ci: add git-secrets workflow

pranavosu · pranavosu · commit c5bacf90be12 · 2025-12-03T07:39:53.000-08:00
diff --git a/.github/workflows/callable-git-secrets-check.yml b/.github/workflows/callable-git-secrets-check.yml
@@ -0,0 +1,25 @@
+name: Git Secrets Check
+on: workflow_call
+
+jobs:
+  git_secrets_check:
+    name: Scan for secrets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          path: amplify-js
+
+      - name: Install git-secrets
+        run: |
+          git clone https://github.com/awslabs/git-secrets.git
+          cd git-secrets
+          sudo make install
+
+      - name: Register AWS patterns and scan
+        working-directory: ./amplify-js
+        run: |
+          git secrets --register-aws
+          # Scan only the files in the current checkout (PR merge commit)
+          git secrets --scan
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -43,6 +43,8 @@ jobs:
   dependency-review:
     needs: prebuild
     uses: ./.github/workflows/callable-dependency-review.yml
+  git-secrets-check:
+    uses: ./.github/workflows/callable-git-secrets-check.yml
   all-unit-tests-pass:
     name: Unit and Bundle tests have passed
     needs:
@@ -52,6 +54,7 @@ jobs:
       - github-actions-test
       - tsc-compliance-test
       - dependency-review
+      - git-secrets-check
     runs-on: ubuntu-latest
     if: success() # only run when all checks have passed
     # store success output flag for ci job
