
ci: fix secret-scan workflow — drop gitleaks-action, add persist-credentials: false #93

Closed
Copilot wants to merge 4 commits into main from copilot/sub-pr-92

Conversation

Contributor

Copilot AI commented Mar 1, 2026

gitleaks/gitleaks-action@v2 silently skips scanning on fork PRs without a paid GITLEAKS_LICENSE secret — the highest-risk event goes unscanned. The checkout step also lacked persist-credentials: false, inconsistent with the security posture applied to every other workflow in this PR.

Changes

  • Replace gitleaks-action with CLI: Install gitleaks binary directly via curl + tar (pinned version via GITLEAKS_VERSION env var); run gitleaks detect --source . -v. No license required, no fork-PR gap.
  • persist-credentials: false: Added to the actions/checkout@v4 step in secret-scan.yml, aligning with ci.yml and dependency-review.yml.


Aureliolo and others added 4 commits March 1, 2026 18:35
- Run mypy on tests/ in addition to src/ (enforcement was local-only)
- Add gitleaks secret scanning workflow (push/PR + weekly schedule)
- Integrate Codecov for coverage reporting (replaces artifact uploads)
- Tighten dependency review with AGPL license deny-list and PR comments
- Add commit-message prefixes and PR limit to Dependabot config
- Remove Dependabot auto-merge workflow (no auto-merging)
- Add top-level permissions: {} deny-all default with per-job grants
- Add persist-credentials: false on all checkout steps
- Smarter concurrency (only cancel stale PR runs, not main pushes)
- Add workflow_dispatch trigger for manual CI runs
- Switch from gitleaks-action (requires paid license for fork PRs) to
  CLI-based gitleaks install (free for OSS, no license gap)
- Add persist-credentials: false to secret-scan checkout (consistency)
- Pin gitleaks version for reproducible builds
- Switch from gitleaks-action (requires paid license for fork PRs) to
  CLI-based gitleaks install (free for OSS, no license gap)
- Add persist-credentials: false to secret-scan checkout (consistency)
- Pin gitleaks version for reproducible builds
- Replace deprecated deny-licenses with allow-licenses allow-list
  (MIT, Apache-2.0, BSD-2/3-Clause, ISC, MPL-2.0, PSF-2.0, etc.)
Copilot AI mentioned this pull request Mar 1, 2026
Copilot AI changed the title from "[WIP] Harden CI/CD pipeline with new workflows and integrations" to "ci: fix secret-scan workflow — drop gitleaks-action, add persist-credentials: false" Mar 1, 2026
Base automatically changed from ci/harden-pipeline to main March 1, 2026 18:02
@Aureliolo
Owner

Closing: all changes here are already covered (and improved upon) by #92 which landed as ce4693c. PR #92 includes checksum verification for the gitleaks binary and PR-aware scanning with --log-opts, which this PR lacks.
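The secret-scan job described in this PR, written out as an added example (not the repository's actual secret-scan.yml or #92's version): a pinned gitleaks CLI install that also includes the checksum verification and --log-opts PR-range scanning the closing comment mentions, plus persist-credentials: false on the checkout. The version, the checksum, the cron schedule and the release-asset file name are assumptions or placeholders.

```yaml
name: secret-scan

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 6 * * 1"  # weekly run; the day and hour are an assumption
  workflow_dispatch:

permissions: {}  # deny-all default; the job grants only what it needs

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      GITLEAKS_VERSION: "0.0.0"  # PLACEHOLDER: the release you audited and pinned
      GITLEAKS_SHA256: "<sha256 of that release's linux_x64 tarball>"  # PLACEHOLDER
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0              # full history so the --log-opts range resolves
          persist-credentials: false  # do not leave GITHUB_TOKEN in .git/config for later steps

      - name: Install gitleaks (pinned, checksum-verified)
        run: |
          set -euo pipefail
          asset="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"  # asset naming is an assumption
          curl -fsSL -o "$asset" \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${asset}"
          # sha256sum -c exits non-zero on mismatch, so a swapped release asset fails the job.
          echo "${GITLEAKS_SHA256}  ${asset}" | sha256sum -c -
          tar -xzf "$asset" gitleaks
          sudo install -m 0755 gitleaks /usr/local/bin/gitleaks

      - name: Scan
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail
          if [ -n "$BASE_SHA" ]; then
            # Pull request: scan only the commits the PR introduces (works on fork PRs, no license).
            gitleaks detect --source . -v --redact --log-opts="${BASE_SHA}..${HEAD_SHA}"
          else
            # push / schedule / manual run: scan the whole history.
            gitleaks detect --source . -v --redact
          fi
```

On pull_request events the SHAs are set and only the PR's commit range is scanned; on push, schedule and workflow_dispatch they are empty and the full history is scanned.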

@Aureliolo Aureliolo closed this Mar 1, 2026
@Aureliolo Aureliolo deleted the copilot/sub-pr-92 branch March 8, 2026 19:47
