ci(secret-scanner): make gitleaks gate for real, not continue-on-error#500
Open
hyperpolymath wants to merge 1 commit into
Open
ci(secret-scanner): make gitleaks gate for real, not continue-on-error#500hyperpolymath wants to merge 1 commit into
hyperpolymath wants to merge 1 commit into
Conversation
The gitleaks job carried continue-on-error: true (comment: gitleaks-action tool-cache PATH injection unreliable on self-hosted runners), so the estate's primary secret scanner could not fail a single PR anywhere it is used. Replace gitleaks/gitleaks-action with a pinned, checksum-verified gitleaks 8.18.4 binary run directly (gitleaks detect --source . --no-git --exit-code 1). A direct install is deterministic on every runner, removing the exact unreliability the continue-on-error was papering over, so the scan now gates. Comments/summary were already disabled via env vars, so the action provided only the scan; the swap loses no functionality and drops the now-unneeded GITHUB_TOKEN env and fetch-depth: 0. Verified locally with the pinned binary: checksum matches; a private-key fixture exits 1, a clean tree exits 0; actionlint clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
hyperpolymath
marked this pull request as ready for review
July 17, 2026 22:02
hyperpolymath
enabled auto-merge (rebase)
July 17, 2026 22:02
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Problem
The
gitleaksjob insecret-scanner-reusable.ymlcarriedcontinue-on-error: true:So the estate's primary secret scanner cannot fail a single PR anywhere this
reusable is consumed. The flag was a workaround for a real infra problem — the
gitleaks-actioninjects gitleaks into the runner tool-cache and prepends it toPATH, which is unreliable on self-hosted runners — but the workaround throwsout the signal with the flakiness: a genuinely leaked secret now passes green.
Fix
Replace the flaky action with a pinned, checksum-verified gitleaks 8.18.4
binary run directly, and let it gate:
A pinned direct install is deterministic on every runner — it removes the exact
unreliability the
continue-on-errorwas papering over — so the scan can gatefor real. Comments/summary were already disabled via env vars, so the action
provided only the scan; the swap loses no functionality and drops the
now-unneeded
GITHUB_TOKENenv andfetch-depth: 0. (secrets: inheritis nolonger required by this job; harmless if callers keep it.)
Verification
Exercised the exact install + scan logic locally with the pinned binary:
gitleaks_8.18.4_linux_x64.tar.gzmatches (sha256sum -c→ OK);actionlintclean on the changed steps.Note: reusable-workflow changes are not self-tested in this repo — the caller
secret-scanner.ymlpins the reusable at a fixed SHA, so this repo's own PR CIruns the old reusable. The change is exercised once a consumer re-pins to a SHA
containing it.
Running the new gate against this repo's own tree surfaces 15 findings —
all false positives, not real secrets:
avow-protocol/**/deno.lock(integrity hashes).md/examples.ndjsonlol/analysis/Project.toml(Julia UUIDs)docs/audits/…a2mlavow-lib/ffi/zig/src/example.zigLockfiles and UUID-bearing manifests are everywhere in the estate, so flipping
gitleaks to gating without a shared allowlist would cry wolf across many
repos — noise that trains people to ignore the gate, the opposite of the goal.
Companion work needed before re-pinning consumers: a canonical
.gitleaks.toml(allowlist*.lock, UUID manifests,example/fixture/docspaths) passed to callers via
--config, or per-repo allowlists. Kept out of thisPR to keep it surgical.
Related follow-ups (separate PRs)
governance-reusable.yml: "Code quality + docs" and "Guix primary / Nixfallback policy" jobs currently cannot fail (no
exit 1); the redundanttrufflehog there (also
continue-on-error) is better removed per thisreusable's own "trufflehog removed as redundant" note. Deferred pending a
decision on the existing
advisory-firstdesign stance.