name: Detect Project ID leak # Controls when the workflow will run on: # Triggers the workflow on push or pull request events but only for the main branch push: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # This workflow contains a single job called "build" check: # The type of runner that the job will run on runs-on: ubuntu-latest # Steps represent a sequence of tasks that will be executed as part of the job steps: - name: Checkout github repo (+ download lfs dependencies) # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it uses: actions/checkout@v2 with: lfs: true - name: Checkout LFS objects # needs to be done as a second step, lfs:true above just sets references, but doesn't actually dereference them... run: git lfs checkout # Find in project settings if there's any value in between "cloudProjectId: " and end of line. This exits 1 and fails the step if there's text there. - name: Run a one-line script run: python3 -c "import re; import sys;content=open('ProjectSettings/ProjectSettings.asset').read();res = re.search(r'.*cloudProjectId:.*\w+\s*\n', content)!=None;status = 1 if res else 0; print('status '+str(status)); sys.exit(res)" - name: Post to slack on failure if: ${{ failure() }} uses: slackapi/slack-github-action@v1.18.0 with: # Slack channel id, channel name, or user id to post message. # See also: https://api.slack.com/methods/chat.postMessage#channels channel-id: 'G01H7JP4AP2' # private channel # For posting a simple plain text message slack-message: "@here Project ID LEAK DETECTED: ${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}" env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} # can be found in https://api.slack.com/apps/