
chore(ci) move personal identity patterns to repo secret#109

Merged
jkeeley2073 merged 1 commit into main from Dev-SanitizationPatternsToSecrets on May 8, 2026

Conversation

@jkeeley2073 (Contributor)

Summary

Move the two hardcoded personal-identity patterns (jim@earlybird and @earlybirdsolutions literals) out of the public .github/workflows/sanitization.yml and into a new PERSONAL_IDENTITY_PATTERN repo secret, mirroring the existing WORK_EMAIL_PATTERN precedent. Why: any future doc that describes the workflow's own ruleset would otherwise have to mask the literals — the @-masking remediation in PR #101 (DL-0004) was the original incident, and architectural follow-up #1 from the 2026-05-08 late-evening handoff queued this cleanup.

The inline ERE-validation + skip-when-unset block is extracted into a single run_secret_rule bash helper so PERSONAL_IDENTITY_PATTERN and WORK_EMAIL_PATTERN flow through one validated implementation rather than duplicating the ~25-line incantation across two callsites. The errexit / pipefail / || pattern_rc=$? interaction is subtle (one tested path is safer than two parallel copies). Behavior preserved end-to-end: warn-and-skip when the secret is unset, fail-with-clear-error on a malformed ERE, run the rule otherwise.

Operator step required pre- or at-merge

Set PERSONAL_IDENTITY_PATTERN in repo Settings → Secrets and variables → Actions, value the OR-ed ERE for the personal email + domain (e.g. name@host|@domain). Until set, the personal-identity scan emits a workflow warning rather than enforcing the rule. To minimise the unguarded window: set the secret immediately before merge, or as the first action after merge.

Test Plan

DL-0004 local-verification protocol against the new run_secret_rule helper (the rule must not be exercised on a remote branch — pushing trigger literals leaks via the ~90-day GitHub reflog). Behaviour-tested four cases against a stubbed run_rule:

| Case | Pattern input | Expected | Observed |
|------|---------------|----------|----------|
| 1 | empty (secret unset) | ::warning emitted, fail unchanged | ✅ matches |
| 2 | valid ERE name@host\|@domain | run_rule invoked | ✅ matches |
| 3 | malformed ERE [unbalanced | ::error emitted, fail=1 | ✅ matches |
| 4 | valid ERE that matches no input | run_rule invoked, no error | ✅ matches |

Additional checks:

  • python -c "import yaml; yaml.safe_load(open('.github/workflows/sanitization.yml'))" — YAML parses cleanly.
  • bash -n against the extracted run-block — no syntax errors.
  • Repo-wide grep for jim@earlybird and @earlybirdsolutions — zero matches anywhere (workflow file no longer contains them; no other file ever did).

Out of Scope

  • The workflow is not exercised against the actual real-world PERSONAL_IDENTITY_PATTERN value here — the value lives only in the repo secret per DL-0004. CI on this PR will run with the secret either set or unset; either is a valid post-merge state.
  • The literal JungleTech rule at L141 stays hardcoded — it's not personally-identifying and the prior-client-name guard is already documented inline.
  • No further refactor of the bash to use case-flag-as-parameter on run_secret_rule. Both current secret rules want -i; if a third secret-sourced rule lands that needs case-sensitivity, generalise then.

Checklist

  • CI is green (build + test + coverage + CodeQL + sanitization)
  • PR title follows the Conventional Commits format above
  • If this is a new architectural decision, an ADR has been added under docs/adr/ — N/A (small infra cleanup, not architectural)
  • If user-visible behavior changes, README.md and/or docs/ are updated in the same PR — N/A (CI-only change)
  • If a memory in ~/.claude/projects/c--projects-PinballWizard/memory/ is now stale, it has been updated or removed in the same PR — handled in next session-handoff entry
  • No TODO / FIXME / commented-out code committed
  • No new entries in <NoWarn> without a comment explaining why and the removal criterion — N/A

Pre-push self-audit (additive PRs)

Step 0 — /local-review (qualitative)

  • Ran /local-review and addressed every 🔴 finding before push
  • Local review outcome: 0 🔴 / 2 ⚠️ / 8 categories ✅. Both ⚠️ are operational, not code: (a) record DL-0004 verification in the PR body — done in the Test Plan above; (b) set PERSONAL_IDENTITY_PATTERN repo secret pre- or at-merge — called out in Summary.

Step 1 — Mechanical checklist

  • Every new *Options property has at least one real getter call in src/ — N/A (no *Options class added; two env vars added, both read at sanitization.yml L150 + L158)
  • Sibling-diffed against the closest existing implementation; drift is justified or removed — extracted helper preserves WORK_EMAIL_PATTERN behaviour; warn-message wording change from "Personal-email rules above continue to run regardless" to "Other rules continue to run regardless" is intentional (the message is now generic across both secret-sourced rules)
  • No bare catch { } — N/A (YAML/bash only)
  • New ISourceScraper? — N/A
  • Tests assert behavior, not just structure — DL-0004 verification protocol covers the four behaviour paths; see Test Plan above
  • Build is zero-warning — N/A (workflow YAML only, no compiled code touched)
  • git log -1 --format='%an <%ae>' shows personal noreply, not work email — Jim Keeley <94459922+jkeeley2073@users.noreply.github.com>

The two hardcoded personal-identity patterns in sanitization.yml
(jim@earlybird and @earlybirdsolutions literals) become a single
secret-sourced PERSONAL_IDENTITY_PATTERN rule, mirroring the
existing WORK_EMAIL_PATTERN precedent. Eliminates the recursive-trap
risk where any future doc that needs to reference the rule itself
would have to mask the literal — the @-masking remediation in PR #101
was the original incident, and follow-up #1 from the 2026-05-08
late-evening handoff queued this cleanup.

The inline ERE-validation + skip-when-unset block is extracted into
a single run_secret_rule helper so PERSONAL_IDENTITY_PATTERN and
WORK_EMAIL_PATTERN share one validated implementation rather than
duplicating the ~25-line bash incantation (errexit / pipefail /
|| pattern_rc=$? interaction is subtle — one tested path is safer
than two parallel ones). Behavior preserved: warn-and-skip when the
secret is unset, fail-with-clear-error on a malformed ERE, run the
rule otherwise.

Operator step required pre- or at-merge: set
PERSONAL_IDENTITY_PATTERN in repo Settings -> Secrets and variables
-> Actions, value the OR-ed ERE for the personal email + domain.
Until set, the personal-identity scan emits a workflow warning
rather than enforcing the rule, so the maintainer should set the
secret and the unguarded window stays minimal.
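A stand-alone model of the run_secret_rule helper that the Summary and the commit message describe, exercised against the four cases from the Test Plan. This is an added example written for this page, not the project's sanitization.yml or its run_rule; the helper's argument order (label, then pattern), the stubbed run_rule, and the INVOKED and fail variable names are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow code: a stand-alone model of the
# run_secret_rule helper the PR describes, with run_rule stubbed as in the
# DL-0004 protocol. Argument order, the stub, and the INVOKED/fail variable
# names are assumptions made for this example.
set -eu
# pipefail is a bash option; enable it only where the shell supports it.
(set -o pipefail) 2>/dev/null && set -o pipefail

INVOKED=""   # patterns the stubbed rule runner was called with, ';'-separated
fail=0       # workflow failure flag the helper raises on a malformed ERE

# Stub for the real scanning rule: record the pattern instead of grepping the repo.
run_rule() {
  INVOKED="${INVOKED}${1};"
}

# Compile-check an ERE against no input at all. grep exits 2 when the pattern
# itself is invalid and 0/1 when it compiled (matched / did not match).
validate_ere() {
  local pattern=$1
  local rc=0
  # Under errexit a non-zero grep would abort the whole job right here;
  # `|| rc=$?` captures the status instead, which is the subtle
  # errexit / pipefail / `|| pattern_rc=$?` interaction the PR notes.
  grep -E -q -e "$pattern" </dev/null 2>/dev/null || rc=$?
  [ "$rc" -ne 2 ]
}

# run_secret_rule LABEL PATTERN
#   empty PATTERN  -> ::warning, rule skipped, fail unchanged
#   malformed ERE  -> ::error, fail=1, rule not run
#   otherwise      -> run_rule PATTERN
run_secret_rule() {
  local label=$1
  local pattern=${2-}
  if [ -z "$pattern" ]; then
    printf '::warning::%s is not set; skipping this rule. Other rules continue to run regardless.\n' "$label"
    return 0
  fi
  if ! validate_ere "$pattern"; then
    printf '::error::%s is not a valid extended regular expression; fix the repo secret.\n' "$label"
    fail=1
    return 0
  fi
  run_rule "$pattern"
}

# The four cases from the PR's test plan, driven against the stub.
demo() {
  fail=0; INVOKED=""
  run_secret_rule PERSONAL_IDENTITY_PATTERN ""                    # case 1
  run_secret_rule PERSONAL_IDENTITY_PATTERN 'name@host|@domain'   # case 2
  run_secret_rule WORK_EMAIL_PATTERN '[unbalanced'                # case 3
  run_secret_rule WORK_EMAIL_PATTERN 'no-such-token-xyz'          # case 4
  printf 'fail=%s invoked=%s\n' "$fail" "$INVOKED"
}
demo
```

Run it with `bash` (or a POSIX `sh`); the demo prints the ::warning and ::error annotation lines exactly as a GitHub Actions step would surface them, then the final fail flag and the patterns that reached the stub. In a real workflow step the two secrets would reach these variables through the step's `env:` mapping from `secrets.*`; the point of the single helper is that the unset, malformed and valid paths are exercised once rather than maintained in two copies.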
jkeeley2073 merged commit b400d68 into main on May 8, 2026
4 checks passed