From 5c8de84256c7fd7372bdad848ad8ee23316458c4 Mon Sep 17 00:00:00 2001
From: GeWuYou <95328647+GeWuYou@users.noreply.github.com>
Date: Mon, 2 Feb 2026 12:20:56 +0800
Subject: [PATCH] =?UTF-8?q?chore(ci):=20=E6=9B=B4=E6=96=B0CI=E5=B7=A5?=
 =?UTF-8?q?=E4=BD=9C=E6=B5=81=E9=85=8D=E7=BD=AE=E4=BB=A5=E9=9B=86=E6=88=90?=
 =?UTF-8?q?MegaLinter=E5=92=8CSARIF=E6=8A=A5=E5=91=8A?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 在.gitleaks.toml中添加测试凭证白名单注释说明
- 为MegaLinter步骤添加代码质量检查和安全扫描功能
- 配置FAIL_ON_ERROR环境变量在main分支上失败时停止
- 添加SARIF报告上传步骤到GitHub安全中心
- 更新TruffleHog扫描步骤的中文注释说明
---
 .github/workflows/ci.yml | 8 ++++++++
 .gitleaks.toml | 2 ++
 2 files changed, 10 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a23cc37..9223e8c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,11 +23,19 @@ jobs:
 with:
 fetch-depth: 0
 # MegaLinter扫描步骤
+ # 执行代码质量检查和安全扫描,生成SARIF格式报告
 - name: MegaLinter
 uses: oxsecurity/megalinter@v9.3.0
 continue-on-error: true
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ FAIL_ON_ERROR: ${{ github.ref == 'refs/heads/main' }}
+ # 上传SARIF格式的安全和代码质量问题报告到GitHub安全中心
+ - name: Upload SARIF
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: megalinter-reports/sarif
+
 # TruffleHog OSS 扫描步骤
 # 使用 TruffleHog 工具扫描代码库中的敏感信息泄露,如API密钥、密码等
 # 该步骤会比较基础分支和当前提交之间的差异,检测新增内容中是否包含敏感数据
diff --git a/.gitleaks.toml b/.gitleaks.toml
index ce26c33..07b4976 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -1,3 +1,5 @@
+# Allowlist for fake/test/demo secrets only
+# DO NOT add real credentials here
 [allowlist]
 description = "Ignore test/demo secrets"
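Review bot: The new `FAIL_ON_ERROR: ${{ github.ref == 'refs/heads/main' }}` cannot gate main while the MegaLinter step keeps an unconditional `continue-on-error: true` two lines above it — a failing step is marked failed but the job and workflow still succeed, so the branch protection the commit message describes never takes effect. Make the tolerance conditional in the same way, `continue-on-error: ${{ github.ref != 'refs/heads/main' }}`, and give the new Upload SARIF step `if: always()` so the report still reaches the security tab when the linter fails on main. The upload also presumes `megalinter-reports/sarif` exists, which as far as I know requires MegaLinter's SARIF reporter to be enabled (`SARIF_REPORTER: true` in the step env or in the repo's MegaLinter config, not visible here) — an absent directory fails the upload step — and `upload-sarif` needs `security-events: write` on the job's permissions, which are outside this hunk. I could not confirm from the hunk that MegaLinter honours a `FAIL_ON_ERROR` variable (its documented switch for tolerating errors is `DISABLE_ERRORS`); worth checking the action's docs so the env var is not silently ignored. The enclosing job definition starts before the hunk.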