matrix

LotusGuild/matrix

Fork 0

Commit Graph

Author	SHA1	Message	Date
jared	78d1645f08	Fix all CI jobs: ruff binary, pip-audit venv, gitleaks baseline Lint / Shell (shellcheck) (push) Successful in 9s Details Lint / JS (eslint) (push) Successful in 6s Details Lint / Python (ruff) (push) Failing after 4s Details Lint / Python deps (pip-audit) (push) Successful in 1m5s Details Lint / Secret scan (gitleaks) (push) Failing after 5s Details - ruff: download standalone binary instead of using python3 -m ruff (runner image lacks the PATH entry for pip-installed bin scripts) - pip-audit: add python3-venv to apt install (pip-audit creates a venv internally to resolve deps; ensurepip was missing) - gitleaks: switch from stopwords allowlist to --baseline-path approach. Stopwords don't suppress findings from git history scans. The baseline records the 4 known-intentional webhook HMAC secrets; CI now only fails on findings NOT in the baseline (i.e. newly introduced secrets) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-20 16:36:59 -04:00
jared	371ed8116f	Fix Python runner; add gitleaks secret scanning Lint / Shell (shellcheck) (push) Successful in 9s Details Lint / JS (eslint) (push) Successful in 7s Details Lint / Python (ruff) (push) Failing after 42s Details Lint / Python deps (pip-audit) (push) Failing after 47s Details Lint / Secret scan (gitleaks) (push) Failing after 9s Details - All Python jobs now install python3-pip via apt first (runner image has no pip by default) - Added secret-scan job: gitleaks v8.21.2 scans full git history on every push/PR with --redact to avoid leaking found secrets in logs - Added .gitleaks.toml allowlisting deploy/hooks-lxc*.json files (webhook HMAC secrets are intentional config, not leaks) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-20 16:29:14 -04:00

Author

SHA1

Message

Date

jared

78d1645f08

Fix all CI jobs: ruff binary, pip-audit venv, gitleaks baseline

Lint / Shell (shellcheck) (push) Successful in 9s

Details

Lint / JS (eslint) (push) Successful in 6s

Details

Lint / Python (ruff) (push) Failing after 4s

Details

Lint / Python deps (pip-audit) (push) Successful in 1m5s

Details

Lint / Secret scan (gitleaks) (push) Failing after 5s

Details

- ruff: download standalone binary instead of using python3 -m ruff
  (runner image lacks the PATH entry for pip-installed bin scripts)
- pip-audit: add python3-venv to apt install (pip-audit creates a venv
  internally to resolve deps; ensurepip was missing)
- gitleaks: switch from stopwords allowlist to --baseline-path approach.
  Stopwords don't suppress findings from git history scans. The baseline
  records the 4 known-intentional webhook HMAC secrets; CI now only
  fails on findings NOT in the baseline (i.e. newly introduced secrets)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-20 16:36:59 -04:00

jared

371ed8116f

Fix Python runner; add gitleaks secret scanning

Lint / Shell (shellcheck) (push) Successful in 9s

Details

Lint / JS (eslint) (push) Successful in 7s

Details

Lint / Python (ruff) (push) Failing after 42s

Details

Lint / Python deps (pip-audit) (push) Failing after 47s

Details

Lint / Secret scan (gitleaks) (push) Failing after 9s

Details

- All Python jobs now install python3-pip via apt first (runner image
  has no pip by default)
- Added secret-scan job: gitleaks v8.21.2 scans full git history on
  every push/PR with --redact to avoid leaking found secrets in logs
- Added .gitleaks.toml allowlisting deploy/hooks-lxc*.json files
  (webhook HMAC secrets are intentional config, not leaks)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-20 16:29:14 -04:00

2 Commits