Fix all CI jobs: ruff binary, pip-audit venv, gitleaks baseline

- ruff: download standalone binary instead of using python3 -m ruff (runner image lacks the PATH entry for pip-installed bin scripts) - pip-audit: add python3-venv to apt install (pip-audit creates a venv internally to resolve deps; ensurepip was missing) - gitleaks: switch from stopwords allowlist to --baseline-path approach. Stopwords don't suppress findings from git history scans. The baseline records the 4 known-intentional webhook HMAC secrets; CI now only fails on findings NOT in the baseline (i.e. newly introduced secrets) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 16:36:59 -04:00
parent 371ed8116f
commit 78d1645f08
3 changed files with 100 additions and 10 deletions
@@ -37,16 +37,17 @@ jobs:
    steps:
      - uses: actions/checkout@v3

-      - name: Install pip and ruff
+      - name: Install ruff
        run: |
-          apt-get update -qq && apt-get install -y -qq python3-pip
-          python3 -m pip install ruff
+          curl -sSL https://github.com/astral-sh/ruff/releases/download/0.8.6/ruff-x86_64-unknown-linux-gnu.tar.gz \
+            | tar -xz ruff
+          mv ruff /usr/local/bin/ruff

      - name: Check syntax errors
-        run: python3 -m ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github
+        run: ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github

      - name: Run full lint
-        run: python3 -m ruff check matrixbot/ --output-format=github
+        run: ruff check matrixbot/ --output-format=github

  python-audit:
    name: Python deps (pip-audit)
@@ -54,9 +55,9 @@ jobs:
    steps:
      - uses: actions/checkout@v3

-      - name: Install pip and pip-audit
+      - name: Install pip-audit
        run: |
-          apt-get update -qq && apt-get install -y -qq python3-pip
+          apt-get update -qq && apt-get install -y -qq python3-pip python3-venv
          python3 -m pip install pip-audit

      - name: Audit matrixbot dependencies
@@ -77,4 +78,6 @@ jobs:
          mv gitleaks /usr/local/bin/gitleaks

      - name: Scan for secrets
-        run: gitleaks detect --source . --config .gitleaks.toml --redact --exit-code 1
+        run: |
+          gitleaks detect --source . --redact --exit-code 1 \
+            --baseline-path .gitleaks-baseline.json
@@ -0,0 +1,82 @@
+[
+ {
+  "Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
+  "StartLine": 10,
+  "EndLine": 10,
+  "StartColumn": 11,
+  "EndColumn": 85,
+  "Match": "secret\": \"76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b\"",
+  "Secret": "76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b",
+  "File": "deploy/hooks-lxc106.json",
+  "SymlinkFile": "",
+  "Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
+  "Entropy": 3.8741388,
+  "Author": "Jared Vititoe",
+  "Email": "jjvititoe1@gmail.com",
+  "Date": "2026-03-18T15:41:32Z",
+  "Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [],
+  "RuleID": "generic-api-key",
+  "Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc106.json:generic-api-key:10"
+ },
+ {
+  "Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
+  "StartLine": 10,
+  "EndLine": 10,
+  "StartColumn": 11,
+  "EndColumn": 85,
+  "Match": "secret\": \"ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267\"",
+  "Secret": "ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267",
+  "File": "deploy/hooks-lxc139.json",
+  "SymlinkFile": "",
+  "Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
+  "Entropy": 3.914717,
+  "Author": "Jared Vititoe",
+  "Email": "jjvititoe1@gmail.com",
+  "Date": "2026-03-18T15:41:32Z",
+  "Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [],
+  "RuleID": "generic-api-key",
+  "Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc139.json:generic-api-key:10"
+ },
+ {
+  "Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
+  "StartLine": 10,
+  "EndLine": 10,
+  "StartColumn": 11,
+  "EndColumn": 85,
+  "Match": "secret\": \"0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0\"",
+  "Secret": "0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0",
+  "File": "deploy/hooks-lxc110.json",
+  "SymlinkFile": "",
+  "Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
+  "Entropy": 3.8516061,
+  "Author": "Jared Vititoe",
+  "Email": "jjvititoe1@gmail.com",
+  "Date": "2026-03-18T15:41:32Z",
+  "Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [],
+  "RuleID": "generic-api-key",
+  "Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc110.json:generic-api-key:10"
+ },
+ {
+  "Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
+  "StartLine": 10,
+  "EndLine": 10,
+  "StartColumn": 11,
+  "EndColumn": 85,
+  "Match": "secret\": \"38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa\"",
+  "Secret": "38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa",
+  "File": "deploy/hooks-lxc151.json",
+  "SymlinkFile": "",
+  "Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
+  "Entropy": 3.779886,
+  "Author": "Jared Vititoe",
+  "Email": "jjvititoe1@gmail.com",
+  "Date": "2026-03-18T15:41:32Z",
+  "Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
+  "Tags": [],
+  "RuleID": "generic-api-key",
+  "Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc151.json:generic-api-key:10"
+ }
+]
@@ -2,5 +2,10 @@
 useDefault = true

 [[allowlists]]
-description = "Webhook HMAC secrets in hook config files are intentional"
-paths = ['''deploy/hooks-lxc\d+\.json''']
+description = "Gitea webhook HMAC secrets in deploy/hooks-lxc*.json are intentional configuration"
+stopwords = [
+    "76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b",
+    "ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267",
+    "0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0",
+    "38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa",
+]