LotusGuild/matrix
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Fix all CI jobs: ruff binary, pip-audit venv, gitleaks baseline
Lint / Shell (shellcheck) (push) Successful in 9s
Details
Lint / JS (eslint) (push) Successful in 6s
Details
Lint / Python (ruff) (push) Failing after 4s
Details
Lint / Python deps (pip-audit) (push) Successful in 1m5s
Details
Lint / Secret scan (gitleaks) (push) Failing after 5s
Details

Browse Source 
- ruff: download standalone binary instead of using python3 -m ruff
  (runner image lacks the PATH entry for pip-installed bin scripts)
- pip-audit: add python3-venv to apt install (pip-audit creates a venv
  internally to resolve deps; ensurepip was missing)
- gitleaks: switch from stopwords allowlist to --baseline-path approach.
  Stopwords don't suppress findings from git history scans. The baseline
  records the 4 known-intentional webhook HMAC secrets; CI now only
  fails on findings NOT in the baseline (i.e. newly introduced secrets)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Jared Vititoe
2026-04-20 16:36:59 -04:00
parent 371ed8116f
commit 78d1645f08
3 changed files with 100 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/lint.yml
+11 -8
View File
@@ -37,16 +37,17 @@ jobs:
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: Install pip and ruff - name: Install ruff
run: | run: |
apt-get update -qq && apt-get install -y -qq python3-pip curl -sSL https://github.com/astral-sh/ruff/releases/download/0.8.6/ruff-x86_64-unknown-linux-gnu.tar.gz \
python3 -m pip install ruff | tar -xz ruff
mv ruff /usr/local/bin/ruff
- name: Check syntax errors - name: Check syntax errors
run: python3 -m ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github run: ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github
- name: Run full lint - name: Run full lint
run: python3 -m ruff check matrixbot/ --output-format=github run: ruff check matrixbot/ --output-format=github
python-audit: python-audit:
name: Python deps (pip-audit) name: Python deps (pip-audit)
@@ -54,9 +55,9 @@ jobs:
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: Install pip and pip-audit - name: Install pip-audit
run: | run: |
apt-get update -qq && apt-get install -y -qq python3-pip apt-get update -qq && apt-get install -y -qq python3-pip python3-venv
python3 -m pip install pip-audit python3 -m pip install pip-audit
- name: Audit matrixbot dependencies - name: Audit matrixbot dependencies
@@ -77,4 +78,6 @@ jobs:
mv gitleaks /usr/local/bin/gitleaks mv gitleaks /usr/local/bin/gitleaks
- name: Scan for secrets - name: Scan for secrets
run: gitleaks detect --source . --config .gitleaks.toml --redact --exit-code 1 run: |
gitleaks detect --source . --redact --exit-code 1 \
--baseline-path .gitleaks-baseline.json
.gitleaks-baseline.json
+82
View File
@@ -0,0 +1,82 @@
[
{
"Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
"StartLine": 10,
"EndLine": 10,
"StartColumn": 11,
"EndColumn": 85,
"Match": "secret\": \"76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b\"",
"Secret": "76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b",
"File": "deploy/hooks-lxc106.json",
"SymlinkFile": "",
"Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
"Entropy": 3.8741388,
"Author": "Jared Vititoe",
"Email": "jjvititoe1@gmail.com",
"Date": "2026-03-18T15:41:32Z",
"Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc106.json:generic-api-key:10"
},
{
"Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
"StartLine": 10,
"EndLine": 10,
"StartColumn": 11,
"EndColumn": 85,
"Match": "secret\": \"ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267\"",
"Secret": "ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267",
"File": "deploy/hooks-lxc139.json",
"SymlinkFile": "",
"Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
"Entropy": 3.914717,
"Author": "Jared Vititoe",
"Email": "jjvititoe1@gmail.com",
"Date": "2026-03-18T15:41:32Z",
"Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc139.json:generic-api-key:10"
},
{
"Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
"StartLine": 10,
"EndLine": 10,
"StartColumn": 11,
"EndColumn": 85,
"Match": "secret\": \"0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0\"",
"Secret": "0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0",
"File": "deploy/hooks-lxc110.json",
"SymlinkFile": "",
"Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
"Entropy": 3.8516061,
"Author": "Jared Vititoe",
"Email": "jjvititoe1@gmail.com",
"Date": "2026-03-18T15:41:32Z",
"Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc110.json:generic-api-key:10"
},
{
"Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
"StartLine": 10,
"EndLine": 10,
"StartColumn": 11,
"EndColumn": 85,
"Match": "secret\": \"38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa\"",
"Secret": "38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa",
"File": "deploy/hooks-lxc151.json",
"SymlinkFile": "",
"Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
"Entropy": 3.779886,
"Author": "Jared Vititoe",
"Email": "jjvititoe1@gmail.com",
"Date": "2026-03-18T15:41:32Z",
"Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc151.json:generic-api-key:10"
}
]
.gitleaks.toml
+7 -2
View File
@@ -2,5 +2,10 @@
useDefault = true useDefault = true
[[allowlists]] [[allowlists]]
description = "Webhook HMAC secrets in hook config files are intentional" description = "Gitea webhook HMAC secrets in deploy/hooks-lxc*.json are intentional configuration"
paths = ['''deploy/hooks-lxc\d+\.json'''] stopwords = [
"76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b",
"ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267",
"0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0",
"38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa",
]