LotusGuild/matrix
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Fix Python runner; add gitleaks secret scanning
Lint / Shell (shellcheck) (push) Successful in 9s
Details
Lint / JS (eslint) (push) Successful in 7s
Details
Lint / Python (ruff) (push) Failing after 42s
Details
Lint / Python deps (pip-audit) (push) Failing after 47s
Details
Lint / Secret scan (gitleaks) (push) Failing after 9s
Details

Browse Source 
- All Python jobs now install python3-pip via apt first (runner image
  has no pip by default)
- Added secret-scan job: gitleaks v8.21.2 scans full git history on
  every push/PR with --redact to avoid leaking found secrets in logs
- Added .gitleaks.toml allowlisting deploy/hooks-lxc*.json files
  (webhook HMAC secrets are intentional config, not leaks)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Jared Vititoe
2026-04-20 16:29:14 -04:00
parent d49b33fc42
commit 371ed8116f
2 changed files with 31 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/lint.yml
+25 -4
View File
@@ -37,8 +37,10 @@ jobs:
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: Install ruff - name: Install pip and ruff
run: python3 -m pip install ruff run: |
apt-get update -qq && apt-get install -y -qq python3-pip
python3 -m pip install ruff
- name: Check syntax errors - name: Check syntax errors
run: python3 -m ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github run: python3 -m ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github
@@ -52,8 +54,27 @@ jobs:
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: Install pip-audit - name: Install pip and pip-audit
run: python3 -m pip install pip-audit run: |
apt-get update -qq && apt-get install -y -qq python3-pip
python3 -m pip install pip-audit
- name: Audit matrixbot dependencies - name: Audit matrixbot dependencies
run: python3 -m pip_audit -r matrixbot/requirements.txt run: python3 -m pip_audit -r matrixbot/requirements.txt
secret-scan:
name: Secret scan (gitleaks)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install gitleaks
run: |
curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
| tar -xz gitleaks
mv gitleaks /usr/local/bin/gitleaks
- name: Scan for secrets
run: gitleaks detect --source . --config .gitleaks.toml --redact --exit-code 1
.gitleaks.toml
+6
View File
@@ -0,0 +1,6 @@
[extend]
useDefault = true
[[allowlists]]
description = "Webhook HMAC secrets in hook config files are intentional"
paths = ['''deploy/hooks-lxc\d+\.json''']