CI: fix vault file detection; remove plaintext vault
This commit is contained in:
parent
5ad985d9f8
commit
c5f01d27de
@ -291,7 +291,11 @@ jobs:
|
||||
run: |
|
||||
echo "Checking for Ansible Vault files..."
|
||||
# Intentionally skip *.example files: they are plaintext templates.
|
||||
vault_files=$(find . -name "*vault*.yml" -o -name "*vault*.yaml" | grep -v ".git" | grep -v ".example" || true)
|
||||
# Only treat conventional vault files as "must be encrypted":
|
||||
# - vault.yml / vault.yaml
|
||||
# - vault_*.yml / vault_*.yaml
|
||||
# Avoid false-positives like host_vars/vaultwardenVM.yml (host name contains "vault").
|
||||
vault_files=$(find . \( -name "vault.yml" -o -name "vault.yaml" -o -name "vault_*.yml" -o -name "vault_*.yaml" \) | grep -v ".git" | grep -v ".example" || true)
|
||||
if [ -z "$vault_files" ]; then
|
||||
echo "No vault files found"
|
||||
exit 0
|
||||
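Review bot: The rewritten `vault_files=` line still post-filters with `grep -v ".git"` and `grep -v ".example"`, where the unescaped dot and unanchored match drop any path containing those substrings (a role directory named `legit` or `digit`, or `examples/vault.yml`), so a plaintext vault under such a path would silently skip the check. Pruning inside find is tighter and removes the grep chain: `vault_files=$(find . -path ./.git -prune -o \( -name "vault.yml" -o -name "vault.yaml" -o -name "vault_*.yml" -o -name "vault_*.yaml" \) -print || true)`; since every name pattern now ends in `.yml`/`.yaml`, a `*.example` file can no longer match at all, and the `.example` filter (with the comment on it) only still affects directories whose name contains "example". Narrowing from `*vault*` to `vault.yml`/`vault_*` also means files such as `prod_vault.yml` or `vault-prod.yml` are no longer inspected, which the new comment block should state, e.g. `# NOTE: files with "vault" elsewhere in the name (e.g. secrets_vault.yml) are not covered.` Because this check exists to catch files like the one deleted in this commit, note that a deleted value is still reachable in repository history and should be treated as exposed. The job definition begins before this hunk and the `run:` script continues past it.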
@ -300,7 +304,8 @@ jobs:
|
||||
for vault_file in $vault_files; do
|
||||
echo "Checking $vault_file..."
|
||||
# Check if file starts with ANSIBLE_VAULT header (doesn't require password)
|
||||
if head -n 1 "$vault_file" | grep -q "^\$ANSIBLE_VAULT"; then
|
||||
# Some vault files may start with '---' (YAML document start) on line 1.
|
||||
if head -n 5 "$vault_file" | grep -q "^\$ANSIBLE_VAULT"; then
|
||||
echo "✓ $vault_file is properly encrypted (has vault header)"
|
||||
else
|
||||
echo "✗ ERROR: $vault_file does not have ANSIBLE_VAULT header - may be unencrypted!"
|
||||
|
||||
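Review bot: The relaxed `head -n 5` check on the new line reports a file as "properly encrypted" when a `$ANSIBLE_VAULT` line appears anywhere in its first five lines, so up to four preceding lines of arbitrary plaintext are never inspected; the accompanying comment also assumes `---` followed by the header is a valid whole-file vault, which is worth confirming against how ansible-vault actually recognises encrypted files before the check relies on it. A tighter form tests the first non-empty, non-`---` line instead: `if awk 'NF && $0 != "---" { print; exit }' "$vault_file" | grep -q '^\$ANSIBLE_VAULT'; then`. The surrounding `for vault_file in $vault_files` context line word-splits the list, so a path containing whitespace would be checked as separate fragments, though that is pre-existing. The loop body continues past this hunk.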
@ -1,2 +0,0 @@
|
||||
---
|
||||
vault_devgpu_become_password: root
|
||||