check_secret_replacement.yaml

name: Check missed fields during secret generation

on:
  pull_request:
    branches:
      - '**' # This will trigger the workflow for any PR branch

jobs:
  check_secrets:
         runs-on: ubuntu-latest

         steps:
           - name: Checkout repository
             uses: actions/checkout@v2

           - name: Install yq
             uses: dcarbone/install-yq-action@v1.1.1

           - name: Run bin/generate-secrets
             run: bin/generate-secrets

           - name: Check all "secret" fields are replaced
             run: |
               mistakes=$(yq e '.. | select(. == "secret") | {(path | join(".")): .}' etc/secrets.yaml); \
               num_of_mistakes=$(echo $mistakes | sed '/^$/d' | wc -l); \
               if (( $num_of_mistakes > 0 )); then \
                echo "Not all 'secret' fields were replaced by the bin/generate-secrets script."; \
                echo "Please make sure to cover the following fields with an 'insert_secret' entry:"; \
                echo $mistakes; \
                exit 1; \
               else \
                echo "Perfect! All 'secret' fields were replaced by the bin/generate-secrets script."; \
                exit 0; \
               fi;