forked from molecule-ai/molecule-core
[Molecule-Platform-Evolvement-Manager]

## What was breaking

Two distinct failure modes in `.github/workflows/secret-scan.yml`, both visible after PR #2115 / #2117 hit the merge queue:

1. **`merge_group` events**: the script reads `github.event.before / after` to determine BASE/HEAD. Those properties only exist on `push` events. On `merge_group` events both came back empty, the script fell through to "no BASE → scan entire tree" mode, and false-positived on `canvas/src/lib/validation/__tests__/secret-formats.test.ts`, which contains a `ghp_xxxx…` literal as a masking-function fixture. (Run 24966890424 — exit 1, "matched: ghp_[A-Za-z0-9]{36,}".)
2. **`push` events with shallow clone**: `fetch-depth: 2` doesn't always cover BASE across true merge commits. When BASE is in the payload but absent from the local object DB, `git diff` errors out with `fatal: bad object <sha>` and the job exits 128. (Run 24966796278 — push at 20:53Z merging #2115.)

## Fixes

- Add a dedicated fetch step for `merge_group.base_sha` (mirrors the existing pull_request base fetch) so the diff base is in the object DB before `git diff` runs.
- Move event-specific SHAs into a step `env:` block so the script uses a clean `case` over `${{ github.event_name }}` instead of a single `if pull_request / else push` that left merge_group on the empty branch.
- Add an on-demand fetch for the push-event BASE when it isn't in the shallow clone, plus a `git cat-file -e` guard before the diff so we fall through cleanly to the "scan entire tree" path if the fetch fails (correct, just slower) instead of exiting 128.

## Defense-in-depth

`secret-formats.test.ts` had two literal continuous-string fixtures (`'ghp_xxxx…'`, `'github_pat_xxxx…'`). The ghp_ one matched the secret-scan regex.

Switched both to the `'prefix_' + 'x'.repeat(N)` pattern already used elsewhere in the same file — runtime value is the same, but the literal source text no longer matches the regex even if the BASE detection ever falls back to tree-scan mode again.

## Test plan

- [x] No remaining regex matches in the secret-formats.test.ts source
- [x] YAML structure preserved
- [ ] CI passes on this PR's pull_request scan (was already passing)
- [ ] CI passes on this PR's merge_group scan (the new path)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
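The PR body describes three mechanisms without showing the script: a `case` over the event name fed from a step `env:` block, a `git cat-file -e` guard that degrades to a whole-tree scan instead of exiting 128, and the `'prefix_' + 'x'.repeat(N)` fixture form that keeps the source text from matching `ghp_[A-Za-z0-9]{36,}`. The shell below is an added example written for this page; it is not the `secret-scan.yml` step from molecule-core or from this PR. The function names, the argument layout standing in for the step `env:` block, the fixture lines and the handling of an all-zero `before` SHA on branch-creating pushes are assumptions.

```shell
#!/bin/sh
# Added example, not the secret-scan.yml script from the PR. Function names,
# argument layout and the fixture strings below are assumptions for illustration.

# Regex quoted in the failing run's output.
GHP_RE='ghp_[A-Za-z0-9]{36,}'

# resolve_range EVENT PR_BASE PR_HEAD MG_BASE MG_HEAD PUSH_BEFORE PUSH_AFTER
# Stands in for a step env: block exposing each event's SHAs, with a `case`
# over the event name instead of an if/else that leaves merge_group with no BASE.
# Prints "BASE HEAD"; BASE is empty when the event carries no usable base.
resolve_range() {
  case "$1" in
    pull_request) base=$2; head=$3 ;;
    merge_group)  base=$4; head=$5 ;;
    push)         base=$6; head=$7 ;;
    *)            base=""; head="" ;;
  esac
  # Assumption beyond the PR text: a push that creates a branch reports an
  # all-zero `before`, which is not a diffable base either.
  case "$base" in
    0000000000000000000000000000000000000000) base="" ;;
  esac
  printf '%s %s\n' "$base" "$head"
}

# base_present SHA: succeeds only if the commit is already in the object DB.
# `git cat-file -e` never fetches; it is the guard that keeps `git diff` from
# dying with "fatal: bad object" on a shallow clone.
base_present() {
  [ -n "$1" ] && git cat-file -e "$1^{commit}" 2>/dev/null
}

# scan_scope BASE: prints "diff" when a diff-based scan is possible, otherwise
# "tree" (the slower but still correct whole-tree fallback). One on-demand
# fetch of the missing base is attempted before giving up.
scan_scope() {
  if base_present "$1"; then echo diff; return; fi
  if [ -n "$1" ] && git fetch --depth=1 origin "$1" 2>/dev/null && base_present "$1"; then
    echo diff
  else
    echo tree
  fi
}

# matches_secret_re TEXT: succeeds if the source text itself matches GHP_RE,
# which is what a tree-scan mode would see in a test fixture.
matches_secret_re() {
  printf '%s\n' "$1" | grep -Eq "$GHP_RE"
}

# Constructed fixtures standing in for the two forms in the test file: a
# continuous literal and the `'prefix_' + 'x'.repeat(N)` form. Both evaluate
# to the same 40-character value at runtime; only the literal is visible to grep.
X40=$(i=0; s=""; while [ "$i" -lt 40 ]; do s="${s}x"; i=$((i + 1)); done; printf '%s' "$s")
LITERAL_FIXTURE="const token = 'ghp_${X40}';"
CONCAT_FIXTURE="const token = 'ghp_' + 'x'.repeat(40);"

# Stand-alone demo: a branch-creating push has no base, so the scan falls
# through to the tree path, where only the literal fixture trips the regex.
range=$(resolve_range push "" "" "" "" 0000000000000000000000000000000000000000 deadbeef)
echo "push range: '$range'"
echo "scope: $(scan_scope "${range%% *}")"
if matches_secret_re "$LITERAL_FIXTURE"; then echo "literal fixture: matches"; fi
if matches_secret_re "$CONCAT_FIXTURE"; then echo "concat fixture: matches"; else echo "concat fixture: clean"; fi
```

In a real workflow the seven positional arguments would come from `${{ github.event.pull_request.base.sha }}`, `${{ github.event.merge_group.base_sha }}`, `${{ github.event.before }}` and their HEAD counterparts placed in the step's `env:`; the point of the guard is that a missing object changes the scan scope rather than the exit code.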