1df99cd8002c1bdc5b461ca8e6898467185ee217
20 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
a463199728 |
feat(infra): reactivate act_runner cache by sharing the runners network (#82)
## Summary Closes the deferred-since-day-one cache-server gap (documented as "Cache server (deferred)" in `infra/README.md` and mentioned every time we hit a slow CI install). **Root cause.** `act_runner`'s built-in cache server binds inside the runner container and advertises an IP on the compose-defined `apf-portal-act-runners` bridge — but jobs are spawned via the mounted `/var/run/docker.sock`, which puts them on Docker's anonymous default `bridge`. The advertised URL is unreachable from the job, every cache request burns a ~2 min `ETIMEDOUT` (restore + save), the hit rate is zero. **Fix.** Tell `act_runner` to attach jobs to the same compose-defined bridge as the runners, via `container.network` in the shared `runner-config.yaml`. The advertised cache URL becomes a normal internal-network DNS hop, jobs reach the cache server, `cache: 'pnpm'` works end-to-end. **Blast-radius trade-off** (bounded). Every container on `apf-portal-act-runners` is one of our runner containers, plus the jobs they spawn — all of which already have full docker-socket access. Sharing a network doesn't widen what a malicious workflow can already do; it just lets jobs reach the cache server. ## What lands - `infra/runner-config.yaml` — add `container.network: apf-portal-act-runners`. Surface the `cache.enabled: true` default explicitly so the toggle is discoverable. - `.gitea/workflows/ci.yml` — re-enable `cache: 'pnpm'` on every `actions/setup-node` step (5 jobs). Drop the now-stale block comment that explained the disablement. - `.gitea/workflows/security-scheduled.yml` — same on the two setup-node steps. - `infra/README.md` "Cache server" section rewritten — was `"(deferred)"`, now describes the working setup, rationale, and the disable toggle. - `ci.yml`'s Trivy comment trimmed to drop the cross-reference to the deferred-cache-server section that no longer exists. ## Roll-out (manual, post-merge, on the runner host) ```bash cd <repo>/infra git pull ./ci-runners.sh rotate ``` `rotate` recreates the containers with the new `runner-config.yaml` mount intact (rolling restart, ~15 s pause between each runner so the CI pipeline stays online). ## Test plan - [ ] CI green on this PR (the gates run on the runners as configured **before** rollout, so this PR's run is one last "uncached" cycle). - [ ] After rollout, the next CI run's `Set up Node.js` step shows the cache restore attempt **succeed quickly** (no ETIMEDOUT). The `Run pnpm install --frozen-lockfile` step on the first post-rollout run still reports `Progress: resolved N, reused 0, downloaded N` (cold seed). - [ ] The **second** post-rollout run reports `reused N, downloaded 0` (or a small downloaded delta if Renovate moved a dep meanwhile) — the cache hit is real. - [ ] `Complete job` step at the end no longer shows `reserveCache failed: connect ETIMEDOUT` warnings. - [ ] Wall-clock for a typical PR's CI drops by ~5-10 min (5 jobs × ~30-90 s saved on `pnpm install` + the 2× ~2 min ETIMEDOUTs we used to eat). --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #82 |
||
|
|
674c8b2f88 |
chore(deps): update dependency gitleaks/gitleaks to v8.30.1 (#79)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [gitleaks/gitleaks](https://github.com/gitleaks/gitleaks) | minor | `8.21.0` -> `8.30.1` | --- ### Release Notes <details> <summary>gitleaks/gitleaks (gitleaks/gitleaks)</summary> ### [`v8.30.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.30.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.30.0...v8.30.1) ##### Changelog - [`83d9cd6`](https://github.com/gitleaks/gitleaks/commit/83d9cd684c87d95d656c1458ef04895a7f1cbd8e) update goreleaser - [`8d1f98c`](https://github.com/gitleaks/gitleaks/commit/8d1f98c7967eb1e79cb44ac6241a124e145d2165) Removed unnecessary functions from report template ([#​2040](https://github.com/gitleaks/gitleaks/issues/2040)) - [`ca20267`](https://github.com/gitleaks/gitleaks/commit/ca20267a84aa1fa2c2a9c1a13cdb50cafb48eeb0) its the simple things ([#​2020](https://github.com/gitleaks/gitleaks/issues/2020)) - [`b66ac75`](https://github.com/gitleaks/gitleaks/commit/b66ac75e4fa93d86d78fccd6e2f36d2c0698b2a2) build: switch to Go 1.24 ([#​2002](https://github.com/gitleaks/gitleaks/issues/2002)) ### [`v8.30.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.30.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.29.1...v8.30.0) ##### Changelog - [`6eaad03`](https://github.com/gitleaks/gitleaks/commit/6eaad03) 0 to 5 - notes on recursive decoding ([#​1994](https://github.com/gitleaks/gitleaks/issues/1994)) - [`09242ce`](https://github.com/gitleaks/gitleaks/commit/09242ce) Add new Looker client ID and client secret rules ([#​1947](https://github.com/gitleaks/gitleaks/issues/1947)) - [`c98e5e0`](https://github.com/gitleaks/gitleaks/commit/c98e5e0) feat: add Airtable Personnal Access Token detection ([#​1952](https://github.com/gitleaks/gitleaks/issues/1952)) - [`4ed0ca4`](https://github.com/gitleaks/gitleaks/commit/4ed0ca4) build: upgrade Go & alpine version ([#​1989](https://github.com/gitleaks/gitleaks/issues/1989)) ### [`v8.29.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.29.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.29.0...v8.29.1) ##### Changelog - [`fb5d707`](https://github.com/gitleaks/gitleaks/commit/fb5d707) thats a paddlin - [`50493db`](https://github.com/gitleaks/gitleaks/commit/50493db) feat: document stdout report path ([#​1990](https://github.com/gitleaks/gitleaks/issues/1990)) ### [`v8.29.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.29.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.28.0...v8.29.0) ##### Changelog - [`ed65b65`](https://github.com/gitleaks/gitleaks/commit/ed65b65) Add trace log for skipped archive file when not enabled ([#​1961](https://github.com/gitleaks/gitleaks/issues/1961)) - [`c5ccbb9`](https://github.com/gitleaks/gitleaks/commit/c5ccbb9) Respect contexts with timeouts ([#​1948](https://github.com/gitleaks/gitleaks/issues/1948)) - [`3821f30`](https://github.com/gitleaks/gitleaks/commit/3821f30) Config min version ([#​1955](https://github.com/gitleaks/gitleaks/issues/1955)) - [`d223718`](https://github.com/gitleaks/gitleaks/commit/d223718) fix(config): validate rules when \[extend] is used ([#​1592](https://github.com/gitleaks/gitleaks/issues/1592)) - [`87d9629`](https://github.com/gitleaks/gitleaks/commit/87d9629) feat: add Amazon Bedrock API key detection ([#​1935](https://github.com/gitleaks/gitleaks/issues/1935)) - [`228396b`](https://github.com/gitleaks/gitleaks/commit/228396b) Add GitHub Sponsors section and Discord link - [`a82bc53`](https://github.com/gitleaks/gitleaks/commit/a82bc53) feat: improve regex to detect Sonar tokens with prefixes ([#​1931](https://github.com/gitleaks/gitleaks/issues/1931)) ### [`v8.28.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.28.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.27.2...v8.28.0) ##### Changelog - [`4fb4382`](https://github.com/gitleaks/gitleaks/commit/4fb4382) cant count - [`b1c9c7e`](https://github.com/gitleaks/gitleaks/commit/b1c9c7e) Composite rules ([#​1905](https://github.com/gitleaks/gitleaks/issues/1905)) - [`72977e4`](https://github.com/gitleaks/gitleaks/commit/72977e4) feat: add Anthropic API key detection ([#​1910](https://github.com/gitleaks/gitleaks/issues/1910)) - [`7b02c98`](https://github.com/gitleaks/gitleaks/commit/7b02c98) fix(git): handle port ([#​1912](https://github.com/gitleaks/gitleaks/issues/1912)) - [`2a7bcff`](https://github.com/gitleaks/gitleaks/commit/2a7bcff) dont prematurely calculate fragment newlines ([#​1909](https://github.com/gitleaks/gitleaks/issues/1909)) - [`bd79c3e`](https://github.com/gitleaks/gitleaks/commit/bd79c3e) feat(allowlist): promote optimizations ([#​1908](https://github.com/gitleaks/gitleaks/issues/1908)) - [`7fb4eda`](https://github.com/gitleaks/gitleaks/commit/7fb4eda) Fix: CVEs on go and go crypto ([#​1868](https://github.com/gitleaks/gitleaks/issues/1868)) - [`a044b81`](https://github.com/gitleaks/gitleaks/commit/a044b81) feat: add artifactory reference token and api key detection ([#​1906](https://github.com/gitleaks/gitleaks/issues/1906)) - [`bf380d4`](https://github.com/gitleaks/gitleaks/commit/bf380d4) silly - [`f487f85`](https://github.com/gitleaks/gitleaks/commit/f487f85) Update gitleaks.yml - [`958f55a`](https://github.com/gitleaks/gitleaks/commit/958f55a) add just like that, no leaks ##### Optimizations [#​1909](https://github.com/gitleaks/gitleaks/issues/1909) waits to find newlines until a match. This ends up saving a boat load of time since before we were finding newlines for every fragment regardless if a rule matched or not. [#​1908](https://github.com/gitleaks/gitleaks/issues/1908) promoted [@​rgmz](https://github.com/rgmz) excellent stopword optimization ##### Composite Rules (Multi-part or `required` Rules) [#​1905](https://github.com/gitleaks/gitleaks/issues/1905) In v8.28.0 Gitleaks introduced composite rules, which are made up of a single "primary" rule and one or more auxiliary or `required` rules. To create a composite rule, add a `[[rules.required]]` table to the primary rule specifying an `id` and optionally `withinLines` and/or `withinColumns` proximity constraints. A fragment is a chunk of content that Gitleaks processes at once (typically a file, part of a file, or git diff), and proximity matching instructs the primary rule to only report a finding if the auxiliary `required` rules also find matches within the specified area of the fragment. **Proximity matching:** Using the `withinLines` and `withinColumns` fields instructs the primary rule to only report a finding if the auxiliary `required` rules also find matches within the specified proximity. You can set: - **`withinLines: N`** - required findings must be within N lines (vertically) - **`withinColumns: N`** - required findings must be within N characters (horizontally) - **Both** - creates a rectangular search area (both constraints must be satisfied) - **Neither** - fragment-level matching (required findings can be anywhere in the same fragment) Here are diagrams illustrating each proximity behavior: ``` p = primary captured secret a = auxiliary (required) captured secret fragment = section of data gitleaks is looking at *Fragment-level proximity* Any required finding in the fragment ┌────────┐ ┌──────┤fragment├─────┐ │ └──────┬─┤ │ ┌───────┐ │ │a│◀────┼─│✓ MATCH│ │ ┌─┐└─┘ │ └───────┘ │┌─┐ │p│ │ ││a│ ┌─┐└─┘ │ ┌───────┐ │└─┘ │a│◀──────────┼─│✓ MATCH│ └─▲─────┴─┴───────────┘ └───────┘ │ ┌───────┐ └────│✓ MATCH│ └───────┘ *Column bounded proximity* `withinColumns = 3` ┌────────┐ ┌────┬─┤fragment├─┬───┐ │ └──────┬─┤ │ ┌───────────┐ │ │ │a│◀┼───┼─│+1C ✓ MATCH│ │ ┌─┐└─┘ │ └───────────┘ │┌─┐ │ │p│ │ │ ┌──▶│a│ ┌─┐ └─┘ │ ┌───────────┐ │ │└─┘ ││a│◀────────┼───┼─│-2C ✓ MATCH│ │ │ ┘ │ └───────────┘ │ └── -3C ───0C─── +3C ─┘ │ ┌─────────┐ │ │ -4C ✗ NO│ └──│ MATCH │ └─────────┘ *Line bounded proximity* `withinLines = 4` ┌────────┐ ┌─────┤fragment├─────┐ +4L─ ─ ┴────────┘─ ─ ─│ │ │ │ ┌─┐ │ ┌────────────┐ │ ┌─┐ │a│◀──┼─│+1L ✓ MATCH │ 0L ┌─┐ │p│ └─┘ │ ├────────────┤ │ │a│◀──┴─┴────────┼─│-1L ✓ MATCH │ │ └─┘ │ └────────────┘ │ │ ┌─────────┐ -4L─ ─ ─ ─ ─ ─ ─ ─┌─┐─│ │-5L ✗ NO │ │ │a│◀┼─│ MATCH │ └────────────────┴─┴─┘ └─────────┘ *Line and column bounded proximity* `withinLines = 4` `withinColumns = 3` ┌────────┐ ┌─────┤fragment├─────┐ +4L ┌└────────┴ ┐ │ │ ┌─┐ │ ┌───────────────┐ │ │ │a│◀┼───┼─│+2L/+1C ✓ MATCH│ │ ┌─┐└─┘ │ └───────────────┘ 0L │ │p│ │ │ │ └─┘ │ │ │ │ │ ┌────────────┐ -4L ─ ─ ─ ─ ─ ─┌─┐ │ │-5L/+3C ✗ NO│ │ │a│◀┼─│ MATCH │ └───-3C────0L───+3C┴─┘ └────────────┘ ``` ### [`v8.27.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.27.2) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.27.1...v8.27.2) ##### Changelog - [`c7acf33`](https://github.com/gitleaks/gitleaks/commit/c7acf33) Merge branch 'master' of github.com:gitleaks/gitleaks - [`9faaa4a`](https://github.com/gitleaks/gitleaks/commit/9faaa4a) Add experimental allowlist optimizations ([#​1731](https://github.com/gitleaks/gitleaks/issues/1731)) - [`79068b3`](https://github.com/gitleaks/gitleaks/commit/79068b3) Detect Notion Public API Keys [#​1889](https://github.com/gitleaks/gitleaks/issues/1889) ([#​1890](https://github.com/gitleaks/gitleaks/issues/1890)) ### [`v8.27.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.27.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.27.0...v8.27.1) ##### Changelog - [`80468ef`](https://github.com/gitleaks/gitleaks/commit/80468ef) Merge branch 'master' of github.com:gitleaks/gitleaks - [`ef82237`](https://github.com/gitleaks/gitleaks/commit/ef82237) fix(atlassian): reduce false-positives for v1 pattern ([#​1892](https://github.com/gitleaks/gitleaks/issues/1892)) - [`2463f11`](https://github.com/gitleaks/gitleaks/commit/2463f11) Fix log suppresion issue ([#​1887](https://github.com/gitleaks/gitleaks/issues/1887)) - [`6f251ee`](https://github.com/gitleaks/gitleaks/commit/6f251ee) Added Heroku API Key New Version ([#​1883](https://github.com/gitleaks/gitleaks/issues/1883)) - [`20f9a1d`](https://github.com/gitleaks/gitleaks/commit/20f9a1d) Add Platform Bitbucket ([#​1886](https://github.com/gitleaks/gitleaks/issues/1886)) - [`722ce82`](https://github.com/gitleaks/gitleaks/commit/722ce82) Add Platform Gitea ([#​1884](https://github.com/gitleaks/gitleaks/issues/1884)) - [`79780b8`](https://github.com/gitleaks/gitleaks/commit/79780b8) Merge branch 'master' of github.com:gitleaks/gitleaks - [`c5683ca`](https://github.com/gitleaks/gitleaks/commit/c5683ca) prevent default warn message when max-archive-depth not set ([#​1881](https://github.com/gitleaks/gitleaks/issues/1881)) - [`0357c3c`](https://github.com/gitleaks/gitleaks/commit/0357c3c) prevent default warn message when max-archive-depth not set ### [`v8.27.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.27.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.26.0...v8.27.0) ##### Changelog - [`782f310`](https://github.com/gitleaks/gitleaks/commit/782f310) Archive support ([#​1872](https://github.com/gitleaks/gitleaks/issues/1872)) - [`489d13c`](https://github.com/gitleaks/gitleaks/commit/489d13c) Update README.md - [`d29ee55`](https://github.com/gitleaks/gitleaks/commit/d29ee55) Reduce aws-access-token false positives ([#​1876](https://github.com/gitleaks/gitleaks/issues/1876)) - [`611db65`](https://github.com/gitleaks/gitleaks/commit/611db65) Set `pass_filenames` to `false` for Docker hook ([#​1850](https://github.com/gitleaks/gitleaks/issues/1850)) - [`0589ae0`](https://github.com/gitleaks/gitleaks/commit/0589ae0) unicode decoding ([#​1854](https://github.com/gitleaks/gitleaks/issues/1854)) - [`82f7e32`](https://github.com/gitleaks/gitleaks/commit/82f7e32) Diagnostics ([#​1856](https://github.com/gitleaks/gitleaks/issues/1856)) - [`f97a9ee`](https://github.com/gitleaks/gitleaks/commit/f97a9ee) chore: include decoder in debug log ([#​1853](https://github.com/gitleaks/gitleaks/issues/1853)) Got another [@​bplaxco](https://github.com/bplaxco) release. Cheers! ##### Archive Scanning Sometimes secrets are packaged within archive files like zip files or tarballs, making them difficult to discover. Now you can tell gitleaks to automatically extract and scan the contents of archives. The flag `--max-archive-depth` enables this feature for both `dir` and `git` scan types. The default value of "0" means this feature is disabled by default. Recursive scanning is supported since archives can also contain other archives. The `--max-archive-depth` flag sets the recursion limit. Recursion stops when there are no new archives to extract, so setting a very high max depth just sets the potential to go that deep. It will only go as deep as it needs to. The findings for secrets located within an archive will include the path to the file inside the archive. Inner paths are separated with `!`. Example finding (shortened for brevity): ``` Finding: DB_PASSWORD=8ae31cacf141669ddfb5da ... File: testdata/archives/nested.tar.gz!archives/files.tar!files/.env.prod Line: 4 Commit: 6e6ee6596d337bb656496425fb98644eb62b4a82 ... Fingerprint: 6e6ee6596d337bb656496425fb98644eb62b4a82:testdata/archives/nested.tar.gz!archives/files.tar!files/.env.prod:generic-api-key:4 Link: https://github.com/leaktk/gitleaks/blob/6e6ee6596d337bb656496425fb98644eb62b4a82/testdata/archives/nested.tar.gz ``` This means a secret was detected on line 4 of `files/.env.prod.` which is in `archives/files.tar` which is in `testdata/archives/nested.tar.gz`. Currently supported formats: The [compression](https://github.com/mholt/archives?tab=readme-ov-file#supported-compression-formats) and [archive](https://github.com/mholt/archives?tab=readme-ov-file#supported-archive-formats) formats supported by mholt's [archives package](https://github.com/mholt/archives) are supported. ### [`v8.26.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.26.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.25.1...v8.26.0) ##### Changelog - [`78eebac`](https://github.com/gitleaks/gitleaks/commit/78eebac) Percent/URL Decoding Support ([#​1831](https://github.com/gitleaks/gitleaks/issues/1831)) - [`6f967ca`](https://github.com/gitleaks/gitleaks/commit/6f967ca) fix(kubernetes): remove slow element from pat ([#​1848](https://github.com/gitleaks/gitleaks/issues/1848)) - [`88f56d3`](https://github.com/gitleaks/gitleaks/commit/88f56d3) feat: identify slow file ([#​1479](https://github.com/gitleaks/gitleaks/issues/1479)) - [`9609928`](https://github.com/gitleaks/gitleaks/commit/9609928) rm 1password detect test since we test it in cfg gen - [`23cb69f`](https://github.com/gitleaks/gitleaks/commit/23cb69f) feat(rules): Add 1Password secret key detection ([#​1834](https://github.com/gitleaks/gitleaks/issues/1834)) Calling this one [@​bplaxco](https://github.com/bplaxco)'s release as he introduced a really clever method for mixed decoding without sacrificing too much performance. As I stated in his PR, I think he's either a wizard or some time traveling AI. Dude [is wicked smaht](https://www.youtube.com/watch?v=hIdsjNGCGz4) Anyways, Gitleaks now supports the following decoders: `hex`, `percent(url enconding)`, and `b64`. It's relatively straight forward to add a new decoder so if you're motivated, community contributions are welcomed! Here's an example: ``` ~/code/gitleaks-org/gitleaks (master) cat decode.txt text below aGVsbG8sIHdvcmxkIQ%3D%3D%0A text above ~/code/gitleaks-org/gitleaks (master) ./gitleaks dir decode.txt --max-decode-depth=2 --log-level=debug ○ │╲ │ ○ ○ ░ ░ gitleaks 4:08PM DBG using stdlib regex engine 4:08PM DBG unable to load gitleaks config from decode.txt/.gitleaks.toml since --source=decode.txt is a file, using default config 4:08PM DBG found .gitleaksignore file: .gitleaksignore 4:08PM DBG segment found: original=[29,38] pos=[29,38]: "%3D%3D%0A" -> "==\n" 4:08PM DBG segment found: original=[11,38] pos=[11,31]: "aGVsbG8sIHdvcmxkIQ==" -> "hello, world!" 4:08PM INF scanned ~50 bytes (50 bytes) in 1.5ms 4:08PM INF no leaks found ``` ### [`v8.25.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.25.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.25.0...v8.25.1) ##### Changelog - [`d1c7759`](https://github.com/gitleaks/gitleaks/commit/d1c7759) fix(detect): test all allowlists ([#​1845](https://github.com/gitleaks/gitleaks/issues/1845)) Big thanks [@​rgmz](https://github.com/rgmz) ### [`v8.25.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.25.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.24.3...v8.25.0) ##### Changelog - [`4451b45`](https://github.com/gitleaks/gitleaks/commit/4451b45) feat(config): define multiple global allowlists ([#​1777](https://github.com/gitleaks/gitleaks/issues/1777)) (cause for the minor bump change) - [`7fb21a4`](https://github.com/gitleaks/gitleaks/commit/7fb21a4) feat(rules): Add Perplexity AI API key detection ([#​1825](https://github.com/gitleaks/gitleaks/issues/1825)) - [`f6193bc`](https://github.com/gitleaks/gitleaks/commit/f6193bc) feat(gcp): increase rule entropy ([#​1840](https://github.com/gitleaks/gitleaks/issues/1840)) - [`9bc7257`](https://github.com/gitleaks/gitleaks/commit/9bc7257) Adding clickhouse scanner ([#​1826](https://github.com/gitleaks/gitleaks/issues/1826)) - [`b6cc71a`](https://github.com/gitleaks/gitleaks/commit/b6cc71a) fix(baseline): work with --redact ([#​1741](https://github.com/gitleaks/gitleaks/issues/1741)) - [`cfdeb0d`](https://github.com/gitleaks/gitleaks/commit/cfdeb0d) feat(rule): validate & sort rule when generating ([#​1817](https://github.com/gitleaks/gitleaks/issues/1817)) ### [`v8.24.3`](https://github.com/gitleaks/gitleaks/releases/tag/v8.24.3) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.24.2...v8.24.3) ##### Changelog - [`107a418`](https://github.com/gitleaks/gitleaks/commit/107a418) Add support for GitLab Runner Tokens (Routable) ([#​1820](https://github.com/gitleaks/gitleaks/issues/1820)) - [`7fac002`](https://github.com/gitleaks/gitleaks/commit/7fac002) bump repo version in pre-commit example ([#​1815](https://github.com/gitleaks/gitleaks/issues/1815)) - [`4b54104`](https://github.com/gitleaks/gitleaks/commit/4b54104) Fix currentLine out of bounds error ([#​1810](https://github.com/gitleaks/gitleaks/issues/1810)) - [`af7d5bc`](https://github.com/gitleaks/gitleaks/commit/af7d5bc) add support for Azure DevOps platform in SCM detection and link ([#​1807](https://github.com/gitleaks/gitleaks/issues/1807)) - [`3e8cd2d`](https://github.com/gitleaks/gitleaks/commit/3e8cd2d) Add MaxMind license key rule ([#​1771](https://github.com/gitleaks/gitleaks/issues/1771)) - [`ddcc753`](https://github.com/gitleaks/gitleaks/commit/ddcc753) implement new openai regex pattern ([#​1780](https://github.com/gitleaks/gitleaks/issues/1780)) - [`9708e65`](https://github.com/gitleaks/gitleaks/commit/9708e65) A first attempt adding hooks.slack.com/triggers/ ([#​1792](https://github.com/gitleaks/gitleaks/issues/1792)) - [`198e410`](https://github.com/gitleaks/gitleaks/commit/198e410) feat(generic): tweak false-positives ([#​1803](https://github.com/gitleaks/gitleaks/issues/1803)) - [`e273a97`](https://github.com/gitleaks/gitleaks/commit/e273a97) chore: tweak logging and readme for GITLEAKS\_CONFIG\_TOML feature ([#​1802](https://github.com/gitleaks/gitleaks/issues/1802)) - [`a503b58`](https://github.com/gitleaks/gitleaks/commit/a503b58) feat: add option to set config from env var with toml content ([#​1662](https://github.com/gitleaks/gitleaks/issues/1662)) ### [`v8.24.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.24.2) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.24.0...v8.24.2) ##### What's Changed - Fix `platform` flag being ignored with `gitleaks detect` by [@​rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1765 - Make AddFinding public by [@​bplaxco](https://github.com/bplaxco) in https://github.com/gitleaks/gitleaks/pull/1767 - FIX upgrade x/crypto to 0.31.0 to get rid of CVE-2024-45337 by [@​cgoessen](https://github.com/cgoessen) in https://github.com/gitleaks/gitleaks/pull/1768 - Upgrade rs/zerolog, spf13/cobra, and spf13/viper by [@​rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1769 - Infer `report-format` from `report-path` extension if no value is provided by [@​rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1776 - `generic-api-key`: ignore csrf-tokens by [@​rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1779 - Prevent Yocto/BitBake false positives with generic-api-key rule by [@​Okeanos](https://github.com/Okeanos) in https://github.com/gitleaks/gitleaks/pull/1783 - Fix decoded line allowlist by [@​zricethezav](https://github.com/zricethezav) in https://github.com/gitleaks/gitleaks/pull/1788 - Readme badge revisions by [@​jessp01](https://github.com/jessp01) in https://github.com/gitleaks/gitleaks/pull/1744 - feat(regexp): use standard regexp by default, make go-re2 opt-in by [@​twpayne](https://github.com/twpayne) in https://github.com/gitleaks/gitleaks/pull/1798 - gore2 release tags by [@​zricethezav](https://github.com/zricethezav) in https://github.com/gitleaks/gitleaks/pull/1801 ##### New Contributors - [@​cgoessen](https://github.com/cgoessen) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1768 - [@​Okeanos](https://github.com/Okeanos) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1783 - [@​jessp01](https://github.com/jessp01) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1744 - [@​twpayne](https://github.com/twpayne) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1798 **Full Changelog**: https://github.com/gitleaks/gitleaks/compare/v8.24.0...v8.24.2 ### [`v8.24.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.24.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.3...v8.24.0) ##### Changelog - [`c2afd56`](https://github.com/gitleaks/gitleaks/commit/c2afd56) Make paths and fingerprints platform-agnostic ([#​1622](https://github.com/gitleaks/gitleaks/issues/1622)) - [`818e32f`](https://github.com/gitleaks/gitleaks/commit/818e32f) Add Sonar rule ([#​1756](https://github.com/gitleaks/gitleaks/issues/1756)) - [`3fa5a3a`](https://github.com/gitleaks/gitleaks/commit/3fa5a3a) Minor false positive improvements ([#​1758](https://github.com/gitleaks/gitleaks/issues/1758)) - [`2020e6a`](https://github.com/gitleaks/gitleaks/commit/2020e6a) Add support for streaming DetectReader ([#​1760](https://github.com/gitleaks/gitleaks/issues/1760)) - [`9122a2d`](https://github.com/gitleaks/gitleaks/commit/9122a2d) chore: Update github.com/wasilibs/go-re2 to v1.9.0 ([#​1763](https://github.com/gitleaks/gitleaks/issues/1763)) - [`398d0c4`](https://github.com/gitleaks/gitleaks/commit/398d0c4) docs: describe extended rules take precedence over base rules ([#​1563](https://github.com/gitleaks/gitleaks/issues/1563)) - [`ae26eff`](https://github.com/gitleaks/gitleaks/commit/ae26eff) feat(git): disable link generation ([#​1748](https://github.com/gitleaks/gitleaks/issues/1748)) - [`c6424a6`](https://github.com/gitleaks/gitleaks/commit/c6424a6) added sourcegraph token rule ([#​1736](https://github.com/gitleaks/gitleaks/issues/1736)) - [`6411402`](https://github.com/gitleaks/gitleaks/commit/6411402) feat(config): add rule for .p12 files ([#​1738](https://github.com/gitleaks/gitleaks/issues/1738)) - [`d71d95d`](https://github.com/gitleaks/gitleaks/commit/d71d95d) add deno.lock to default exclusions ([#​1740](https://github.com/gitleaks/gitleaks/issues/1740)) ### [`v8.23.3`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.3) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.2...v8.23.3) ##### Changelog - [`3188ad6`](https://github.com/gitleaks/gitleaks/commit/3188ad6) Don't exit with error if git repacking is required ([#​1711](https://github.com/gitleaks/gitleaks/issues/1711)) - [`7fc11bb`](https://github.com/gitleaks/gitleaks/commit/7fc11bb) refactor(config): use non-capture groups for allowlists ([#​1735](https://github.com/gitleaks/gitleaks/issues/1735)) - [`36c52c6`](https://github.com/gitleaks/gitleaks/commit/36c52c6) chore: Enhance `curl-auth-user` to detect empty usernames or passwords ([#​1726](https://github.com/gitleaks/gitleaks/issues/1726)) - [`1f323d8`](https://github.com/gitleaks/gitleaks/commit/1f323d8) fix(cmd): read log-opts before GitLogCmd ([#​1730](https://github.com/gitleaks/gitleaks/issues/1730)) ### [`v8.23.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.2) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.1...v8.23.2) ##### Changelog - [`d88bc09`](https://github.com/gitleaks/gitleaks/commit/d88bc09) facebook keyword - [`3fdaefd`](https://github.com/gitleaks/gitleaks/commit/3fdaefd) fix(meraki): restrict keyword case ([#​1722](https://github.com/gitleaks/gitleaks/issues/1722)) - [`f3ae52e`](https://github.com/gitleaks/gitleaks/commit/f3ae52e) feat(generic-api-key): detect base64 ([#​1598](https://github.com/gitleaks/gitleaks/issues/1598)) - [`d6a828a`](https://github.com/gitleaks/gitleaks/commit/d6a828a) great branch name ([#​1721](https://github.com/gitleaks/gitleaks/issues/1721)) - [`d2ffffe`](https://github.com/gitleaks/gitleaks/commit/d2ffffe) fix(git): remove .git suffix for links ([#​1716](https://github.com/gitleaks/gitleaks/issues/1716)) - [`a43dc0d`](https://github.com/gitleaks/gitleaks/commit/a43dc0d) chore: refine generic-api-key fps + trace logging ([#​1720](https://github.com/gitleaks/gitleaks/issues/1720)) - [`69ed20e`](https://github.com/gitleaks/gitleaks/commit/69ed20e) fix(generate): move newline out of char range ([#​1719](https://github.com/gitleaks/gitleaks/issues/1719)) - [`52b895a`](https://github.com/gitleaks/gitleaks/commit/52b895a) newline literal ([#​1718](https://github.com/gitleaks/gitleaks/issues/1718)) - [`3f4d91f`](https://github.com/gitleaks/gitleaks/commit/3f4d91f) build: support either stdlib or 3rd-party regexp ([#​1706](https://github.com/gitleaks/gitleaks/issues/1706)) - [`049f5b2`](https://github.com/gitleaks/gitleaks/commit/049f5b2) chore(detect): update trace logging ([#​1713](https://github.com/gitleaks/gitleaks/issues/1713)) - [`7a6183d`](https://github.com/gitleaks/gitleaks/commit/7a6183d) feat(git): redact passwords from remote URL ([#​1709](https://github.com/gitleaks/gitleaks/issues/1709)) - [`3c7f3f0`](https://github.com/gitleaks/gitleaks/commit/3c7f3f0) feat(git): include link in report ([#​1698](https://github.com/gitleaks/gitleaks/issues/1698)) - [`0e3f4f7`](https://github.com/gitleaks/gitleaks/commit/0e3f4f7) chore: reduce generic-api-key fps ([#​1707](https://github.com/gitleaks/gitleaks/issues/1707)) - [`3ed8567`](https://github.com/gitleaks/gitleaks/commit/3ed8567) blorp - [`e977850`](https://github.com/gitleaks/gitleaks/commit/e977850) added new rule for cisco meraki api key ([#​1700](https://github.com/gitleaks/gitleaks/issues/1700)) - [`ad7a4fb`](https://github.com/gitleaks/gitleaks/commit/ad7a4fb) feat: general fp tweaks ([#​1703](https://github.com/gitleaks/gitleaks/issues/1703)) - [`b2cf03c`](https://github.com/gitleaks/gitleaks/commit/b2cf03c) chore(generate): use \x60 instead of literal ([#​1702](https://github.com/gitleaks/gitleaks/issues/1702)) - [`a3f623c`](https://github.com/gitleaks/gitleaks/commit/a3f623c) chore(regex): simplify secretPrefix, suffix ([#​1620](https://github.com/gitleaks/gitleaks/issues/1620)) - [`cc71bb1`](https://github.com/gitleaks/gitleaks/commit/cc71bb1) update version for pre-commit in README.md ([#​1699](https://github.com/gitleaks/gitleaks/issues/1699)) ### [`v8.23.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.0...v8.23.1) ##### Changelog - [`7bad9f7`](https://github.com/gitleaks/gitleaks/commit/7bad9f7) chore(gcp): add firebase example keys to the gcp-api-key allowlists ([#​1635](https://github.com/gitleaks/gitleaks/issues/1635)) - [`977236c`](https://github.com/gitleaks/gitleaks/commit/977236c) fix: unaligned 64-bit atomic operation panic ([#​1696](https://github.com/gitleaks/gitleaks/issues/1696)) - [`a211b16`](https://github.com/gitleaks/gitleaks/commit/a211b16) force push to master everyday - [`0e5f644`](https://github.com/gitleaks/gitleaks/commit/0e5f644) feat(config): disable extended rule ([#​1535](https://github.com/gitleaks/gitleaks/issues/1535)) - [`f320a60`](https://github.com/gitleaks/gitleaks/commit/f320a60) style: prevent globbing and word splitting ([#​1543](https://github.com/gitleaks/gitleaks/issues/1543)) - [`c4526b2`](https://github.com/gitleaks/gitleaks/commit/c4526b2) refactor(generic-api-key): remove hard-coded 'magic' ([#​1600](https://github.com/gitleaks/gitleaks/issues/1600)) - [`748076d`](https://github.com/gitleaks/gitleaks/commit/748076d) chore(generate): add failing test case ([#​1690](https://github.com/gitleaks/gitleaks/issues/1690)) ### [`v8.23.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.22.1...v8.23.0) ##### Changelog - [`db8e5e6`](https://github.com/gitleaks/gitleaks/commit/db8e5e6) feat(generate): use multiple allowlists ([#​1691](https://github.com/gitleaks/gitleaks/issues/1691)) - [`973c794`](https://github.com/gitleaks/gitleaks/commit/973c794) chore(rules): include fps in reference ([#​1471](https://github.com/gitleaks/gitleaks/issues/1471)) - [`f0d4499`](https://github.com/gitleaks/gitleaks/commit/f0d4499) Add comma as operator for GenerateSemiGenericRegex ([#​1679](https://github.com/gitleaks/gitleaks/issues/1679)) - [`ab38a46`](https://github.com/gitleaks/gitleaks/commit/ab38a46) refactor: central logger ([#​1692](https://github.com/gitleaks/gitleaks/issues/1692)) - [`b022d1c`](https://github.com/gitleaks/gitleaks/commit/b022d1c) friendship ended with tines READ THIS!!! The default gitleaks config now uses `[[rules.allowlists]]` ```toml ##### ⚠️ In v8.21.0 `[rules.allowlist]` was replaced with `[[rules.allowlists]]`. ##### This change was backwards-compatible: instances of `[rules.allowlist]` still work. # ##### You can define multiple allowlists for a rule to reduce false positives. ##### A finding will be ignored if _ANY_ `[[rules.allowlists]]` matches. [[rules.allowlists]] description = "ignore commit A" ##### When multiple criteria are defined the default condition is "OR". ##### e.g., this can match on |commits| OR |paths| OR |stopwords|. condition = "OR" commits = [ "commit-A", "commit-B"] paths = [ '''go\.mod''', '''go\.sum''' ] ##### note: stopwords targets the extracted secret, not the entire regex match ##### like 'regexes' does. (stopwords introduced in 8.8.0) stopwords = [ '''client''', '''endpoint''', ] [[rules.allowlists]] ##### The "AND" condition can be used to make sure all criteria match. ##### e.g., this matches if |regexes| AND |paths| are satisfied. condition = "AND" ##### note: |regexes| defaults to check the _Secret_ in the finding. ##### Acceptable values for |regexTarget| are "secret" (default), "match", and "line". regexTarget = "match" regexes = [ '''(?i)parseur[il]''' ] paths = [ '''package-lock\.json''' ] ``` ### [`v8.22.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.22.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.22.0...v8.22.1) ##### Changelog - [`b69b515`](https://github.com/gitleaks/gitleaks/commit/b69b515) Entropy trace ([#​1659](https://github.com/gitleaks/gitleaks/issues/1659)) - [`7357adc`](https://github.com/gitleaks/gitleaks/commit/7357adc) build: add 'toolchain' to go.mod ([#​1682](https://github.com/gitleaks/gitleaks/issues/1682)) - [`4c3da6e`](https://github.com/gitleaks/gitleaks/commit/4c3da6e) refactor(detect): create readUntilSafeBoundary + add tests ([#​1676](https://github.com/gitleaks/gitleaks/issues/1676)) - [`dbe3746`](https://github.com/gitleaks/gitleaks/commit/dbe3746) twitter really does suck ass now - [`7edfc6b`](https://github.com/gitleaks/gitleaks/commit/7edfc6b) chore(tests): test cases for generate.go ([#​1623](https://github.com/gitleaks/gitleaks/issues/1623)) - [`efe40ca`](https://github.com/gitleaks/gitleaks/commit/efe40ca) fix: only use non-empty secret groups ([#​1632](https://github.com/gitleaks/gitleaks/issues/1632)) - [`7cb5f6f`](https://github.com/gitleaks/gitleaks/commit/7cb5f6f) build: upgrade sprig v2->v3 ([#​1674](https://github.com/gitleaks/gitleaks/issues/1674)) - [`2930537`](https://github.com/gitleaks/gitleaks/commit/2930537) fix: generate report file even if no findings ([#​1673](https://github.com/gitleaks/gitleaks/issues/1673)) ### [`v8.22.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.22.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.4...v8.22.0) ##### Changelog - [`a91c671`](https://github.com/gitleaks/gitleaks/commit/a91c671) replace std library regex engine with go-re2 ([#​1669](https://github.com/gitleaks/gitleaks/issues/1669)) *** This bumps the gitleaks binary size from around 8.5MB to 15MB but yields 2-4x speedup. Worth it imo. If you feel strongly against this change feel free to open an issue where we can discuss the tradeoffs in more depth. Credit to [@​ahrav](https://github.com/ahrav) ### [`v8.21.4`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.4) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.3...v8.21.4) ##### Changelog - [`906085f`](https://github.com/gitleaks/gitleaks/commit/906085f) Update golang version to 1.23 ([#​1672](https://github.com/gitleaks/gitleaks/issues/1672)) - [`8a83062`](https://github.com/gitleaks/gitleaks/commit/8a83062) log bytes ([#​1670](https://github.com/gitleaks/gitleaks/issues/1670)) ### [`v8.21.3`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.3) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.2...v8.21.3) ##### Changelog - [`a9e6d8c`](https://github.com/gitleaks/gitleaks/commit/a9e6d8c) go mod 1.23 - [`2f73a3e`](https://github.com/gitleaks/gitleaks/commit/2f73a3e) Ensure keywords are downcased ([#​1633](https://github.com/gitleaks/gitleaks/issues/1633)) - [`f696605`](https://github.com/gitleaks/gitleaks/commit/f696605) feat: add settlemint api keys detection ([#​1663](https://github.com/gitleaks/gitleaks/issues/1663)) - [`0bf13fc`](https://github.com/gitleaks/gitleaks/commit/0bf13fc) feat(dir): better chunking ([#​1665](https://github.com/gitleaks/gitleaks/issues/1665)) - [`83e99ba`](https://github.com/gitleaks/gitleaks/commit/83e99ba) feat(report): allow user-defined templates ([#​1650](https://github.com/gitleaks/gitleaks/issues/1650)) - [`e393d29`](https://github.com/gitleaks/gitleaks/commit/e393d29) Add support for GitLab routable tokens ([#​1656](https://github.com/gitleaks/gitleaks/issues/1656)) - [`263ce82`](https://github.com/gitleaks/gitleaks/commit/263ce82) Add freemius secret key detection ([#​1611](https://github.com/gitleaks/gitleaks/issues/1611)) - [`3c0e068`](https://github.com/gitleaks/gitleaks/commit/3c0e068) fix(kubernetes): only match 'kind: secret' ([#​1649](https://github.com/gitleaks/gitleaks/issues/1649)) - [`f3adda0`](https://github.com/gitleaks/gitleaks/commit/f3adda0) feat: use STDOUT when report file not specified ([#​1642](https://github.com/gitleaks/gitleaks/issues/1642)) - [`ed205a5`](https://github.com/gitleaks/gitleaks/commit/ed205a5) fix(dir): skip opening file\&dir if allowlist matches ([#​1653](https://github.com/gitleaks/gitleaks/issues/1653)) - [`6018012`](https://github.com/gitleaks/gitleaks/commit/6018012) fix: increase chunk size 10kb -> 100kb ([#​1652](https://github.com/gitleaks/gitleaks/issues/1652)) - [`7f77987`](https://github.com/gitleaks/gitleaks/commit/7f77987) feat: detect sentry.io tokens in the new format ([#​1640](https://github.com/gitleaks/gitleaks/issues/1640)) - [`48a2e0e`](https://github.com/gitleaks/gitleaks/commit/48a2e0e) refactor: pre-commit hooks ([#​1627](https://github.com/gitleaks/gitleaks/issues/1627)) - [`4e303d0`](https://github.com/gitleaks/gitleaks/commit/4e303d0) fix(easypost): only detect tokens of correct length ([#​1628](https://github.com/gitleaks/gitleaks/issues/1628)) - [`c1add1d`](https://github.com/gitleaks/gitleaks/commit/c1add1d) feat(dir): continue on permission error ([#​1621](https://github.com/gitleaks/gitleaks/issues/1621)) - [`202106a`](https://github.com/gitleaks/gitleaks/commit/202106a) Add human readable description for curl rules ([#​1625](https://github.com/gitleaks/gitleaks/issues/1625)) - [`8e94f98`](https://github.com/gitleaks/gitleaks/commit/8e94f98) Add option to include `Line` field in report ([#​1616](https://github.com/gitleaks/gitleaks/issues/1616)) - [`dbb42a7`](https://github.com/gitleaks/gitleaks/commit/dbb42a7) hm (great comment) - [`2599460`](https://github.com/gitleaks/gitleaks/commit/2599460) Update README.md - [`8ffb980`](https://github.com/gitleaks/gitleaks/commit/8ffb980) nop for stupid build - [`4181ad6`](https://github.com/gitleaks/gitleaks/commit/4181ad6) Add new jira api token pattern ([#​1601](https://github.com/gitleaks/gitleaks/issues/1601)) - [`48ea14b`](https://github.com/gitleaks/gitleaks/commit/48ea14b) feat: update global & generic allowlist ([#​1618](https://github.com/gitleaks/gitleaks/issues/1618)) - [`81f0002`](https://github.com/gitleaks/gitleaks/commit/81f0002) fix(vault-service-token): ensure that TPS contains digits ([#​1614](https://github.com/gitleaks/gitleaks/issues/1614)) - [`c11adc9`](https://github.com/gitleaks/gitleaks/commit/c11adc9) Generate comprehensive secret samples ([#​1484](https://github.com/gitleaks/gitleaks/issues/1484)) - [`d1d9054`](https://github.com/gitleaks/gitleaks/commit/d1d9054) fix(aws): detect token in url ([#​1615](https://github.com/gitleaks/gitleaks/issues/1615)) - [`5fe58bf`](https://github.com/gitleaks/gitleaks/commit/5fe58bf) fix(rules): entropy, uppercase in samples ([#​1593](https://github.com/gitleaks/gitleaks/issues/1593)) - [`5c2e813`](https://github.com/gitleaks/gitleaks/commit/5c2e813) feat: tweak rules ([#​1608](https://github.com/gitleaks/gitleaks/issues/1608)) ### [`v8.21.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.2) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.1...v8.21.2) ##### Changelog - [`43fae35`](https://github.com/gitleaks/gitleaks/commit/43fae35) feat(rules): create Octopus Deploy api key ([#​1602](https://github.com/gitleaks/gitleaks/issues/1602)) - [`a158e4f`](https://github.com/gitleaks/gitleaks/commit/a158e4f) fix(aws-access-token): only match if correct length ([#​1584](https://github.com/gitleaks/gitleaks/issues/1584)) - [`b6e0eee`](https://github.com/gitleaks/gitleaks/commit/b6e0eee) fix(config): ignore jquery/swagger w/o version ([#​1607](https://github.com/gitleaks/gitleaks/issues/1607)) - [`722e7d8`](https://github.com/gitleaks/gitleaks/commit/722e7d8) feat: add new GitLab tokens ([#​1560](https://github.com/gitleaks/gitleaks/issues/1560)) - [`961f2e6`](https://github.com/gitleaks/gitleaks/commit/961f2e6) feat(generic-api-key): tune false positives ([#​1606](https://github.com/gitleaks/gitleaks/issues/1606)) - [`e734fcf`](https://github.com/gitleaks/gitleaks/commit/e734fcf) Create .gitleaks.toml ([#​1605](https://github.com/gitleaks/gitleaks/issues/1605)) - [`7206d6b`](https://github.com/gitleaks/gitleaks/commit/7206d6b) feat(curl): tweak tps and fps ([#​1603](https://github.com/gitleaks/gitleaks/issues/1603)) - [`2db25f1`](https://github.com/gitleaks/gitleaks/commit/2db25f1) feat(config): ignore swagger-ui assets ([#​1604](https://github.com/gitleaks/gitleaks/issues/1604)) - [`e97695b`](https://github.com/gitleaks/gitleaks/commit/e97695b) feat(generic-api-key): exclude keywords ([#​1587](https://github.com/gitleaks/gitleaks/issues/1587)) - [`0afb525`](https://github.com/gitleaks/gitleaks/commit/0afb525) feat(okta): bump entropy to 4 ([#​1599](https://github.com/gitleaks/gitleaks/issues/1599)) - [`2068870`](https://github.com/gitleaks/gitleaks/commit/2068870) feat: update global allowlist ([#​1597](https://github.com/gitleaks/gitleaks/issues/1597)) - [`8cf93b9`](https://github.com/gitleaks/gitleaks/commit/8cf93b9) refactor(allowlist): deduplicate commits & keywords ([#​1596](https://github.com/gitleaks/gitleaks/issues/1596)) - [`50c2818`](https://github.com/gitleaks/gitleaks/commit/50c2818) feat(config): ignore jquery static assets ([#​1595](https://github.com/gitleaks/gitleaks/issues/1595)) - [`455ae0a`](https://github.com/gitleaks/gitleaks/commit/455ae0a) More rule fixes ([#​1586](https://github.com/gitleaks/gitleaks/issues/1586)) - [`5407c44`](https://github.com/gitleaks/gitleaks/commit/5407c44) chore: log skipped symlinks ([#​1591](https://github.com/gitleaks/gitleaks/issues/1591)) - [`d03d6c4`](https://github.com/gitleaks/gitleaks/commit/d03d6c4) feat: match left side of identifier ([#​1585](https://github.com/gitleaks/gitleaks/issues/1585)) - [`851c11a`](https://github.com/gitleaks/gitleaks/commit/851c11a) what secrets? - [`8cfa6b2`](https://github.com/gitleaks/gitleaks/commit/8cfa6b2) fix(rules): add entropy ([#​1580](https://github.com/gitleaks/gitleaks/issues/1580)) - [`9152eaa`](https://github.com/gitleaks/gitleaks/commit/9152eaa) feat(aws): add entropy & allowlist ([#​1582](https://github.com/gitleaks/gitleaks/issues/1582)) - [`93acc6e`](https://github.com/gitleaks/gitleaks/commit/93acc6e) feat(rules): add 1password token ([#​1583](https://github.com/gitleaks/gitleaks/issues/1583)) - [`83a5724`](https://github.com/gitleaks/gitleaks/commit/83a5724) feat(config): add curl header rule ([#​1576](https://github.com/gitleaks/gitleaks/issues/1576)) ### [`v8.21.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.0...v8.21.1) ##### Changelog - [`cf5334f`](https://github.com/gitleaks/gitleaks/commit/cf5334f) feat: add curl basic auth rule ([#​1575](https://github.com/gitleaks/gitleaks/issues/1575)) - [`d07b394`](https://github.com/gitleaks/gitleaks/commit/d07b394) Update spelling in README.md ([#​1574](https://github.com/gitleaks/gitleaks/issues/1574)) - [`5c03fa4`](https://github.com/gitleaks/gitleaks/commit/5c03fa4) refactor(allowlist): use iota for condition ([#​1569](https://github.com/gitleaks/gitleaks/issues/1569)) - [`12034a7`](https://github.com/gitleaks/gitleaks/commit/12034a7) refactor(config): temporarily switch to \[rules.allowlist] ([#​1573](https://github.com/gitleaks/gitleaks/issues/1573)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: https://git.unespace.com/julien/apf_portal/pulls/79 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
4473b1d4a4 |
chore(ci): track trivy and gitleaks binary versions via renovate custom manager (#78)
## Summary Until now the Trivy and gitleaks pins in `.gitea/workflows/*.yml` were manual — Renovate's built-in managers only see package-manager-tracked deps (npm, docker-compose images, GitHub Actions, etc.) and ignore plain env vars. The comment in each workflow telling the next contributor to "bump manually from the releases page" is the kind of friction that gets forgotten between two security advisories. Add a **custom regex manager** that picks up `# renovate: datasource=… depName=…` annotations immediately followed by an env-var assignment of the form `<NAME>_VERSION: '<version>'`. The 4 pins (`TRIVY_VERSION` + `GITLEAKS_VERSION` in both `ci.yml` and `security-scheduled.yml`) get annotated with the `github-releases` datasource and the upstream `owner/repo` depName. `extractVersionTemplate: ^v?(?<version>.+)$` strips the `v` prefix used by both projects' release tags, so the version substituted into the env var (which our shell script consumes without `v`) stays correct. ## What lands - **`renovate.json`** — new `customManagers` block. The dashboard triage header is updated to reflect the new tracking (was "not Renovate-tracked yet"). - **`.gitea/workflows/ci.yml`** — annotate the Trivy and gitleaks env vars; remove the dead "manual bump" comments. - **`.gitea/workflows/security-scheduled.yml`** — same. ## Verified Node-side dry-run of the regex against both workflow files: ``` ci.yml → trivy 0.70.0, gitleaks 8.21.0 security-scheduled.yml → trivy 0.70.0, gitleaks 8.21.0 ``` All 4 expected matches with the right `datasource` / `depName` / `currentValue` captures. ## Test plan - [ ] CI green on this PR. - [ ] After merge, the next Renovate run picks up Trivy and gitleaks as detected dependencies in the dashboard. New patch / minor releases should now produce normal Renovate PRs (auto-merging on patches per #74). - [ ] No manual "bump from the releases page" reminders left in the workflow YAML. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #78 |
||
|
|
a0e8e095d0 |
fix(ci): run scanners before pnpm install to avoid node_modules false positives (#51)
## Summary First successful gitleaks run flagged **381 "leaks"** — all inside `node_modules/` and `.pnpm-store/`, populated by the `pnpm install --frozen-lockfile` step that ran earlier in the job. Upstream npm packages routinely embed demo RSA keys / fake API tokens in their READMEs and test fixtures, and gitleaks correctly (by its rules) flags them. Same class of false-positive Trivy hit in #49 — solved there by `--scanners vuln`. Here, the cleanest solution is **reordering**: run the scanners *before* `pnpm install`, so the working tree contains only our committed source. - **Trivy** scans `pnpm-lock.yaml` (committed) — doesn't need install. - **Gitleaks** scans the working tree (`--no-git --source .` in ci.yml) — doesn't need install. - **pnpm audit** reads `pnpm-lock.yaml` against the advisory DB — also doesn't need install. The install before audit remains for the workspace-integrity sanity check. The ordering rationale is committed as a comment at the top of each job's `steps:` block, so a future contributor doesn't innocently shuffle the steps and re-flood the gate with FPs. Same reordering applied to `.gitea/workflows/security-scheduled.yml` for consistency, even though its deep-history gitleaks scan doesn't suffer this issue (`node_modules` is `.gitignore`d from day one — never in history). ## Test plan - [ ] `scan` job goes green end-to-end on this PR — gitleaks reports 0 leaks (or only real ones from our source, none expected). - [ ] On `push` to main post-merge, scan stays green. - [ ] Trigger `security-scheduled` manually before next Monday's cron to verify the same ordering doesn't break the deep scan. ## After this PR With #43 (TS/ESLint reverts), #45 (Trivy install), #49 (Trivy `--scanners vuln`), #50 (gitleaks install), and now this — every gate of the CI pipeline should be green end-to-end. Phase-1 CI bring-up is then complete and we can move to **A — local infra recipe** (Postgres + Redis + OTel Collector). --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #51 |
||
|
|
0d27f835c3 |
fix(ci): replace gitleaks-action with manual install (#50)
## Summary `gitleaks/gitleaks-action@v2` is now paywalled for organisations — the action requires a `GITLEAKS_LICENSE` secret from gitleaks.io (commercial) or it errors out: ``` 🛑 missing gitleaks license. Go grab one at gitleaks.io and store it as a GitHub Secret named GITLEAKS_LICENSE. ``` Worse, on Gitea it cannot reliably detect personal-vs-org accounts (different API contract), so it defaults to license enforcement and the scan always fails. The **gitleaks binary itself stays MIT-licensed and free** — only the wrapper went commercial. Mirror the pattern from #45 (Trivy): drop the wrapper, install the binary directly via curl + tar, run the CLI. ## Scope of the PR The same two broken integrations existed in `.gitea/workflows/security-scheduled.yml` and would have failed silently at next Monday's cron. Fix both files in one PR for consistency. - **`ci.yml`** — gitleaks step replaced. Per-PR scan uses `--no-git --source .` (working tree only — the scan job uses a shallow checkout anyway). - **`security-scheduled.yml`** — both gitleaks AND trivy steps replaced; `fetch-depth: 0` added so gitleaks can do its **deep history scan** here (the value-add of the scheduled job over the per-PR gate); `cache: 'pnpm'` dropped from `actions/setup-node` (consistency with #8 — the act_runner cache server is unreachable from job containers). - `--redact` on both gitleaks invocations so any matched secret is masked in the CI log itself (avoids re-leaking via log artefacts). ## Trade-off Like Trivy, gitleaks version is now manually pinned. Same comment in the workflow points to releases for bumps. ## Test plan - [ ] `scan` job goes green end-to-end on this PR (audit ✓, Trivy ✓, gitleaks ✓). - [ ] `gitleaks version` line in the install step's logs shows `8.21.0`. - [ ] On `push` to main post-merge, scan stays green. - [ ] Trigger `security-scheduled` manually (Actions → Run workflow) to verify the deep-history scan path before next Monday's cron fires. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #50 |
||
|
|
6fc26db1b5 |
fix(ci): restrict Trivy to vulnerability scanner only (#48)
## Summary First successful Trivy run (post #45's manual install) came back red on three "secret" findings — all demo RSA private keys embedded in the README / test fixtures of a cryptographic npm package, sitting deep in `.pnpm-store/v10/files/...`. None of them are our secrets. Two observations: - The `scan` job already chains `gitleaks/gitleaks-action@v2` right after Trivy. Running two secret scanners over the same tree just doubles the false-positive surface. - Trivy's own log suggests `--scanners vuln` when secret scanning isn't the focus. And [ADR-0015](docs/decisions/0015-cicd-gitea-actions.md) always framed this step as "dependency vulnerability scan" — singular. Restrict Trivy to `--scanners vuln`. Result: vuln scan against `pnpm-lock.yaml` complementing `pnpm audit` (which uses the npm advisory DB; Trivy's DB is broader, sources from OSV/GHSA/etc.). Gitleaks stays the single secret-scan source. No `--skip-dirs` change needed: vuln scanning reads `pnpm-lock.yaml`, not the unpacked store. ## Test plan - [ ] `scan` job goes green end-to-end on this PR — `pnpm ci:audit` ✓, `Install Trivy` ✓, `Run Trivy` ✓ (no secret findings reported), `gitleaks` ✓. - [ ] On `push` to main post-merge, scan stays green. - [ ] Future Trivy bumps (manual, see workflow comment) keep this `--scanners vuln` flag. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #48 |
||
|
|
57a08c3b71 |
fix(ci): replace trivy-action with manual curl install (#45)
## Summary PR #44's `GITHUB_TOKEN` env injection didn't actually authenticate the github.com clone. Root cause: `aquasecurity/trivy-action` wraps `actions/checkout`, whose `with.token` input defaults to `${{ github.token }}` (Gitea's auto-token, useless against github.com), and that wins over our env var. The clone keeps hitting the anonymous rate limit. Rather than fight the action's internals (`INPUT_TOKEN` overrides, `git config insteadOf` injection, etc.), drop it and install Trivy directly via `curl + tar` from the GitHub release artefact. ## Side benefits - **Version pinned** (`TRIVY_VERSION=0.70.0`) — no more `@master`. Moving-target tags are exactly what bit us in #43 (the TS6 / ESLint10 / webpack-cli7 mess); not adding a new instance of the same anti-pattern. - **Predictable** — straight curl + tar, no third-party action indirection to debug. - `GITHUBCOM_TOKEN` passed as Bearer header on the curl — defensive: release artefact downloads are usually unmetered, but auth is free insurance against rate-limit surprises. ## Trade-off Trivy version bumps become manual. Renovate can't track this pin out of the box. A custom regex manager in `renovate.json` could be added later if the cadence justifies it; for now, manual review of [Trivy releases](https://github.com/aquasecurity/trivy/releases) every few months is acceptable. ## Test plan - [ ] `scan` job goes green on this PR — both `Install Trivy` and `Run Trivy` steps succeed. - [ ] `trivy --version` in the install step's logs reports `0.70.0`. - [ ] No regression on the `pnpm ci:audit` or `gitleaks` sub-steps of `scan`. - [ ] On `push` to main post-merge, scan stays green. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #45 |
||
|
|
6153c81602 |
fix(ci): authenticate trivy-action's github.com clone (#44)
## Summary On cache miss, `aquasecurity/trivy-action@master` falls back to `git clone https://github.com/aquasecurity/trivy` to fetch its install script. Our act_runner cache server is currently unreachable from job containers (documented as "Cache server (deferred)" in `infra/README.md`), so every CI run is a cache miss, every run does the clone, and every clone hits github.com's 60 req/h anonymous rate limit: Pass `GITHUBCOM_TOKEN` (same zero-scope github.com PAT used for Renovate) as `GITHUB_TOKEN` env on the trivy step. The action picks it up automatically and authenticates the clone, lifting the rate limit from 60 → 5 000 req/h. ## Test plan - [ ] `scan` job goes green on this PR (the trivy step in particular). - [ ] On `push` to main post-merge, scan stays green. - [ ] No regression on the audit / gitleaks sub-steps of `scan`. ## Related - The deeper fix (re-enabling the act_runner cache server so trivy gets a real cache hit and skips the clone entirely) is tracked as "Cache server (deferred)" in `infra/README.md`. Worth doing eventually; this PR is the surgical fix. - The `@master` pin on the trivy-action is also worth replacing with a tagged version (`renovate.json` will surface bumps once we lift the major-dashboard gate for it). Out of scope for this PR. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #44 |
||
|
|
3e4c580519 |
chore(deps): update pnpm/action-setup action to v6 (#37)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [pnpm/action-setup](https://github.com/pnpm/action-setup) | action | major | `v3` -> `v6` | --- ### Release Notes <details> <summary>pnpm/action-setup (pnpm/action-setup)</summary> ### [`v6`](https://github.com/pnpm/action-setup/compare/v5...v6) [Compare Source](https://github.com/pnpm/action-setup/compare/v5...v6) ### [`v5`](https://github.com/pnpm/action-setup/compare/v4...v5) [Compare Source](https://github.com/pnpm/action-setup/compare/v4...v5) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #37 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
9fbf37c2ef |
chore(deps): update actions/upload-artifact action to v7 (#28)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/upload-artifact](https://github.com/actions/upload-artifact) | action | major | `v4` -> `v7` | --- ### Release Notes <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v7`](https://github.com/actions/upload-artifact/compare/v6...v7) [Compare Source](https://github.com/actions/upload-artifact/compare/v6...v7) ### [`v6`](https://github.com/actions/upload-artifact/compare/v5...v6) [Compare Source](https://github.com/actions/upload-artifact/compare/v5...v6) ### [`v5`](https://github.com/actions/upload-artifact/compare/v4...v5) [Compare Source](https://github.com/actions/upload-artifact/compare/v4...v5) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #28 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
4244f63831 |
chore(deps): update actions/setup-node action to v6 (#27)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/setup-node](https://github.com/actions/setup-node) | action | major | `v4` -> `v6` | --- ### Release Notes <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v6`](https://github.com/actions/setup-node/compare/v5...v6) [Compare Source](https://github.com/actions/setup-node/compare/v5...v6) ### [`v5`](https://github.com/actions/setup-node/compare/v4...v5) [Compare Source](https://github.com/actions/setup-node/compare/v4...v5) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #27 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
adc14c14e0 |
chore(deps): update actions/checkout action to v6 (#26)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://github.com/actions/checkout) | action | major | `v4` -> `v6` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v6`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v602) [Compare Source](https://github.com/actions/checkout/compare/v5...v6) - Fix tag handling: preserve annotations and explicit fetch-tags by [@​ericsciple](https://github.com/ericsciple) in https://github.com/actions/checkout/pull/2356 ### [`v5`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v501) [Compare Source](https://github.com/actions/checkout/compare/v4...v5) - Port v6 cleanup to v5 by [@​ericsciple](https://github.com/ericsciple) in https://github.com/actions/checkout/pull/2301 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #26 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
f9ed3cf82a |
chore(ci): skip perf and commits gates on Renovate-authored PRs (#23)
## Summary Renovate's dep-bump PRs run the full pipeline today (`check`, `scan`, `commits`, `perf`, `a11y`). Two of those gates have near-zero signal on a typical bump and dominate the wall-clock cost: - **`perf`** — Lighthouse build + 3-iteration median across the critical-routes list. 3-5 min per PR for a metric that is essentially zero on a patch/minor dep bump (the SPA today serves the static placeholder; even with real routes a typical bump stays inside the median noise floor). - **`commits`** — re-validates commit messages that Renovate generates from a Conventional-Commits-conformant template. Tautological. Skip both when the PR author is the `apf-portal-bot` Gitea user. The `push` event on `main` still runs the full pipeline post-merge, so any regression caught by `perf` is detected seconds after merge — fast enough to revert. Net result: Renovate PRs run `check + scan + a11y` only, ≈ 4-5 min faster per PR. ## ADR amendment ADR-0017 is amended in the same change: - "Where Lighthouse CI runs" table now distinguishes human PR / bot PR / push to main / scheduled / local. - New "Pre-merge gating policy: human PRs vs bot PRs" subsection records the rationale and the human-takeover edge case. - §Confirmation entry for `perf` is reworded to reflect the conditional gate. ## Test plan - [ ] After merge, the next Renovate-triggered PR (auto-rebase or new bump) shows only `check`, `scan`, `a11y` queued — no `perf`, no `commits`. - [ ] A human-opened PR (e.g. this one) still queues all 5 gates. - [ ] On `push` to `main` post-merge, the full pipeline runs including `perf`. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #23 |
||
|
|
f58cf13e33 |
fix(ci): give Renovate a git identity and a github.com token (#13)
## Summary First successful Renovate run (after the docker-image fix in #12) extracted 116 deps cleanly but every branch update failed with `fatal: empty ident name not allowed`, then the whole repo aborted on `Lock file error - aborting`. Two root causes: - **No git identity** — the bot user had an email but no **Full Name** on its Gitea profile, so Renovate produced incomplete git authorship. - **No github.com auth** — Renovate could not look up versions of GitHub-hosted Actions (`actions/checkout`, etc.) or `containerbase/node-prebuild` (the Node binary it dynamically fetches for lockfile maintenance) — anonymous rate limit (60 req/h) hit. Fixes: 1. **`renovate.json`** — pin `gitAuthor` explicitly. The Full Name was also set on the bot's Gitea profile for UI consistency, but the override in config means we don't depend on out-of-band UI state. 2. **`.gitea/workflows/renovate.yml`** — pass `RENOVATE_GITHUB_COM_TOKEN` from the new `GITHUBCOM_TOKEN` repo secret (no underscore between GITHUB and COM — Gitea reserves the `GITHUB_*` namespace). 3. **`docs/development.md`** — onboarding procedure now covers both tokens + the Full Name step. ## Manual setup required after merge Already done in this iteration: - Bot's Full Name set in Gitea ("APF Portal Bot"). - `GITHUBCOM_TOKEN` repo secret created with a zero-scope github.com PAT. (If the PAT was leaked during setup, regenerate before merging — the workflow only references the secret name, not the value.) ## Test plan - [ ] After merge, trigger Renovate manually (Actions → Renovate → Run workflow). - [ ] No `empty ident name` warning in the logs. - [ ] No `Lock file error - aborting`; repo finishes with `INFO: Repository finished … "cloned": true`. - [ ] Renovate creates the dependency dashboard issue + the first batch of grouped PRs (Angular, Nx, NestJS, Prisma, …) signed by `apf-portal-bot`. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #13 |
||
|
|
399a14e0f4 |
fix(ci): run Renovate via official Docker image (#12)
## Summary
First Renovate run failed with `reference not found` on `renovatebot/github-action@v40` — act_runner's go-git clone couldn't resolve the major-rolling tag (whether the upstream tag is missing or it's a go-git tag-fetch quirk doesn't really matter — the wrapper action is the wrong layer to fight).
Switch to invoking the official `renovate/renovate:40` Docker image directly. The job container already has the host Docker socket mounted (per `ci-runners.compose.yml`), so the sibling `docker run` works out of the box. Renovate clones the target repo itself via API + token, so no `actions/checkout` or bind-mount is needed.
Net result:
- Decoupled from third-party action-tag resolution.
- Renovate runtime version explicitly pinned (reproducible).
- One fewer indirection to debug.
## Test plan
- [ ] After merge, trigger the workflow manually (Actions → Renovate → Run workflow).
- [ ] Job pulls `renovate/renovate:40` (~1 GB, one-time on this runner host) and runs without "reference not found".
- [ ] Renovate creates the onboarding PR ("Configure Renovate") visible in the repo's PR list, signed by `apf-portal-bot`.
---------
Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #12
|
||
|
|
82911f9319 |
chore(ci): set up Renovate dependency automation (#11)
## Summary
Wire up Renovate to keep dependencies fresh without manual triage.
- **Workflow** — `.gitea/workflows/renovate.yml`: cron daily at 03:00 UTC + `workflow_dispatch`, runs on the existing self-hosted runners. Picked 03:00 specifically so Monday's tick sits inside Renovate's default `lockFileMaintenance.schedule` ("before 4am Monday") and triggers the weekly lockfile refresh in passing.
- **Config** — `renovate.json`: `config:recommended` baseline + groupings (Angular, Nx, NestJS, Prisma, Vitest, TypeScript tooling, ESLint, SWC, Tailwind), Conventional-Commits commit messages, OSV.dev as vulnerability source, dependency dashboard issue.
- **Docs** — new §5 in `docs/development.md` covering the bot onboarding (manual, one-shot), how to trigger Renovate manually, how to review its PRs. The placeholder roadmap entry is dropped from §8.
No ADR — Renovate is operational tooling, not an architectural decision (and on Gitea it's the only viable bot anyway, no real alternative to capture).
## Manual setup required after merge
The workflow is wired but inert until the bot is onboarded once on Gitea:
1. Create a non-admin Gitea user `apf-portal-bot`.
2. Add the bot as a **Write** collaborator on this repo.
3. Sign in as the bot, generate a PAT (scopes: read/write `repository`, read/write `issue`, read `user`).
4. Add the PAT as the repo secret `RENOVATE_TOKEN` (Settings → Actions → Secrets).
Detailed steps in [`docs/development.md`](docs/development.md) → "Dependency updates (Renovate)".
## Test plan
- [ ] After bot onboarding, trigger the workflow manually (Repo → Actions → Renovate → Run workflow).
- [ ] First run creates the "Renovate Dependency Dashboard" issue and a batch of grouped PRs (Angular, Nx, …).
- [ ] Each generated PR has CI green (`check`, `scan`, `commits`, `perf`, `a11y`).
- [ ] Commit subject matches `chore(deps): …` / `fix(deps): …` so the `commits` gate doesn't reject.
---------
Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #11
|
||
|
|
f2440fbf24 |
fix(ci): disable broken pnpm cache on actions/setup-node (#8)
## Summary `act_runner`'s built-in GitHub-Actions-cache server binds inside the runner container on the compose-defined `apf-portal-act-runners` bridge. Jobs spawned via the mounted Docker socket land on Docker's default `bridge` network and can't reach it. Every job opting into `cache: 'pnpm'` ate ~2 min `ETIMEDOUT` on restore + another ~2 min on save — across the 5 jobs, ~20 min wasted per CI run for zero cache hits. Drop `cache: 'pnpm'` everywhere. `pnpm install --frozen-lockfile` is fast on the warm store inside the job container, so removing the cache layer is a net gain today. The proper fix (cross-container networking / fixed-port cache binding) is documented in `infra/README.md` → "Cache server (deferred)" so it can be picked up as an isolated infra spike later. ## Test plan - [ ] CI run on this PR: every job's `Set up Node.js` step finishes in seconds (no ETIMEDOUT warning). - [ ] `Complete job` step also finishes promptly (no `reserveCache failed` warning). - [ ] Total wall-clock time for the run should drop by ~15-20 min vs. previous runs. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #8 |
||
|
|
b7adf2e308 |
fix(ci): post-runner-image cleanup (#7)
## Summary Three follow-up fixes uncovered by the first end-to-end CI run on the self-hosted act_runner image (smoke-test PR). - **`check` job** — replace `nrwl/nx-set-shas@v4` (GitHub-API only, 404 on Gitea) with a manual shell step that derives `NX_BASE`/`NX_HEAD` from local git history (merge-base on `pull_request`, `HEAD~1` on `push`). - **`perf` job** — pin to `catthehacker/ubuntu:full-22.04` so Lighthouse CI finds a real Chrome. The default act image (`act-22.04`) is the minimal variant, ships without browsers. - **`package.json`** — declare `pnpm.onlyBuiltDependencies` to silence the "Ignored build scripts" warning and approve only the post-install hooks we actually rely on (Nx, Prisma, esbuild, swc, native watchers/resolvers). No ADR change — these are purely operational adjustments. ## Test plan - [ ] CI run on this PR: `check` and `perf` jobs both green. - [ ] No "Ignored build scripts" warning in `pnpm install` step output. - [ ] After merge, `push` event on `main` re-runs `check`, `scan`, `perf`, `a11y` cleanly (no `nx-set-shas` 404). --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #7 |
||
|
|
156e7ca2df |
chore: add PR template and document title/body convention
Formalise the PR-flow conventions while we install the PR-flow itself. .gitea/pull_request_template.md auto-populates the PR body in Gitea with five sections: Summary / Motivation / Implementation notes / Verification (with CI-gate checkboxes + ADR/diagram update flags) / Related. Sections can be left blank when irrelevant; the template guides without adding ceremony. Header HTML comment reminds the contributor of the PR title format and links to the full convention. docs/development.md §5 (Conventional commit cycle) gains a 'PR conventions' subsection that: - explains why the PR title format matters (squash-merge subject on main, validated by commitlint in the CI 'commits' job) - separates feature-branch commit hygiene (exploratory OK) from PR title hygiene (must conform) - documents the type vocabulary (feat/fix/docs/style/refactor/perf/ test/build/ci/chore/revert) - proposes an optional scope vocabulary (apps, libs, cross-cutting domains like decisions/docs/ci/deps) - describes the body template No new ADR. The PR title format is derived from ADR-0007 (Conventional Commits at the commit-msg layer) plus ADR-0015 (squash-merge means PR title becomes the commit subject on main). The body template is tactical guidance, not architectural. |
||
|
|
be7187d5f2 |
chore: scaffold Gitea Actions pipelines per ADR-0015 / ADR-0017
Wire the CI/CD pipeline scaffolding. Implements the level-2 (Gitea
Actions) part of ADR-0015 with the thin-YAML pattern, plus the perf
gate from ADR-0017. The level-1 decisions (gates list, branch model,
secrets policy) are unchanged.
Files:
- .nvmrc pins Node 24 (latest LTS major) for actions/setup-node.
- package.json gains four ci:* scripts that the workflows call:
- ci:check - 'nx affected -t format:check lint test build'
- ci:audit - 'pnpm audit --audit-level=moderate'
- ci:commits- 'commitlint --from $COMMIT_LINT_FROM --to HEAD'
- ci:perf - 'nx build portal-shell --configuration=production
&& lhci autorun --config=./lighthouserc.js'
All four runnable locally; CI workflows are thin wrappers.
- @lhci/cli added as a dev dependency for ci:perf.
- lighthouserc.js encodes the Core Web Vitals thresholds from
ADR-0017 (LCP <= 2500ms, CLS <= 0.1, TBT <= 200ms, server
response <= 800ms, Performance >= 0.9). v1 measures only the
static-served portal-shell bundle (Nx Welcome placeholder); the
critical-routes list expands as real screens land.
- .gitea/workflows/ci.yml runs five jobs on PR + push to main:
check, scan (audit + Trivy + gitleaks), commits (PR-only), perf,
a11y. The a11y job is a placeholder that no-ops with a clear
message; it wires up for real with the first Playwright e2e suite
(ADR-0016). All gates are blocking - branch protection on main
will require all five jobs green.
- .gitea/workflows/security-scheduled.yml runs weekly (Mon 04:00
UTC) for full-tree Trivy + gitleaks (no severity filter, no
skip-dirs - broader than per-PR) plus a Lighthouse run against
the prod URL when vars.LHCI_PROD_URL is set.
Slight deviation from ADR-0015 §'Level 2': Trivy and gitleaks are
binaries (Go) and don't have clean npm wrappers, so they are
invoked through their official Gitea-Actions-compatible actions
inside the YAML rather than via 'pnpm ci:scan'. The high-level
decision (gates: audit + secret-scan + dep-scan) is unchanged; the
script/action boundary is shifted by one tool. Documented here for
traceability; no ADR amendment needed.
Operational TODOs (not blocking the scaffold):
- pnpm audit currently reports 6 moderate transitive vulnerabilities
(ajv, brace-expansion, yaml, @hono/node-server, follow-redirects,
uuid) in deep deps of Nx/Angular plugins. CI will fail on this
gate until upstream updates land or Renovate bumps; expected and
documented.
- act_runner self-hosted instances are not yet registered against
the Gitea organisation; the workflows reference [self-hosted,
on-prem] runner labels per ADR-0015. CI will not actually execute
until the runners are up - that's an infra task.
- Branch protection rules on main (require all five jobs green) are
configured in Gitea UI, not in this commit.
- Lighthouse-prod scheduled job runs only when vars.LHCI_PROD_URL
is set - skipped silently otherwise. To be configured once a prod
environment exists.
|