
ci: add gitleaks secret-scan job to ci.yml #124

Open
don-petry wants to merge 2 commits into main from claude/issue-96-20260419-1649

Conversation

@don-petry
Contributor

Summary

  • Adds the required secret-scan job to ci.yml per the push-protection standard
  • Uses gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 (v2.3.9), SHA-pinned per Action Pinning Policy
  • fetch-depth: 0 to scan full git history; --redact to keep secrets out of logs; --exit-code 1 to fail the build on findings
  • Adds .gitleaksignore with fingerprints for 7 confirmed false-positive findings in historical commit 865de69b (documentation paths containing "api-key" substring, not real credentials)

Why previous PRs did not close the issue

Test plan

  • CI secret-scan job passes (gitleaks finds no real secrets)
  • .gitleaksignore suppresses the 7 known false positives from commit 865de69b
  • Compliance audit check secret_scan_ci_job_present passes on next run

Closes #96

Generated with Claude Code

Adds the required `secret-scan` job per the push-protection standard
(petry-projects/.github/standards/push-protection.md#required-ci-job).

- Uses `gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7` (v2.3.9)
  — compliance audit checks for `uses: gitleaks/gitleaks-action@` pattern
- SHA-pinned per Action Pinning Policy (ci-standards.md)
- `fetch-depth: 0` to scan full git history
- `--redact` to prevent leaked values appearing in workflow logs
- `--exit-code 1` to fail the build on any finding
- Adds `.gitleaksignore` with fingerprints for 7 confirmed false-positive
  findings in commit 865de69 (documentation paths containing "api-key")

Closes #96

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
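The PR description above lists the controls the job depends on: a `uses:` reference pinned to a full commit SHA with the version in a comment, `fetch-depth: 0` on the checkout, and `GITLEAKS_LICENSE` supplied from the secrets context. The audit below is an added example for this discussion, not the project's code and not the compliance audit tool the PR refers to; the workflow text is a constructed stand-in for ci.yml (its checkout step is deliberately tag-pinned so there is something to flag) and the check names are chosen here. It uses only the standard library so it runs without PyYAML; the checks are line-oriented, which is enough for `uses:` lines, `fetch-depth` and a secret reference.

```python
"""Audit a GitHub Actions workflow for the controls a gitleaks secret-scan job relies on.

Added example; not the project's code and not the compliance audit the PR mentions.
The workflow text is a constructed stand-in for ci.yml.
"""
import re

# Constructed sample: the gitleaks step is pinned to a commit SHA with the
# version recorded in a trailing comment, while the checkout step is pinned
# to a mutable tag so the audit has something to flag.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run gitleaks
        # Pinned to SHA per Action Pinning Policy
        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
"""

# `uses: owner/repo@ref` with an optional trailing `# version` comment.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)(?:[ \t]*#[ \t]*(\S+))?", re.M)
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")


def split_ref(uses: str):
    """'owner/repo@ref' -> ('owner/repo', 'ref'); a missing '@' yields an empty ref."""
    action, sep, ref = uses.partition("@")
    return action, (ref if sep else "")


def is_sha_pinned(ref: str) -> bool:
    """Only a full 40-hex commit SHA is immutable; tags and branches can be moved."""
    return bool(SHA40_RE.fullmatch(ref))


def audit_workflow(text: str) -> dict:
    pinned, unpinned = {}, []
    for uses, version in USES_RE.findall(text):
        if uses.startswith("./"):
            continue  # local action, versioned with the repository itself
        action, ref = split_ref(uses)
        if is_sha_pinned(ref):
            pinned[action] = (ref, version or None)
        else:
            unpinned.append(uses)
    return {
        "pinned": pinned,
        "unpinned": unpinned,
        # Same textual pattern the PR says the compliance audit looks for.
        "secret_scan_ci_job_present": bool(
            re.search(r"uses:[ \t]*gitleaks/gitleaks-action@", text)),
        # Without full history gitleaks only sees the checked-out commit.
        "full_history_checkout": bool(re.search(r"fetch-depth:[ \t]*0\b", text)),
        # The license must come from the secrets context, never a literal in the file.
        "license_from_secrets": bool(re.search(
            r"GITLEAKS_LICENSE:[ \t]*\$\{\{\s*secrets\.GITLEAKS_LICENSE\s*\}\}", text)),
    }


def audit_passes(result: dict) -> bool:
    return (not result["unpinned"]
            and result["secret_scan_ci_job_present"]
            and result["full_history_checkout"]
            and result["license_from_secrets"])


if __name__ == "__main__":
    res = audit_workflow(SAMPLE_WORKFLOW)
    for action, (sha, version) in res["pinned"].items():
        print(f"pinned   {action}@{sha} ({version or 'no version comment'})")
    for uses in res["unpinned"]:
        print(f"UNPINNED {uses}")
    print("pass" if audit_passes(res) else "fail")
```

On the sample the gitleaks step is reported as pinned with version `v2.3.9`, `actions/checkout@v4` is reported as unpinned, and the audit fails until that reference is replaced by a commit SHA; the three presence checks all hold. Keeping the version comment next to the SHA is what lets a reviewer confirm the pin matches a real release without resolving it by hand.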
Copilot AI review requested due to automatic review settings April 19, 2026 16:53
@coderabbitai

coderabbitai Bot commented Apr 19, 2026

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes and 47 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 13 minutes and 47 seconds.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c3d28119-65b9-4e14-afd7-31146a77727d

📥 Commits

Reviewing files that changed from the base of the PR and between f9d9937 and 5468c52.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .gitleaksignore

gitleaks-action v2 requires GITLEAKS_LICENSE for organization repos.
Add it as a secret reference so the job passes once the secret is
configured at org or repo level.

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

@don-petry
Contributor Author

CI Status: Action Required

The secret-scan job fails because gitleaks-action v2 requires a GITLEAKS_LICENSE key for organization repos.

What's needed

Set the GITLEAKS_LICENSE secret at the org level (preferred, so all repos benefit) or at the repo level:

  1. Get a free license at gitleaks.io — it's free for open-source/personal-use org repos
  2. Add it as a GitHub secret named GITLEAKS_LICENSE:
    • Org level: Settings → Secrets and variables → Actions → New organization secret
    • Repo level: Settings → Secrets and variables → Actions → New repository secret

What this PR does

  • Adds secret-scan job to ci.yml using gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 (v2.3.9, SHA-pinned)
  • Adds .gitleaksignore with fingerprints for 7 confirmed false-positive findings in commit 865de69b
  • The compliance audit check secret_scan_ci_job_present will pass once this PR is merged (it looks for the uses: gitleaks/gitleaks-action@ pattern in ci.yml)

Once GITLEAKS_LICENSE is configured, re-running the CI job will pass.
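The `.gitleaksignore` entries mentioned in the PR description and in the comment above are fingerprints of findings a human has reviewed and declared false positives. The script below is an added example of producing those entries from a gitleaks JSON report; it is not the PR's or gitleaks' own code. The report is a constructed stand-in for `gitleaks detect --report-format json` output with made-up commit SHAs and paths (the AWS key is Amazon's documented example key). The fingerprint layout `commit:file:rule-id:line` is the one gitleaks writes in the report's `Fingerprint` field and reads back from `.gitleaksignore`; the `#` comment lines are assumed to be skipped by the gitleaks version in use, as recent v8 releases do, so drop them if yours does not.

```python
"""Triage a gitleaks JSON report into .gitleaksignore fingerprints.

Added example; not the PR's or gitleaks' own code. SAMPLE_REPORT is constructed.
"""
import json

SAMPLE_REPORT = json.dumps([
    {   # documentation that merely contains the substring "api-key"
        "RuleID": "generic-api-key", "File": "docs/auth.md", "StartLine": 12,
        "Commit": "0123456789abcdef0123456789abcdef01234567",
        "Match": "api-key: rotate-every-90-days",
        "Secret": "rotate-every-90-days",
        "Fingerprint": "0123456789abcdef0123456789abcdef01234567:docs/auth.md:generic-api-key:12",
    },
    {   # a credential-shaped value in source: needs a human, not an ignore line
        "RuleID": "aws-access-token", "File": "src/deploy.py", "StartLine": 3,
        "Commit": "89abcdef0123456789abcdef0123456789abcdef",
        "Match": "AWS_ACCESS_KEY_ID = \"AKIAIOSFODNN7EXAMPLE\"",
        "Secret": "AKIAIOSFODNN7EXAMPLE",
        "Fingerprint": "89abcdef0123456789abcdef0123456789abcdef:src/deploy.py:aws-access-token:3",
    },
])


def fingerprint(f: dict) -> str:
    """Prefer the report's own field; rebuild it for reports that lack one."""
    if f.get("Fingerprint"):
        return f["Fingerprint"]
    parts = [f["File"], f["RuleID"], str(f["StartLine"])]
    if f.get("Commit"):  # no-git (filesystem) scans have no commit component
        parts.insert(0, f["Commit"])
    return ":".join(parts)


def redact(secret: str) -> str:
    """Log-safe rendering in the spirit of --redact: never echo the value itself."""
    return f"REDACTED({len(secret)} chars)"


def triage(report_json: str, approved: dict):
    """approved maps fingerprint -> reviewer's reason for calling it a false positive.

    Returns (.gitleaksignore text, list of redacted one-line summaries for
    everything still open). Raises on an approved fingerprint that is not in
    the report, which is usually a typo that would otherwise silently ignore nothing.
    """
    findings = json.loads(report_json)
    seen = {fingerprint(f): f for f in findings}
    unknown = set(approved) - set(seen)
    if unknown:
        raise ValueError(f"approved fingerprints not in report: {sorted(unknown)}")
    ignore_lines, open_findings = [], []
    for fp, f in seen.items():
        if fp in approved:
            ignore_lines.append(f"# {approved[fp]}")
            ignore_lines.append(fp)
        else:
            open_findings.append(
                f"{f['RuleID']} {f['File']}:{f['StartLine']} secret={redact(f['Secret'])}")
    return "\n".join(ignore_lines) + ("\n" if ignore_lines else ""), open_findings


if __name__ == "__main__":
    APPROVED = {
        "0123456789abcdef0123456789abcdef01234567:docs/auth.md:generic-api-key:12":
            "docs: policy text matched 'api-key', no credential present",
    }
    ignore_text, still_open = triage(SAMPLE_REPORT, APPROVED)
    print(ignore_text, end="")
    for line in still_open:
        print("OPEN", line)
```

Run on the sample, the documentation hit becomes one commented fingerprint line for `.gitleaksignore`, while the AWS-shaped value stays open and is printed only in redacted form, which is the same reason the CI job passes `--redact`: a secret that reaches a build log has already leaked once more. Requiring an explicit reason per approved fingerprint keeps the ignore file reviewable later, and rejecting fingerprints absent from the report catches the common mistake of an ignore entry that matches nothing.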


Copilot AI left a comment


Pull request overview

Adds a required CI secret-scanning job to bring the repository in line with the org push-protection standard and suppresses known historical false positives.

Changes:

  • Added a new secret-scan job in CI using SHA-pinned gitleaks/gitleaks-action and full-history checkout.
  • Added .gitleaksignore entries to suppress 7 reviewed false positives from a historical commit.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File | Description
.github/workflows/ci.yml | Introduces the secret-scan job running gitleaks in CI (full history, fail on findings).
.gitleaksignore | Adds fingerprints to ignore known false-positive matches in historical content.


Comment thread .github/workflows/ci.yml
fetch-depth: 0

- name: Run gitleaks
# Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).

Copilot AI Apr 19, 2026


The inline doc reference ci-standards.md#action-pinning-policy is not resolvable within this repo (there is no ci-standards.md here). To avoid broken/ambiguous guidance, point this comment at the actual source (e.g., a full URL to petry-projects/.github/.../ci-standards.md#action-pinning-policy or a local doc path that exists).

Suggested change
# Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Pinned to SHA per Action Pinning Policy
# (https://github.com/petry-projects/.github/blob/main/ci-standards.md#action-pinning-policy).

@github-actions
Contributor

Auto-rebase blocked — the base branch contains .github/workflows/ changes that require the workflows permission to merge into this branch, but the auto-rebase workflow's token does not have that permission.

Please rebase this branch manually:

git fetch origin
git rebase origin/main
git push --force-with-lease


Development

Successfully merging this pull request may close these issues.

Compliance: secret_scan_ci_job_present
