From 371ed8116f311326c16c00fa1f435477f85df17e Mon Sep 17 00:00:00 2001
From: Jared Vititoe
Date: Mon, 20 Apr 2026 16:29:14 -0400
Subject: [PATCH] Fix Python runner; add gitleaks secret scanning

- All Python jobs now install python3-pip via apt first (runner image has no pip by default)
- Added secret-scan job: gitleaks v8.21.2 scans full git history on every push/PR with --redact to avoid leaking found secrets in logs
- Added .gitleaks.toml allowlisting deploy/hooks-lxc*.json files (webhook HMAC secrets are intentional config, not leaks)

Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/lint.yml | 29 +++++++++++++++++++++++++----
 .gitleaks.toml | 6 ++++++
 2 files changed, 31 insertions(+), 4 deletions(-)
 create mode 100644 .gitleaks.toml

diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
index 17cec05..5d7b69e 100644
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -37,8 +37,10 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 
- - name: Install ruff
- run: python3 -m pip install ruff
+ - name: Install pip and ruff
+ run: |
+ apt-get update -qq && apt-get install -y -qq python3-pip
+ python3 -m pip install ruff
 
 - name: Check syntax errors
 run: python3 -m ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github
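Review bot: `python3 -m pip install ruff` in the new "Install pip and ruff" step installs whatever ruff release is current at run time, so lint results can drift without any commit to this repo and a bad upstream release would run unpinned in CI; pin it, e.g. `python3 -m pip install 'ruff==<pinned version>'`. The same applies to `pip-audit` in the next hunk. Depending on the Python shipped in the runner image, a system-wide `pip install` may also be refused with an externally-managed-environment error (PEP 668); if so, create a venv first (`python3 -m venv .venv && . .venv/bin/activate`) rather than forcing `--break-system-packages`. The job this hunk edits begins outside the hunk.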
@@ -52,8 +54,27 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 
- - name: Install pip-audit
- run: python3 -m pip install pip-audit
+ - name: Install pip and pip-audit
+ run: |
+ apt-get update -qq && apt-get install -y -qq python3-pip
+ python3 -m pip install pip-audit
 
 - name: Audit matrixbot dependencies
 run: python3 -m pip_audit -r matrixbot/requirements.txt
+
+ secret-scan:
+ name: Secret scan (gitleaks)
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Install gitleaks
+ run: |
+ curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
+ | tar -xz gitleaks
+ mv gitleaks /usr/local/bin/gitleaks
+
+ - name: Scan for secrets
+ run: gitleaks detect --source . --config .gitleaks.toml --redact --exit-code 1
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..f9e9707
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,6 @@
+[extend]
+useDefault = true
+
+[[allowlists]]
+description = "Webhook HMAC secrets in hook config files are intentional"
+paths = ['''deploy/hooks-lxc\d+\.json''']
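Review bot: The new "Install gitleaks" step pipes an unverified tarball straight into `tar`: the download is pinned to v8.21.2 by URL, but the archive is never checked against the checksums file the release publishes, so a substituted or tampered archive would be executed against the full repository history with no signal in the logs. `curl -sSL` without `-f` also turns an HTTP error page into a non-tarball stream that only fails later, inside `tar`, with a misleading message. Download to a file, verify its SHA-256 against the digest copied from the release's checksums file, and only then extract and install; the "Scan for secrets" step is fine as written.
```yaml
      - name: Install gitleaks
        run: |
          curl -sSfL -o gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz
          # digest copied from the v8.21.2 release's published checksums file
          echo "<sha256 of gitleaks_8.21.2_linux_x64.tar.gz>  gitleaks.tar.gz" | sha256sum -c -
          tar -xzf gitleaks.tar.gz gitleaks
          mv gitleaks /usr/local/bin/gitleaks
      # … unchanged: "Scan for secrets" step …
```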
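Review bot: `[[allowlists]]` may not be read by the gitleaks version the workflow installs: if I recall correctly, v8.21.2 expects a single top-level `[allowlist]` table and the array-of-tables form arrived in a later release, so this file could be accepted silently while the hook config files still produce findings and fail the job. Confirm by running the pinned binary locally against a current checkout (`gitleaks detect --config .gitleaks.toml --redact`) before relying on it. Separately, allowlisting the whole `deploy/hooks-lxc\d+\.json` path exempts every secret in those files, not only the webhook HMAC, so a stray token committed there later would never be reported; a comment above the entry such as `# hooks-lxc*.json intentionally carry the webhook HMAC; nothing else should live there` makes that trade-off visible to the next maintainer.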