ci: add gitleaks secret scanning #82
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 98f1afbc6d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
Pass the required Gitleaks org license
This repository is under the getnodus organization (package.json points to github.com/getnodus/context and CODEOWNERS uses the @getnodus/engineering team), and gitleaks-action requires GITLEAKS_LICENSE for organization-owned repos. Because the workflow only passes GITHUB_TOKEN, every push/PR run in this org context will fail before performing the scan unless GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} is provided or a scanner without that requirement is used.
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - uses: gitleaks/gitleaks-action@v2 |
Use the Node 24 Gitleaks action
This new workflow pins gitleaks/gitleaks-action@v2, whose action metadata uses Node 20; gitleaks-action's migration notes say Node 20 actions now need an insecure opt-out to keep running and will stop on GitHub-hosted runners later in 2026. Since this workflow runs on ubuntu-latest for every push/PR, it can become a failing CI job instead of a secret scan; update to gitleaks/gitleaks-action@v3 and the matching actions/checkout@v6 used elsewhere in the repo.
gitleaks/gitleaks-action@v2 requires a paid GITLEAKS_LICENSE for organization repositories and would fail in CI. Switch to the same curl-based gitleaks binary approach used by the other getnodus repos (leo, outreach, solo) so the "Scan for secrets" check actually runs and satisfies the branch ruleset. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
💡 Codex Review
Reviewed commit: 3163e2d1b0
| sudo mv gitleaks /usr/local/bin/ | ||
|
|
||
| - name: Run Gitleaks | ||
| run: gitleaks detect --source . --log-opts="HEAD~50..HEAD" --redact --exit-code 1 |
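Review bot: the binary moved into place at `sudo mv gitleaks /usr/local/bin/` is fetched with curl (per the commit message), and nothing shown verifies what was downloaded before it is run with sudo privileges on every push and PR; pin the gitleaks release version and check the archive against the published checksum (for example `sha256sum -c` against the release checksums file) before the `mv`, so a changed or tampered download fails the job instead of becoming the scanner that decides whether secrets are reported.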
Scan the pushed range instead of a fixed tail
Gitleaks documents --log-opts as the options used for git log -p, so HEAD~50..HEAD only inspects the latest 50 commits on a linear push. When a new branch or force-push contains more than 50 new commits, a secret introduced and later removed before that cutoff is still present in the pushed history but this workflow will pass without reporting it; use the event's pushed range/base range or a full scan/baseline instead of a fixed tail.
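The review above argues that a fixed `HEAD~50..HEAD` tail misses secrets in larger pushes. The script below is an added example (not code from this PR or the getnodus repos) of deriving the `--log-opts` range from the triggering event instead: for a push it scans `before..after`, for a pull request it scans `origin/<base>..HEAD`, and whenever the range is not meaningful (new branch, force-push, manual trigger) it falls back to a full-history scan. The caller is assumed to pass the event name and SHAs from the workflow context (`GITHUB_EVENT_NAME`, `${{ github.event.before }}`, `${{ github.event.after }}`, `GITHUB_BASE_REF`); `run_scan` is a hypothetical wrapper that expects a `gitleaks` binary on PATH and a checkout made with `fetch-depth: 0`.

```shell
#!/bin/sh
# Added example: choose the gitleaks scan range from the GitHub event rather
# than a fixed commit tail. POSIX sh so it runs under dash and bash alike.
set -eu

# GitHub sends all-zero "before" SHAs for pushes that create a branch.
ZERO_SHA="0000000000000000000000000000000000000000"

# scan_range EVENT BEFORE AFTER [BASE_REF]
# Prints the git range gitleaks should inspect, or nothing for a full scan.
scan_range() {
  event="$1"; before="$2"; after="$3"; base_ref="${4:-}"
  case "$event" in
    pull_request)
      # A PR is judged on everything the head adds on top of the base branch.
      if [ -z "$base_ref" ]; then
        printf '\n'
      else
        printf 'origin/%s..%s\n' "$base_ref" "$after"
      fi
      ;;
    push)
      # Branch creation (zero SHA) or an unknown "before": no usable range.
      if [ -z "$before" ] || [ "$before" = "$ZERO_SHA" ]; then
        printf '\n'
      else
        printf '%s..%s\n' "$before" "$after"
      fi
      ;;
    *)
      # workflow_dispatch, schedule, etc.: scan the whole history.
      printf '\n'
      ;;
  esac
}

# gitleaks_args RANGE
# Prints the argument list for `gitleaks detect`; an empty RANGE means the
# full git history is scanned (gitleaks' default when --log-opts is absent).
gitleaks_args() {
  range="$1"
  if [ -n "$range" ]; then
    printf 'detect --source . --redact --exit-code 1 --log-opts=%s\n' "$range"
  else
    printf 'detect --source . --redact --exit-code 1\n'
  fi
}

# run_scan EVENT BEFORE AFTER [BASE_REF]
# Resolves the range, guards against a force-push that rewrote history, and
# invokes gitleaks. Hypothetical wrapper; assumes gitleaks is on PATH.
run_scan() {
  range="$(scan_range "$@")"
  if [ -n "$range" ]; then
    range_start="${range%%..*}"
    range_end="${range##*..}"
    # After a force-push "before" is no longer an ancestor of "after", so the
    # range would silently skip the rewritten commits: fall back to a full scan.
    if ! git merge-base --is-ancestor "$range_start" "$range_end" 2>/dev/null; then
      echo "range $range is not linear (force-push?); scanning full history" >&2
      range=""
    fi
  fi
  # Word-splitting is intended here: gitleaks_args emits space-separated flags
  # and none of the values contain whitespace.
  # shellcheck disable=SC2046
  gitleaks $(gitleaks_args "$range")
}

# Usage from a workflow step (values taken from the event context):
#   run_scan "$GITHUB_EVENT_NAME" "${{ github.event.before }}" \
#            "${{ github.event.after }}" "${GITHUB_BASE_REF:-}"
```

The ancestor check is what makes the push branch safe: a plain `before..after` looks correct in the log but is empty or wrong once `before` has been rewritten away, which is exactly the case the review flags. Scanning full history on those events costs more CI time but never passes a pushed secret unseen.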
Adds Gitleaks secret scanning on every push and PR.