ci: add secret scanning workflow#6

Merged
albiol2004 merged 2 commits into albiol2004:main from AtilaVG:mimir-secret-scan-ci on Jun 1, 2026
Conversation

@AtilaVG AtilaVG commented Jun 1, 2026

Contributor

What does this PR do

This PR adds a dedicated secret scanning workflow using Gitleaks.

It also keeps the redaction tests free from complete token-shaped literals, so secret scanners do not flag fake test fixtures as leaked credentials.

Why

Athen handles provider keys, GitHub identities, Telegram settings, email credentials, web-search keys, and other sensitive configuration.

Adding a lightweight secret scanning check helps catch accidentally committed credentials early, before they reach main.

Changes

  • Add .github/workflows/secret-scan.yml.
  • Run Gitleaks on pushes and pull requests targeting main.
  • Use read-only repository permissions.
  • Keep checkout history available with fetch-depth: 0.
  • Adjust redaction test fixtures so they build token-like strings at runtime instead of storing complete fake token-shaped literals.

Scope

  • No runtime behavior changed.
  • No application code path changed.
  • No redaction behavior changed.
  • CI-only hardening plus test fixture cleanup.

Notes

This PR intentionally does not add a custom allowlist yet. If Gitleaks reports legitimate false positives, they should be reviewed individually and allowlisted narrowly rather than broadly disabling rules.
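Added example, not the workflow file from this PR: a GitHub Actions workflow with the settings the description lists (push and pull_request on main, read-only permissions, full-history checkout). It assumes the public `gitleaks/gitleaks-action@v2` action and `actions/checkout@v4`; the job name and file layout are assumptions.

```yaml
name: secret-scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Read-only token: scanning only needs to read the repository, so a
# compromised or misbehaving step cannot push or alter releases.
permissions:
  contents: read

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history: a default shallow clone would only expose HEAD,
          # and a secret committed and later removed would go unnoticed.
          fetch-depth: 0

      - uses: gitleaks/gitleaks-action@v2
        env:
          # Used by the action to report results on the run; no extra
          # repository secret is required for this configuration.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

If a scan later reports a false positive, a repository `.gitleaks.toml` can allowlist the single path or fingerprint involved, which keeps rules enabled for everything else.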

@albiol2004 albiol2004 merged commit 9cf14ef into albiol2004:main Jun 1, 2026
5 checks passed