- ruff: add --strip-components=1 to tar extract; the tarball puts the
binary inside ruff-x86_64-unknown-linux-gnu/ not at the root
- gitleaks: path-based allowlists are broken in v8.21.2 --no-git mode
(tested down to bare substrings — still fires). Switched to scanning
only application code directories (matrixbot/, hookshot/, .gitea/,
systemd/, cinny/, landing/) which excludes deploy/ where the
intentional Gitea webhook HMAC secrets live. Also removed the
.gitleaks-baseline.json from the repo (it was flagging itself).
The .gitleaks.toml is kept for any future per-rule overrides.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- ruff: download standalone binary instead of using python3 -m ruff
(runner image lacks the PATH entry for pip-installed bin scripts)
- pip-audit: add python3-venv to apt install (pip-audit creates a venv
internally to resolve deps; ensurepip was missing)
- gitleaks: switch from stopwords allowlist to --baseline-path approach.
Stopwords don't suppress findings from git history scans. The baseline
records the 4 known-intentional webhook HMAC secrets; CI now only
fails on findings NOT in the baseline (i.e. newly introduced secrets)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- All Python jobs now install python3-pip via apt first (runner image
has no pip by default)
- Added secret-scan job: gitleaks v8.21.2 scans full git history on
every push/PR with --redact to avoid leaking found secrets in logs
- Added .gitleaks.toml allowlisting deploy/hooks-lxc*.json files
(webhook HMAC secrets are intentional config, not leaks)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jared