This repository was archived by the owner on May 10, 2026. It is now read-only.
ci: add gitleaks secret-scan workflow#2
Merged
Merged
Conversation
Adds canonical Gitleaks secret-scan CI matching the de-facto Yesterday-AI standard (template byte-identical with agentic-foundation, agent-services, cloud, openclaw). Triggers on PR + push to main; scans only the diff (PR commit range or push before..sha), not full history. No per-repo customization on first pass; add .gitleaksignore later if false positives appear.
Per YyRemy review on llm-gateway#56: github.event.before is the 40-zero null SHA (0000000000000000000000000000000000000000) on the first push to a new branch. Running 'git log 0000...SHA' fails, producing a noisy CI error rather than a clean scan. Fix: branch the push case on whether before is the null SHA. When it is, scan the full tree (--source . --verbose, no --log-opts). When it isn't, use the before..sha range as before. Applied to all 7 of my secret-scan PRs in lockstep so the template stays uniform across the plugin family.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds canonical Gitleaks secret-scan CI per consistency-audit follow-up. Template copied byte-identical from agentic-foundation/.github/workflows/secret-scan.yml (de-facto standard across 6 sibling Yesterday-AI repos: agent-services, cloud, openclaw, paperclip-deploy-railway + inlined in agent-calendar/clawrag).
Workflow: Gitleaks (curl-install latest), runs on PR + push to main/master, scans only the PR commit range / push diff (not full history). Permissions read-only, 10min timeout, no GH Marketplace action dep.
No per-repo customization on first pass. Add .gitleaksignore later if false positives appear.