Update dependency litellm to v1.91.0 #282
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Server-side secret scanning that uses NO third-party Actions, so it runs | |
| # under the IBM org policy "Allow IBM, and select non-IBM, actions". | |
| # Only actions/checkout (GitHub-created, already allowed) is used; the scanners | |
| # are installed via plain shell steps, which the org action policy does not gate. | |
| # Place this file at: .github/workflows/secret-scan.yml | |
| name: Secret Scan | |
| on: | |
| push: | |
| branches: ['**'] | |
| pull_request: | |
| branches: ['**'] | |
| schedule: | |
| - cron: '0 6 * * 1' # weekly full-history sweep, Mondays 06:00 UTC | |
| permissions: | |
| contents: read | |
| jobs: | |
| gitleaks: | |
| name: Gitleaks | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v7 | |
| with: | |
| fetch-depth: 0 # full history so the scan covers all commits | |
| - name: Install gitleaks | |
| run: | | |
| VERSION=8.21.2 | |
| curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \ | |
| | tar -xz -C /usr/local/bin gitleaks | |
| gitleaks version | |
| - name: Run gitleaks | |
| run: gitleaks detect --source . --redact --verbose | |
| # gitleaks auto-loads .gitleaks.toml from the repo root and | |
| # exits non-zero if any secret is found, failing the check. | |
| trufflehog: | |
| name: TruffleHog | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v7 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install trufflehog | |
| run: | | |
| curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh \ | |
| | sh -s -- -b /usr/local/bin v3.82.6 | |
| trufflehog --version | |
| - name: Run trufflehog | |
| run: trufflehog git "file://." --results=verified --fail | |
| # --fail makes the job exit non-zero when verified/unknown secrets are found. |