ci(security): bump gitleaks to 8.30.1 (#86) #87

Merged
james merged 1 commit from 85-gitleaks-broaden-forgejo-mcp into main 2026-06-18 01:02:51 +00:00
Owner

Closes #86.

Summary

GITLEAKS_VERSION: 8.21.2 → 8.30.1 in .forgejo/workflows/secrets.yml. That's the entire change.

Why the version bump, not a broader allowlist

#86 was originally scoped to broadening the .gitleaks.toml allowlist to exempt forgejo-mcp.md entirely, on the theory that "this file is documentation, don't worry about it". The version bump achieves the same outcome with less collateral:

  • 8.30.1's default rule pack no longer flags the patterns in forgejo-mcp.md that 8.21.2 was tripping on (OIDC scope strings, OAuth-shaped literals, etc.).
  • The narrow [[allowlists]] block from #77 (paths = forgejo-mcp.md, regexes = 64-hex-char) stays in place — it still scopes down hex digests if a future rule-pack iteration re-introduces a heuristic that matches them.
  • Real secrets in forgejo-mcp.md (auth tokens, OAuth client_secrets) still get caught — neither the bump nor the existing allowlist exempts them.

If 8.30.1 ever re-introduces noise on this file, the next steps in order of severity are: tighten the existing allowlist's regexes to catch the new pattern, and only then broaden to exempt the whole file. We're not there yet.

Sanity checks

  • actionlint .forgejo/workflows/*.yml clean (0 findings).
  • gitleaks detect --source . locally — no leaks found.
  • CI secrets.yml workflow green on this PR.

Note on branch name

Branch is 85-gitleaks-broaden-forgejo-mcp — that was the working name before the approach narrowed to a version bump. Title and commit reflect the actual change.
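The allowlist shape the description refers to, written out as an added example (not the repository's actual `.gitleaks.toml`, which this page does not show). It assumes the gitleaks 8.x `[[allowlists]]` table format with its `condition` key; that key matters because allowlist criteria are OR-ed by default, so a `paths` entry on its own would exempt the whole file rather than only the 64-hex-char digests in it.

```toml
# Added example of a narrow gitleaks allowlist. Assumption: gitleaks 8.x
# [[allowlists]] format; this is not the repository's own .gitleaks.toml.
[extend]
useDefault = true   # keep the stock rule pack; we only add an exemption

# Narrow: exempt ONLY 64-hex-char digests, and ONLY inside forgejo-mcp.md.
# Auth tokens or OAuth client_secrets pasted into the file are still reported.
[[allowlists]]
description = "forgejo-mcp.md: SHA-256-shaped digests are documentation, not secrets"
condition = "AND"                        # require BOTH paths and regexes to match
paths = ['''(^|/)forgejo-mcp\.md$''']
regexes = ['''\b[0-9a-f]{64}\b''']
regexTarget = "match"                    # apply the regex to the matched text

# The broader alternative #86 originally proposed, kept here commented out
# for contrast: a paths-only entry silences every finding in the file,
# including a real credential that lands in it later.
# [[allowlists]]
# description = "exempt forgejo-mcp.md entirely (too broad)"
# paths = ['''(^|/)forgejo-mcp\.md$''']
```

Run `gitleaks detect --source . --config .gitleaks.toml` against a scratch copy of the file containing one fake 64-hex digest and one fake token-shaped string to confirm the first is suppressed and the second is still reported.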

ci(security): bump gitleaks to 8.30.1 (#86)
All checks were successful
PR / OSV-Scanner (pull_request) Successful in 19s
Secrets / gitleaks (pull_request) Successful in 20s
PR / Trivy (image) (pull_request) Successful in 34s
PR / Static analysis (Semgrep) (pull_request) Successful in 39s
PR / Lint (pull_request) Successful in 2m44s
PR / Typecheck (pull_request) Successful in 3m1s
PR / npm audit (pull_request) Successful in 3m0s
PR / Test (sqlite) (pull_request) Successful in 3m0s
PR / Build (pull_request) Successful in 3m25s
PR / Test (postgres) (pull_request) Successful in 3m40s
47acafc57a
CI was pinned to gitleaks 8.21.2, whose rule pack repeatedly flags
benign content in forgejo-mcp.md (OIDC scope strings, OAuth-shaped
literals, etc.). 8.30.1's rules don't trip on those — verified against
the current file locally — so the cleaner fix is bumping the pin
rather than carving out broader allowlists in .gitleaks.toml.

Sanity check: actionlint passes on every file in .forgejo/workflows/
after the bump.

The original ticket (#86) was scoped to broadening the allowlist;
landing the version bump instead achieves the same outcome — CI green
on forgejo-mcp.md — without weakening the defense-in-depth that the
narrow #77 allowlist provides for any future hex-string false
positives. Closes #86.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
james merged commit c0c5ea6ad0 into main 2026-06-18 01:02:51 +00:00