linter

.github/workflows/dontstealmesecrets.yaml

@@ -0,0 +1,32 @@
+name: Lint secrets:inherit usage
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+
+jobs:
+  check-secrets-inherit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check for secrets:inherit in PR workflows
+        run: |
+          found_issue=false
+          for file in .github/workflows/*.{yml,yaml}; do
+            if [ -f "$file" ] && [ "$(basename "$file")" != "lint-secrets.yml" ]; then
+              if grep -l "on:.*pull_request" "$file" >/dev/null; then
+                line_num=$(grep -n "secrets:\s*inherit" "$file" | cut -d: -f1)
+                if [ ! -z "$line_num" ]; then
+                  echo "::error file=$file,line=$line_num::Security risk: 'secrets: inherit' used in pull request workflow. This could allow secret exfiltration by malicious PRs."
+                  found_issue=true
+                fi
+              fi
+            fi
+          done
+          
+          if [ "$found_issue" = true ]; then
+            exit 1
+          fi
+