ci: add secret-scan job to ci.yml (issue #171)#241
Conversation
Adds the required `secret-scan` job to `.github/workflows/ci.yml` per the org push-protection standard (Layer 3 — CI Secret Scanning). The job: - Checks out full git history (fetch-depth: 0) - Runs gitleaks-action@v2.3.9 (SHA-pinned) - Passes --redact and --exit-code 1 per the standard template - Uses security-events: write permission (SARIF upload) Closes #171 Co-authored-by: don-petry <don-petry@users.noreply.github.com>
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Review rate limit: 0/1 reviews remaining, refill in 31 minutes and 17 seconds.Comment |
|
Closing — created before v1 tag was updated to include the dedup fix. Re-testing now. |
|
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a required CI secret-scanning job to the existing GitHub Actions workflow to meet the org push-protection standard (Layer 3 — CI Secret Scanning).
Changes:
- Introduces a new
secret-scanjob in.github/workflows/ci.yml - Checks out full git history (
fetch-depth: 0) for scanning - Runs
gitleaks/gitleaks-actionwith redaction and failing exit code on findings
| # then dereference if it points at an annotated tag. | ||
| uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9 | ||
| with: | ||
| args: detect --source . --redact --verbose --exit-code 1 |
| # then dereference if it points at an annotated tag. | ||
| uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9 | ||
| with: | ||
| args: detect --source . --redact --verbose --exit-code 1 |



Summary
secret-scanjob to.github/workflows/ci.ymlper the org push-protection standard (Layer 3 — CI Secret Scanning)fetch-depth: 0), runsgitleaks-action@v2.3.9(SHA-pinned), with--redactand--exit-code 1ff98106e4c7b2bc287b24eaf42907196329070c7← confirmed viagh api repos/gitleaks/gitleaks-action/git/refs/tags/v2.3.9GITLEAKS_LICENSErequired (matches the standard template which also omits it)Closes #171
Self-review checklist
actions/checkout)de0fac2e4...— matches existingci.ymlgitleaks/gitleaks-action@v2.3.9)ff98106e4...— verified viagh apifetch-depth: 0(full history scan)--redact(no secrets in logs)--exit-code 1(fails build on finding)GITHUB_TOKENenv varsecurity-events: writepermissionuses: gitleaks/gitleaks-action@)Notes
Supersedes PRs #190, #198, #215, and #240 — all can be closed.
Generated with Claude Code