Skip to content

ci: add secret-scan job to ci.yml (issue #171)#241

Closed
don-petry wants to merge 1 commit into
mainfrom
claude/issue-171-20260503-1523
Closed

ci: add secret-scan job to ci.yml (issue #171)#241
don-petry wants to merge 1 commit into
mainfrom
claude/issue-171-20260503-1523

Conversation

@don-petry

Copy link
Copy Markdown
Collaborator

Summary

  • Adds the required secret-scan job to .github/workflows/ci.yml per the org push-protection standard (Layer 3 — CI Secret Scanning)
  • Job checks out full git history (fetch-depth: 0), runs gitleaks-action@v2.3.9 (SHA-pinned), with --redact and --exit-code 1
  • SHA verified: ff98106e4c7b2bc287b24eaf42907196329070c7 ← confirmed via gh api repos/gitleaks/gitleaks-action/git/refs/tags/v2.3.9
  • Repo is public — no GITLEAKS_LICENSE required (matches the standard template which also omits it)

Closes #171

Self-review checklist

Check Result
SHA pinning (actions/checkout) de0fac2e4... — matches existing ci.yml
SHA pinning (gitleaks/gitleaks-action@v2.3.9) ff98106e4... — verified via gh api
fetch-depth: 0 (full history scan) ✅ Present
--redact (no secrets in logs) ✅ Present
--exit-code 1 (fails build on finding) ✅ Present
GITHUB_TOKEN env var ✅ Present
security-events: write permission ✅ Present (for SARIF upload)
Compliance regex match (uses: gitleaks/gitleaks-action@) ✅ Matches

Notes

Supersedes PRs #190, #198, #215, and #240 — all can be closed.

Generated with Claude Code

Adds the required `secret-scan` job to `.github/workflows/ci.yml` per
the org push-protection standard (Layer 3 — CI Secret Scanning). The job:
- Checks out full git history (fetch-depth: 0)
- Runs gitleaks-action@v2.3.9 (SHA-pinned)
- Passes --redact and --exit-code 1 per the standard template
- Uses security-events: write permission (SARIF upload)

Closes #171

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 3, 2026 15:26
@coderabbitai

coderabbitai Bot commented May 3, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 31 minutes and 17 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1ae9d198-60fd-48f2-bf3b-8ad50efa1cc9

📥 Commits

Reviewing files that changed from the base of the PR and between f30e775 and 2b15943.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-171-20260503-1523

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
Review rate limit: 0/1 reviews remaining, refill in 31 minutes and 17 seconds.

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Collaborator Author

Closing — created before v1 tag was updated to include the dedup fix. Re-testing now.

@don-petry don-petry closed this May 3, 2026
@sonarqubecloud

sonarqubecloud Bot commented May 3, 2026

Copy link
Copy Markdown

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a required CI secret-scanning job to the existing GitHub Actions workflow to meet the org push-protection standard (Layer 3 — CI Secret Scanning).

Changes:

  • Introduces a new secret-scan job in .github/workflows/ci.yml
  • Checks out full git history (fetch-depth: 0) for scanning
  • Runs gitleaks/gitleaks-action with redaction and failing exit code on findings

Comment thread .github/workflows/ci.yml
# then dereference if it points at an annotated tag.
uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
with:
args: detect --source . --redact --verbose --exit-code 1
Comment thread .github/workflows/ci.yml
# then dereference if it points at an annotated tag.
uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
with:
args: detect --source . --redact --verbose --exit-code 1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: secret_scan_ci_job_present

2 participants