin: kedro-telemetry
       os: ubuntu-latest
       python-version: "3.11"
+
+  detect-secrets:
+    uses: ./.github/workflows/detect-secrets.yml
+    with:
+      plugin: kedro-telemetry
+      os: ubuntu-latest
+      python-version: "3.11"
diff --git a/.github/workflows/validate-pr-title.yaml b/.github/workflows/validate-pr-title.yaml
@@ -19,5 +19,6 @@ jobs:
             datasets
             docker
             telemetry
+            all
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -24,6 +24,12 @@ repos:
       additional_dependencies:
         - black==22.12.0
 
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        args: [ '--baseline', '.secrets.baseline' ]
+
   - repo: local
     hooks:
       - id: ruff-kedro-datasets
@@ -86,12 +92,6 @@ repos:
         pass_filenames: false
         entry: black kedro-telemetry/kedro_telemetry kedro-telemetry/tests
 
-      - id: secret_scan
-        name: "Secret scan"
-        language: system
-        pass_filenames: false
-        entry: make secret-scan
-
       - id: bandit
         name: "Bandit security check"
         language: system