ci(security): bump gitleaks to 8.30.1 (#86) #87
Closes #86.
## Summary

`GITLEAKS_VERSION`: 8.21.2 → 8.30.1 in `.forgejo/workflows/secrets.yml`. That's the entire change.

## Why the version bump, not a broader allowlist

#86 was originally scoped to broadening the `.gitleaks.toml` allowlist to exempt `forgejo-mcp.md` entirely, on the theory that "this file is documentation, don't worry about it". The version bump achieves the same outcome with less collateral:

- `forgejo-mcp.md` that 8.21.2 was tripping on (OIDC scope strings, OAuth-shaped literals, etc).
- `[[allowlists]]` block from #77 (paths = forgejo-mcp.md, regexes = 64-hex-char) stays in place — it still scopes-down hex digests if a future rule-pack iteration re-introduces a heuristic that matches them.
- `forgejo-mcp.md` (auth tokens, OAuth client_secrets) still get caught — neither the bump nor the existing allowlist exempts them.

If 8.30.1 ever re-introduces noise on this file, the next steps in order of severity are: tighten the existing allowlist's `regexes` to catch the new pattern; or only then broaden to exempt the whole file. We're not there yet.

## Sanity checks

- `actionlint .forgejo/workflows/*.yml` clean (0 findings).
- `gitleaks detect --source .` locally — no leaks found.
- `secrets.yml` workflow green on this PR.

## Note on branch name

Branch is `85-gitleaks-broaden-forgejo-mcp` — that was the working name before the approach narrowed to a version bump. Title and commit reflect the actual change.
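The trade-off the description argues, as an added illustration that is not the repository's own `.gitleaks.toml`: the path-only allowlist that #86 first proposed beside a path-and-regex allowlist of the shape the #77 block is described as having. `[extend]`, `description` and `condition` are gitleaks 8.x config keys; the exact regex and the description strings here are assumptions.

```toml
# Added example, not the repository's .gitleaks.toml.
title = "example gitleaks config"

[extend]
# Keep the upstream default rule-pack (the one a GITLEAKS_VERSION bump updates).
useDefault = true

# --- Rejected option: exempt the whole file ---------------------------------
# With the default condition ("OR") a path-only entry allowlists every
# finding in forgejo-mcp.md, so an auth token or OAuth client_secret pasted
# into the doc would be silenced along with the harmless hex digests.
# [[allowlists]]
# description = "forgejo-mcp.md is documentation, ignore it"
# paths = ['''forgejo-mcp\.md''']

# --- Scoped option: exempt only what is known to be noise --------------------
# condition = "AND" allowlists a finding only when BOTH the path and the
# regex match: 64-hex-char digests in this one file. Anything else the
# rule-pack flags in the file (tokens, client_secrets) is still reported.
[[allowlists]]
description = "64-hex digests quoted in the forgejo-mcp documentation"
condition = "AND"
paths = ['''forgejo-mcp\.md''']
regexes = ['''\b[0-9a-f]{64}\b''']
```

Running the PR's own sanity check, `gitleaks detect --source .`, against the scoped config should stay quiet on a 64-hex digest in the file but still report a constructed token-shaped string placed there, which the path-only variant would hide.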