LotusGuild/matrix
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Fix all CI jobs: ruff binary, pip-audit venv, gitleaks baseline
Lint / Shell (shellcheck) (push) Successful in 9s
Details
Lint / JS (eslint) (push) Successful in 6s
Details
Lint / Python (ruff) (push) Failing after 4s
Details
Lint / Python deps (pip-audit) (push) Successful in 1m5s
Details
Lint / Secret scan (gitleaks) (push) Failing after 5s
Details

Browse Source 
- ruff: download standalone binary instead of using python3 -m ruff
  (runner image lacks the PATH entry for pip-installed bin scripts)
- pip-audit: add python3-venv to apt install (pip-audit creates a venv
  internally to resolve deps; ensurepip was missing)
- gitleaks: switch from stopwords allowlist to --baseline-path approach.
  Stopwords don't suppress findings from git history scans. The baseline
  records the 4 known-intentional webhook HMAC secrets; CI now only
  fails on findings NOT in the baseline (i.e. newly introduced secrets)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Jared Vititoe
2026-04-20 16:36:59 -04:00
parent 371ed8116f
commit 78d1645f08
3 changed files with 100 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/lint.yml
+11 -8
View File
@@ -37,16 +37,17 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Install pip and ruff
- name: Install ruff
run: |
apt-get update -qq && apt-get install -y -qq python3-pip
python3 -m pip install ruff
curl -sSL https://github.com/astral-sh/ruff/releases/download/0.8.6/ruff-x86_64-unknown-linux-gnu.tar.gz \
| tar -xz ruff
mv ruff /usr/local/bin/ruff
- name: Check syntax errors
run: python3 -m ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github
run: ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github
- name: Run full lint
run: python3 -m ruff check matrixbot/ --output-format=github
run: ruff check matrixbot/ --output-format=github
python-audit:
name: Python deps (pip-audit)
@@ -54,9 +55,9 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Install pip and pip-audit
- name: Install pip-audit
run: |
apt-get update -qq && apt-get install -y -qq python3-pip
apt-get update -qq && apt-get install -y -qq python3-pip python3-venv
python3 -m pip install pip-audit
- name: Audit matrixbot dependencies
@@ -77,4 +78,6 @@ jobs:
mv gitleaks /usr/local/bin/gitleaks
- name: Scan for secrets
run: gitleaks detect --source . --config .gitleaks.toml --redact --exit-code 1
run: |
gitleaks detect --source . --redact --exit-code 1 \
--baseline-path .gitleaks-baseline.json