jared
d2983eca23
- ruff: add --strip-components=1 to tar extract; the tarball puts the binary inside ruff-x86_64-unknown-linux-gnu/ not at the root - gitleaks: path-based allowlists are broken in v8.21.2 --no-git mode (tested down to bare substrings — still fires). Switched to scanning only application code directories (matrixbot/, hookshot/, .gitea/, systemd/, cinny/, landing/) which excludes deploy/ where the intentional Gitea webhook HMAC secrets live. Also removed the .gitleaks-baseline.json from the repo (it was flagging itself). The .gitleaks.toml is kept for any future per-rule overrides. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>