
chore: switch gitleaks to path allowlist (drop fingerprint ignore) #8

Merged. JakubMini merged 1 commit into main from fix/gitleaks-ignore-after-squash on May 5, 2026.

Conversation

JakubMini (Contributor) commented May 5, 2026

Summary

  • Replace the brittle fingerprint-based `.gitleaksignore` entry with a path-based allowlist in a new `.gitleaks.toml`.
  • The fingerprint approach broke whenever history was rewritten — that's what failed the post-merge gitleaks run on main after PR #7 (feat: sign-firmware action (Ed25519, Phase 1)) was squash-merged (`6f4c6ff` no longer reachable, `8a37048` was the new commit).
  • The path allowlist stays correct across squash merges, rebases, and force-pushes because it does not reference commit hashes.

Files

  • New: `.gitleaks.toml` — extends default rules, allowlists `actions/sign-firmware/tests/dummy_private_key.pem`.
  • Removed: `.gitleaksignore` — superseded.

Test plan

  • gitleaks job on this PR passes (proves both that the TOML parses and that the allowlist works)
  • After merge, gitleaks workflow on main runs green

🤖 Generated with Claude Code

🐛 Bug Fixes

Fixed gitleaks configuration breaking after squash merges

The previous .gitleaksignore entry pinned the dummy test private
key by commit fingerprint, which broke whenever history was
rewritten (squash merge of #7 invalidated 6f4c6ff -> 8a37048,
which is what triggered the post-merge failure on main).

Replace with a .gitleaks.toml that extends the default rules and
allowlists the path of the committed test fixture. This stays
correct across squash merges, rebases, and force-pushes because
it does not reference commit hashes.

.gitleaksignore is removed; .gitleaks.toml fully supersedes it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
JakubMini force-pushed the fix/gitleaks-ignore-after-squash branch from be430c1 to d1466f3 on May 5, 2026 12:01
JakubMini changed the title from "chore: update gitleaks fingerprint after PR #7 squash merge" to "chore: switch gitleaks to path allowlist (drop fingerprint ignore)" on May 5, 2026
JakubMini merged commit 3c749e5 into main on May 5, 2026
1 of 2 checks passed
coderabbitai (Bot) commented May 5, 2026

Caution: Review failed. The pull request is closed.

Commits: reviewing files that changed from the base of the PR and between 8a37048 and d1466f3.

Files selected for processing (2):
  • .gitleaks.toml
  • .gitleaksignore


Walkthrough

This change replaces a .gitleaksignore entry with a .gitleaks.toml configuration. The new .gitleaks.toml enables Gitleaks’ default rules (extend.useDefault = true) and adds an allowlist entry for the committed test fixture at actions/sign-firmware/tests/dummy_private_key\.pem. The prior ignore line for that path was removed. The update centralizes secret-scan settings into a TOML configuration file consistent with typical tooling configuration practices and coding standards for explicit allowlisting.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


1 participant