From d1466f307e70a285f3ffda731f71874bc7e870fc Mon Sep 17 00:00:00 2001
From: jakub
Date: Tue, 5 May 2026 12:59:20 +0100
Subject: [PATCH] chore: replace fingerprint-based gitleaks ignore with path allowlist
The previous .gitleaksignore entry pinned the dummy test private key by commit fingerprint, which broke whenever history was rewritten (squash merge of #7 invalidated 6f4c6ff -> 8a37048, which is what triggered the post-merge failure on main). Replace with a .gitleaks.toml that extends the default rules and allowlists the path of the committed test fixture. This stays correct across squash merges, rebases, and force-pushes because it does not reference commit hashes. .gitleaksignore is removed; .gitleaks.toml fully supersedes it.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitleaks.toml | 10 ++++++++++
 .gitleaksignore | 1 -
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 .gitleaks.toml
 delete mode 100644 .gitleaksignore
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..26993f9
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,10 @@
+title = "minimalx .github gitleaks config"
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Committed test fixtures that are intentionally non-secret"
+paths = [
+ '''actions/sign-firmware/tests/dummy_private_key\.pem''',
+]
diff --git a/.gitleaksignore b/.gitleaksignore
deleted file mode 100644
index bcea93a..0000000
--- a/.gitleaksignore
+++ /dev/null
@@ -1 +0,0 @@
-6f4c6ffaf316f20ecc539f8e437ea9ce629e5cda:actions/sign-firmware/tests/dummy_private_key.pem:private-key:1
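Review bot: The `paths` entry in `[allowlist]` of `.gitleaks.toml` is an unanchored regex, so it also exempts any path that merely contains that string, such as a copy of the fixture under another directory or a `dummy_private_key.pem.bak` next to it; anchor it as `'''^actions/sign-firmware/tests/dummy_private_key\.pem$''',`. The path allowlist is also broader than the fingerprint it replaces: the removed `.gitleaksignore` line covered only the `private-key` rule on line 1 at one commit, while this entry silences every rule for that file at every commit, so real key material later written to that path would pass the scan unnoticed. A comment above `paths` would make the intent reviewable, for example `# Throwaway key generated for tests only; must never be replaced with real key material.`, assuming that matches how the fixture was created. If the gitleaks version pinned in CI supports rule-scoped allowlists, limiting this entry to the `private-key` rule would keep the other default rules active on the file.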