From 78d1645f0897fff743230755c2e7f990fd2b711b Mon Sep 17 00:00:00 2001
From: Jared Vititoe
Date: Mon, 20 Apr 2026 16:36:59 -0400
Subject: [PATCH] Fix all CI jobs: ruff binary, pip-audit venv, gitleaks baseline

- ruff: download standalone binary instead of using python3 -m ruff (runner image lacks the PATH entry for pip-installed bin scripts)
- pip-audit: add python3-venv to apt install (pip-audit creates a venv internally to resolve deps; ensurepip was missing)
- gitleaks: switch from stopwords allowlist to --baseline-path approach. Stopwords don't suppress findings from git history scans. The baseline records the 4 known-intentional webhook HMAC secrets; CI now only fails on findings NOT in the baseline (i.e. newly introduced secrets)

Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/lint.yml | 19 +++++----
 .gitleaks-baseline.json | 82 +++++++++++++++++++++++++++++++++++++++
 .gitleaks.toml | 9 ++++-
 3 files changed, 100 insertions(+), 10 deletions(-)
 create mode 100644 .gitleaks-baseline.json

diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
index 5d7b69e..8c2f970 100644
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -37,16 +37,17 @@ jobs:
 steps:
 - uses: actions/checkout@v3
- - name: Install pip and ruff
+ - name: Install ruff
 run: |
- apt-get update -qq && apt-get install -y -qq python3-pip
- python3 -m pip install ruff
+ curl -sSL https://github.com/astral-sh/ruff/releases/download/0.8.6/ruff-x86_64-unknown-linux-gnu.tar.gz \
+ | tar -xz ruff
+ mv ruff /usr/local/bin/ruff
 - name: Check syntax errors
- run: python3 -m ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github
+ run: ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github
 - name: Run full lint
- run: python3 -m ruff check matrixbot/ --output-format=github
+ run: ruff check matrixbot/ --output-format=github
 python-audit:
 name: Python deps (pip-audit)
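Review bot: The new `Install ruff` step pipes an unverified download straight into `tar` and then into `/usr/local/bin`, so the binary that lints every PR is trusted on the strength of a TLS connection to github.com alone; the version is pinned in the URL but nothing checks the artifact's digest, and `curl -sSL` without `-f` hands tar an HTML error body rather than reporting the failed fetch itself. Astral publishes a `.sha256` file next to each release asset (confirm for 0.8.6) — pin that digest in the workflow and verify it before extracting, which also protects against a moved tag or a tampered release. Adding `set -euo pipefail` (the default `run:` shell does not set pipefail) and `--proto '=https'` keeps a partial or downgraded fetch from passing silently. The rest of the job (`Check syntax errors`, `Run full lint`) only changes the invocation and is fine.
```yaml
      - name: Install ruff
        run: |
          set -euo pipefail
          RUFF_VERSION=0.8.6
          # Digest of ruff-x86_64-unknown-linux-gnu.tar.gz for RUFF_VERSION, copied from the
          # .sha256 file published next to the release asset; bump both together.
          RUFF_SHA256='<sha256 of the 0.8.6 tarball>'
          curl -fsSL --proto '=https' --tlsv1.2 -o ruff.tgz \
            "https://github.com/astral-sh/ruff/releases/download/${RUFF_VERSION}/ruff-x86_64-unknown-linux-gnu.tar.gz"
          echo "${RUFF_SHA256}  ruff.tgz" | sha256sum -c -
          tar -xzf ruff.tgz ruff
          mv ruff /usr/local/bin/ruff
      # … unchanged: Check syntax errors / Run full lint steps …
```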
@@ -54,9 +55,9 @@ jobs:
 steps:
 - uses: actions/checkout@v3
- - name: Install pip and pip-audit
+ - name: Install pip-audit
 run: |
- apt-get update -qq && apt-get install -y -qq python3-pip
+ apt-get update -qq && apt-get install -y -qq python3-pip python3-venv
 python3 -m pip install pip-audit
 - name: Audit matrixbot dependencies
@@ -77,4 +78,6 @@ jobs:
 mv gitleaks /usr/local/bin/gitleaks
 - name: Scan for secrets
- run: gitleaks detect --source . --config .gitleaks.toml --redact --exit-code 1
+ run: |
+ gitleaks detect --source . --redact --exit-code 1 \
+ --baseline-path .gitleaks-baseline.json
diff --git a/.gitleaks-baseline.json b/.gitleaks-baseline.json
new file mode 100644
index 0000000..74efacf
--- /dev/null
+++ b/.gitleaks-baseline.json
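Review bot: Every entry in the baseline passed to `--baseline-path` is keyed to commit `5e936b2c…` together with its author, date and message, so the suppression only works when that commit is present in the checkout; `actions/checkout@v3` fetches a single commit by default, and in a shallow clone the four secrets would surface under the HEAD sha of the grafted root, not match the baseline, and fail the job. The checkout step for this job is outside the hunk — make sure it sets `fetch-depth: 0`, and record the dependency next to the flag, e.g. `# baseline entries are matched by commit sha; requires a full-history checkout (fetch-depth: 0)`. Dropping `--config .gitleaks.toml` is probably harmless because gitleaks also loads `.gitleaks.toml` from the `--source` root when no config is given (per its documented precedence), but since this same commit edits that file it would be clearer to keep the flag explicit so readers do not assume the config is now unused.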
@@ -0,0 +1,82 @@
+[
+ {
+ "Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
+ "StartLine": 10,
+ "EndLine": 10,
+ "StartColumn": 11,
+ "EndColumn": 85,
+ "Match": "secret\": \"76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b\"",
+ "Secret": "76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b",
+ "File": "deploy/hooks-lxc106.json",
+ "SymlinkFile": "",
+ "Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
+ "Entropy": 3.8741388,
+ "Author": "Jared Vititoe",
+ "Email": "jjvititoe1@gmail.com",
+ "Date": "2026-03-18T15:41:32Z",
+ "Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
+ "Tags": [],
+ "RuleID": "generic-api-key",
+ "Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc106.json:generic-api-key:10"
+ },
+ {
+ "Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
+ "StartLine": 10,
+ "EndLine": 10,
+ "StartColumn": 11,
+ "EndColumn": 85,
+ "Match": "secret\": \"ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267\"",
+ "Secret": "ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267",
+ "File": "deploy/hooks-lxc139.json",
+ "SymlinkFile": "",
+ "Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
+ "Entropy": 3.914717,
+ "Author": "Jared Vititoe",
+ "Email": "jjvititoe1@gmail.com",
+ "Date": "2026-03-18T15:41:32Z",
+ "Message": "Add auto-deployment infrastructure 
for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
+ "Tags": [],
+ "RuleID": "generic-api-key",
+ "Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc139.json:generic-api-key:10"
+ },
+ {
+ "Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
+ "StartLine": 10,
+ "EndLine": 10,
+ "StartColumn": 11,
+ "EndColumn": 85,
+ "Match": "secret\": \"0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0\"",
+ "Secret": "0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0",
+ "File": "deploy/hooks-lxc110.json",
+ "SymlinkFile": "",
+ "Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
+ "Entropy": 3.8516061,
+ "Author": "Jared Vititoe",
+ "Email": "jjvititoe1@gmail.com",
+ "Date": "2026-03-18T15:41:32Z",
+ "Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
+ "Tags": [],
+ "RuleID": "generic-api-key",
+ "Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc110.json:generic-api-key:10"
+ },
+ {
+ "Description": 
"Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
+ "StartLine": 10,
+ "EndLine": 10,
+ "StartColumn": 11,
+ "EndColumn": 85,
+ "Match": "secret\": \"38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa\"",
+ "Secret": "38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa",
+ "File": "deploy/hooks-lxc151.json",
+ "SymlinkFile": "",
+ "Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
+ "Entropy": 3.779886,
+ "Author": "Jared Vititoe",
+ "Email": "jjvititoe1@gmail.com",
+ "Date": "2026-03-18T15:41:32Z",
+ "Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
+ "Tags": [],
+ "RuleID": "generic-api-key",
+ "Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc151.json:generic-api-key:10"
+ }
+]
diff --git a/.gitleaks.toml b/.gitleaks.toml
index f9e9707..5478f53 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -2,5 +2,10 @@
 useDefault = true
 [[allowlists]]
-description = "Webhook HMAC secrets in hook config files are intentional"
-paths = ['''deploy/hooks-lxc\d+\.json''']
+description = "Gitea webhook HMAC secrets in deploy/hooks-lxc*.json are intentional configuration"
+stopwords = [
+ "76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b",
+ "ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267",
+ "0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0",
+ "38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa",
+]
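Review bot: The `Secret` and `Match` fields of every entry write the four HMAC secrets out in clear a second time, in a tracked file whose only job is to tell the scanner to ignore them, and this copy will outlive the hook configs if the secrets are ever rotated or removed from `deploy/`. The suppression does not need the values: gitleaks honours a `.gitleaksignore` at the repository root with one fingerprint per line, and the four `Fingerprint` values recorded here (e.g. `5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc106.json:generic-api-key:10`) are exactly that format, so this file can be replaced by a four-line `.gitleaksignore` and `--baseline-path` dropped from the workflow. The larger issue is what the baseline is papering over: per the recorded commit message these are the shared secrets that authenticate deploy requests to `adnanh/webhook`, which then runs `deploy.sh` on each LXC, so anyone with read access to the repository or its history can sign a request that triggers a deployment. Rotate them and have webhook read the new values from outside git (its template mode can pull from environment variables — verify against the deployed version) rather than from a committed hooks JSON; only then is an allowlist the right tool.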
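Review bot: The new `stopwords` array is a third plaintext copy of the same four secrets, and by this commit's own description stopwords did not suppress the history findings, so with the baseline now carrying the exemption this `[[allowlists]]` entry is dead configuration that still leaks the values to anyone reading the config. Drop the whole `[[allowlists]]` table and leave `useDefault = true` on its own; if an exemption is ever needed in-config again, reference the findings by fingerprint (`.gitleaksignore`) rather than by secret material. Removing the old `paths = ['''deploy/hooks-lxc\d+\.json''']` line is the right call, since a path allowlist would also hide any new secret added to those files, and that reasoning deserves a one-line comment above `useDefault = true` so the next person does not reintroduce it.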