LotusGuild/matrix
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Fix ruff binary extraction; fix gitleaks to scan app dirs only
Lint / Shell (shellcheck) (push) Successful in 13s
Details
Lint / JS (eslint) (push) Successful in 10s
Details
Lint / Python (ruff) (push) Failing after 8s
Details
Lint / Python deps (pip-audit) (push) Successful in 1m18s
Details
Lint / Secret scan (gitleaks) (push) Successful in 5s
Details

Browse Source 
- ruff: add --strip-components=1 to tar extract; the tarball puts the
  binary inside ruff-x86_64-unknown-linux-gnu/ not at the root
- gitleaks: path-based allowlists are broken in v8.21.2 --no-git mode
  (tested down to bare substrings — still fires). Switched to scanning
  only application code directories (matrixbot/, hookshot/, .gitea/,
  systemd/, cinny/, landing/) which excludes deploy/ where the
  intentional Gitea webhook HMAC secrets live. Also removed the
  .gitleaks-baseline.json from the repo (it was flagging itself).
  The .gitleaks.toml is kept for any future per-rule overrides.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Jared Vititoe
2026-04-20 16:48:06 -04:00
parent 78d1645f08
commit d2983eca23
3 changed files with 8 additions and 94 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/lint.yml
+8 -3
View File
@@ -40,7 +40,7 @@ jobs:
- name: Install ruff
run: |
curl -sSL https://github.com/astral-sh/ruff/releases/download/0.8.6/ruff-x86_64-unknown-linux-gnu.tar.gz \
| tar -xz ruff
| tar -xz --strip-components=1
mv ruff /usr/local/bin/ruff
- name: Check syntax errors
@@ -79,5 +79,10 @@ jobs:
- name: Scan for secrets
run: |
gitleaks detect --source . --redact --exit-code 1 \
--baseline-path .gitleaks-baseline.json
# Scan application code directories — deploy/ is excluded because
# it contains intentional Gitea webhook HMAC secrets in hooks-lxc*.json
for dir in matrixbot/ hookshot/ .gitea/ systemd/ cinny/ landing/; do
[ -d "$dir" ] || continue
gitleaks detect --source "$dir" --no-git --config .gitleaks.toml \
--redact --exit-code 1
done
.gitleaks-baseline.json
-82
View File
@@ -1,82 +0,0 @@
[
{
"Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
"StartLine": 10,
"EndLine": 10,
"StartColumn": 11,
"EndColumn": 85,
"Match": "secret\": \"76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b\"",
"Secret": "76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b",
"File": "deploy/hooks-lxc106.json",
"SymlinkFile": "",
"Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
"Entropy": 3.8741388,
"Author": "Jared Vititoe",
"Email": "jjvititoe1@gmail.com",
"Date": "2026-03-18T15:41:32Z",
"Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc106.json:generic-api-key:10"
},
{
"Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
"StartLine": 10,
"EndLine": 10,
"StartColumn": 11,
"EndColumn": 85,
"Match": "secret\": \"ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267\"",
"Secret": "ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267",
"File": "deploy/hooks-lxc139.json",
"SymlinkFile": "",
"Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
"Entropy": 3.914717,
"Author": "Jared Vititoe",
"Email": "jjvititoe1@gmail.com",
"Date": "2026-03-18T15:41:32Z",
"Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc139.json:generic-api-key:10"
},
{
"Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
"StartLine": 10,
"EndLine": 10,
"StartColumn": 11,
"EndColumn": 85,
"Match": "secret\": \"0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0\"",
"Secret": "0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0",
"File": "deploy/hooks-lxc110.json",
"SymlinkFile": "",
"Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
"Entropy": 3.8516061,
"Author": "Jared Vititoe",
"Email": "jjvititoe1@gmail.com",
"Date": "2026-03-18T15:41:32Z",
"Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc110.json:generic-api-key:10"
},
{
"Description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
"StartLine": 10,
"EndLine": 10,
"StartColumn": 11,
"EndColumn": 85,
"Match": "secret\": \"38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa\"",
"Secret": "38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa",
"File": "deploy/hooks-lxc151.json",
"SymlinkFile": "",
"Commit": "5e936b2ca14094d4ed49a045fc0db70afdde2026",
"Entropy": 3.779886,
"Author": "Jared Vititoe",
"Email": "jjvititoe1@gmail.com",
"Date": "2026-03-18T15:41:32Z",
"Message": "Add auto-deployment infrastructure for all 4 LXCs\n\n- Per-LXC deploy scripts (lxc151-hookshot, lxc106-cinny, lxc139-landing, lxc110-draupnir)\n- Per-LXC webhook hook configs with unique HMAC-SHA256 secrets\n- Livekit graceful restart script + systemd timer (waits for zero active calls)\n- Fix hookshot/deploy.sh capitalization bug (Uptime-Kuma, Tinker-Tickets, etc.)\n\nEach LXC independently clones repo and runs its own deploy.sh via adnanh/webhook on port 9000.\n\nCo-Authored-By: Claude Sonnet 4.6 \u003cnoreply@anthropic.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "5e936b2ca14094d4ed49a045fc0db70afdde2026:deploy/hooks-lxc151.json:generic-api-key:10"
}
]
.gitleaks.toml
-9
View File
@@ -1,11 +1,2 @@
[extend]
useDefault = true
[[allowlists]]
description = "Gitea webhook HMAC secrets in deploy/hooks-lxc*.json are intentional configuration"
stopwords = [
"76dd5febd1cc3458545ce37537f4bfe26f241a9635b57a2cba183ebc9221230b",
"ddea576ef03bff35f0c9d138b626b273d9e9502434e0717899a87677cd5ac267",
"0d23fab8743e9ee6b52cbd05a889b04c927ffa2b2b21fe50244f1a534d1a22d0",
"38ba0e66763da2096c47645cbf636ce3c2c51232e006b964e57d6bb94a32dcaa",
]