sentinel-ci 1.0.0 → 1.0.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/lib/clone_client.rb +41 -14
- data/lib/version.rb +1 -1
- metadata +2 -2
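--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d80229adb1733c9bd79d6770c46d0b117702fc4ff1fe71e99d1afa5fe3b78ffe
+data.tar.gz: 2592ada1faa0fbf3917431c6baf4b341ab34a5d9d424a7caee20ec7a701e2779
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ccd23b049b0582c04b90baa5a9112197fb7c0407078edfd043c3ddcf93857a9adade4a9c83a1a46c6fe9dcc2ea1cd2c133664dc3c6f19a0a79617fe741dc163d
+data.tar.gz: da385d744d1897516f8422bc80701076c972a82014175ba1a6c0b4eac2b86852169b5635b7ad30a25008b45fe903dfcf5346a89e3f3f2f275fdca32454d51f00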
data/CHANGELOG.md
CHANGED
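--- a/data/lib/clone_client.rb
+++ b/data/lib/clone_client.rb
@@ -19,25 +19,16 @@ class CloneClient
 
 @tmpdir = Dir.mktmpdir("sentinel-")
 
-
-success = system(
-"git", "clone", "--depth", "1", "--filter=blob:none", "--sparse",
-"https://github.com/#{repo}.git", @tmpdir,
-[:out, :err] => File::NULL
-)
+success = try_clone(repo)
 
 unless success
 $stderr.puts ""
 $stderr.puts "ERROR: Could not access #{repo}"
 $stderr.puts ""
-$stderr.puts "
-$stderr.puts ""
-$stderr.puts "
-$stderr.puts "
-$stderr.puts ""
-$stderr.puts "Or pass a token directly:"
-$stderr.puts ""
-$stderr.puts " sentinel scan --token ghp_xxx #{repo}"
+$stderr.puts "If this is a private repo, make sure git can authenticate:"
+$stderr.puts " - SSH key configured (git clone git@github.com:#{repo})"
+$stderr.puts " - Or: gh auth login"
+$stderr.puts " - Or: export GITHUB_TOKEN=$(gh auth token)"
 $stderr.puts ""
 exit 2
 end
@@ -63,4 +54,40 @@ class CloneClient
 def cleanup
 FileUtils.rm_rf(@tmpdir) if @tmpdir
 end
+
+private
+
+CLONE_ARGS = %w[--depth 1 --filter=blob:none --sparse].freeze
+
+def try_clone(repo)
+# 1. HTTPS — works for public repos and if credential helper is configured
+return true if try_url("https://github.com/#{repo}.git")
+
+# 2. SSH — works if SSH key is configured
+return true if try_url("git@github.com:#{repo}.git")
+
+# 3. HTTPS with gh auth token — works if gh CLI is authenticated
+token = detect_gh_token
+if token
+return true if try_url("https://x-access-token:#{token}@github.com/#{repo}.git")
+end
+
+false
+end
+
+def try_url(url)
+FileUtils.rm_rf(Dir.children(@tmpdir)) if @tmpdir && File.directory?(@tmpdir)
+system("git", "clone", *CLONE_ARGS, url, @tmpdir, [:out, :err] => File::NULL)
+end
+
+def detect_gh_token
+return ENV["GITHUB_TOKEN"] if ENV["GITHUB_TOKEN"]
+
+gh_path = `which gh 2>/dev/null`.strip
+return nil if gh_path.empty?
+return nil unless system("gh", "auth", "status", [:out, :err] => File::NULL)
+
+token = `gh auth token 2>/dev/null`.strip
+token.empty? ? nil : token
+end
 end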
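Review bot: Step 3 of `try_clone` embeds the token in the clone URL (`https://x-access-token:#{token}@github.com/...`), which places it in the `git` process's argument list, readable by other local users on most systems, and in the remote URL git stores in `.git/config` under `@tmpdir`. Passing it through git's environment-based config as an `http.extraHeader` value keeps it out of both, as sketched below; this needs git 2.31 or later, and because the clone is partial (`--filter=blob:none`), any later git command that fetches blobs for it (outside this section) would need the same environment. In `try_url`, `Dir.children(@tmpdir)` returns bare entry names, so `FileUtils.rm_rf` resolves them against the current working directory instead of the temp dir; each name should be joined with `@tmpdir` first. Setting `GIT_TERMINAL_PROMPT=0` on every attempt would also stop a failed HTTPS try from waiting on an interactive credential prompt.

```ruby
def try_clone(repo)
  # … unchanged: steps 1 and 2 (plain HTTPS, SSH) …

  token = detect_gh_token
  if token
    # Token travels in the child's environment, not in argv or the stored remote URL.
    basic = ["x-access-token:#{token}"].pack("m0")
    auth_env = {
      "GIT_CONFIG_COUNT" => "1",
      "GIT_CONFIG_KEY_0" => "http.https://github.com/.extraheader",
      "GIT_CONFIG_VALUE_0" => "Authorization: Basic #{basic}"
    }
    return true if try_url("https://github.com/#{repo}.git", auth_env)
  end

  false
end

def try_url(url, env = {})
  if @tmpdir && File.directory?(@tmpdir)
    # Dir.children yields names only; anchor them to the temp dir before deleting.
    leftovers = Dir.children(@tmpdir).map { |entry| File.join(@tmpdir, entry) }
    FileUtils.rm_rf(leftovers)
  end
  system({ "GIT_TERMINAL_PROMPT" => "0" }.merge(env),
         "git", "clone", *CLONE_ARGS, url, @tmpdir, [:out, :err] => File::NULL)
end
```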
data/lib/version.rb
CHANGED
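--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sentinel-ci
 version: !ruby/object:Gem::Version
-version: 1.0.
+version: 1.0.1
 platform: ruby
 authors:
 - Jordan Ritter
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-
+date: 2026-05-17 00:00:00.000000000 Z
 dependencies: []
 description: Scan GitHub Actions workflows for 28 security vulnerabilities. SHA pinning,
 shell injection, credential exposure, dangerous triggers. Optional AI-powered remediation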