From 25e1f4cba091e632d91d464353520be514e4eaa2 Mon Sep 17 00:00:00 2001 From: David Karnok Date: Tue, 17 Mar 2026 13:13:59 +0100 Subject: [PATCH 1/4] Update entropy-beauty-scan.yml Fix for 3rd party PRs unable to post back the beauty comment. --- .github/workflows/entropy-beauty-scan.yml | 58 +++++++++++++++++++++-- 1 file changed, 54 insertions(+), 4 deletions(-) diff --git a/.github/workflows/entropy-beauty-scan.yml b/.github/workflows/entropy-beauty-scan.yml index b9a236d078..6b3b3cfa49 100644 --- a/.github/workflows/entropy-beauty-scan.yml +++ b/.github/workflows/entropy-beauty-scan.yml @@ -1,6 +1,6 @@ name: Entropy Beauty + TruffleHog Scan -on: [push, pull_request, release] +on: [push, release, pull_request_target] permissions: contents: read @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code (full history) - uses: actions/checkout@v6 + uses: actions/checkout@v4 with: fetch-depth: 0 @@ -26,8 +26,8 @@ jobs: run: python .github/workflows/compute-entropy.py - name: Post summary comment (PR only) - if: github.event_name == 'pull_request' - uses: actions/github-script@v8 + if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target' + uses: actions/github-script@v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | 
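Review bot: Switching the trigger from `pull_request` to `pull_request_target` in the first hunk runs this job for fork PRs with the base repository's `GITHUB_TOKEN` and secrets, which is only safe while no step checks out or executes pull-request head content; the checkout hunk below has no `ref:`, so the base branch is what gets checked out and nothing from the fork runs, but that also means `compute-entropy.py` and TruffleHog presumably scan the base branch rather than the PR's changes, so the posted "beauty comment" may not describe the PR at all (the scan steps are outside these hunks, so this part is inferred). Document the constraint next to the trigger so a later edit does not add `ref: ${{ github.event.pull_request.head.sha }}` without realising the consequence: `# pull_request_target runs with a write token and secrets on fork PRs: never check out or run PR-head code in this workflow`. If the PR diff genuinely needs scanning, the safer shape is a `pull_request` job that scans and uploads the result as an artifact plus a separate `workflow_run` job that posts the comment, so the write token never shares a job with untrusted code. The `permissions:` block is cut off at the end of the first hunk, so which write scopes the token actually receives is not visible here.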
@@ -71,3 +71,53 @@ jobs: issue_number: context.issue.number, body: body }); + # ── Create issue on push ONLY if suspicious (entropy outside 4.3–4.7) ── + - name: Create issue on suspicious push + if: github.event_name == 'push' && github.event_name != 'pull_request' && github.event_name != 'pull_request_target' + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const fs = require('fs'); + const beauty = JSON.parse(fs.readFileSync('/tmp/beauty.json', 'utf8')); + + // Only create issue if it's NOT beautiful mid-4 + if (beauty.average_entropy >= 4.3 && beauty.average_entropy <= 4.7) { + console.log("✅ Mid-4 beauty — no issue created"); + return; + } + + let findings = []; + if (fs.existsSync('trufflehog.json')) { + try { + const lines = fs.readFileSync('trufflehog.json', 'utf8').trim().split('\n'); + findings = lines.map(line => { + try { return JSON.parse(line); } catch(e) { return null; } + }).filter(Boolean); + } catch(e) {} + } + + let body = `**Average entropy:** ${beauty.average_entropy} bits/char\n\n`; + body += `**Verdict:** ${beauty.verdict}\n\n`; + + if (beauty.files && beauty.files.length) { + body += `**Changed files:**\n\`\`\`\n${beauty.files.join('\n')}\n\`\`\`\n\n`; + } + + if (findings.length > 0) { + body += `**TruffleHog found ${findings.length} potential issue(s)**\n`; + } else { + body += `✅ No secrets or suspicious high-entropy strings found.\n`; + } + + body += `\n*Triggered by push to \`${context.sha}\` — mid-4 beauty heuristic*`; + + await github.rest.issues.create({ + owner: context.repo.owner, + repo: context.repo.repo, + title: `🚨 Suspicious entropy detected in recent push (${beauty.average_entropy})`, + body: body, + labels: ['entropy', 'security', 'review-needed'] + }); + + console.log("⚠️ Created issue because entropy was outside mid-4 range"); From b3f5177a7d72e81a5c32fea5e615319e22e5cd11 Mon Sep 17 00:00:00 2001 
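Review bot: The `try { … } catch(e) {}` around reading `trufflehog.json` in the new issue step fails open: if the file exists but cannot be read, or none of its lines parse, `findings` stays empty and the issue is created with `✅ No secrets or suspicious high-entropy strings found.`, which is exactly the wrong signal for a step whose purpose is flagging suspicious pushes. Track the unreadable case explicitly and report it as unscanned rather than clean (rewrite below); the step that produces `trufflehog.json` is outside this hunk, so whether the file is always written is not visible here. Separately, every push outside the 4.3–4.7 band opens a fresh issue with no check for an existing open one, so a run of pushes will pile up duplicates; a `github.rest.issues.listForRepo({ owner, repo, state: 'open', labels: 'entropy' })` lookup followed by a comment on the existing issue would be kinder to the tracker. Note also that `beauty.verdict` and the file names are interpolated into the Markdown body unescaped, so a path containing a backtick fence can break the code block — low risk on `push`, since that content comes from the repository itself.
```javascript
let findings = [];
let findingsUnreadable = false;
if (fs.existsSync('trufflehog.json')) {
  try {
    const lines = fs.readFileSync('trufflehog.json', 'utf8').trim().split('\n');
    findings = lines.filter(Boolean).map((line) => {
      try {
        return JSON.parse(line);
      } catch (e) {
        findingsUnreadable = true; // a line we could not interpret is not "clean"
        return null;
      }
    }).filter(Boolean);
  } catch (e) {
    findingsUnreadable = true;
    console.log(`⚠️ Could not read trufflehog.json: ${e.message}`);
  }
}

// … unchanged: entropy, verdict and changed-files sections of the body …

if (findings.length > 0) {
  body += `**TruffleHog found ${findings.length} potential issue(s)**\n`;
} else if (findingsUnreadable) {
  body += `⚠️ TruffleHog output could not be read — treat this push as unscanned.\n`;
} else {
  body += `✅ No secrets or suspicious high-entropy strings found.\n`;
}
```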
From: David Karnok Date: Tue, 17 Mar 2026 13:19:57 +0100 Subject: [PATCH 2/4] Fix comment missing another comment back case. --- .github/workflows/entropy-beauty-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/entropy-beauty-scan.yml b/.github/workflows/entropy-beauty-scan.yml index 6b3b3cfa49..e6c3df9cc2 100644 --- a/.github/workflows/entropy-beauty-scan.yml +++ b/.github/workflows/entropy-beauty-scan.yml @@ -1,6 +1,6 @@ name: Entropy Beauty + TruffleHog Scan -on: [push, release, pull_request_target] +on: [push, release, pull_request, pull_request_target] permissions: contents: read @@ -73,7 +73,7 @@ jobs: }); # ── Create issue on push ONLY if suspicious (entropy outside 4.3–4.7) ── - name: Create issue on suspicious push - if: github.event_name == 'push' && github.event_name != 'pull_request' && github.event_name != 'pull_request_target' + if: github.event_name == 'push' || github.event_name == 'release' uses: actions/github-script@v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} From ea9268bfcc6dedc36fff5cb540b7910a6fb57727 Mon Sep 17 00:00:00 2001 From: David Karnok Date: Tue, 17 Mar 2026 16:13:11 +0100 Subject: [PATCH 3/4] Update entropy-beauty-scan.yml Not sure why the version numbers went back. --- .github/workflows/entropy-beauty-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/entropy-beauty-scan.yml b/.github/workflows/entropy-beauty-scan.yml index e6c3df9cc2..8f0206a1f0 100644 --- a/.github/workflows/entropy-beauty-scan.yml +++ b/.github/workflows/entropy-beauty-scan.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code (full history) - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 
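Review bot: Listing both `pull_request` and `pull_request_target` in `on:` means a PR opened from a branch in the same repository triggers two runs of this job, and since the comment step is gated on either event name it will post the summary comment twice for every push to the PR. If `pull_request` was added back so that a run actually sees the PR's changes, gate the comment on the privileged run only, `if: github.event_name == 'pull_request_target'`, so the `pull_request` run scans silently; otherwise drop `pull_request` from the trigger list again. Keep in mind that the `pull_request_target` run uses the base-repository token, so whichever run is chosen to comment is the one whose checkout must never include PR-head code.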
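Review bot: The issue-creation step's condition now also fires on `release`, but its name and the banner comment above it still say it runs on push, which will mislead whoever next reads the workflow. Update both to match the condition, e.g. `# ── Create issue on push/release ONLY if suspicious (entropy outside 4.3–4.7) ──` and `- name: Create issue on suspicious push or release`; the body text `*Triggered by push to …*` inside the step (outside this hunk) should get the same treatment.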
@@ -27,7 +27,7 @@ jobs: - name: Post summary comment (PR only) if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target' - uses: actions/github-script@v7 + uses: actions/github-script@v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | From 79dcd9c991b8b00b1b0268d043fb766e7bd7186a Mon Sep 17 00:00:00 2001 From: David Karnok Date: Tue, 17 Mar 2026 16:13:53 +0100 Subject: [PATCH 4/4] Update entropy-beauty-scan.yml another version regression fixed --- .github/workflows/entropy-beauty-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/entropy-beauty-scan.yml b/.github/workflows/entropy-beauty-scan.yml index 8f0206a1f0..0923ba510d 100644 --- a/.github/workflows/entropy-beauty-scan.yml +++ b/.github/workflows/entropy-beauty-scan.yml @@ -74,7 +74,7 @@ jobs: # ── Create issue on push ONLY if suspicious (entropy outside 4.3–4.7) ── - name: Create issue on suspicious push if: github.event_name == 'push' || github.event_name == 'release' - uses: actions/github-script@v7 + uses: actions/github-script@v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: |