forked from molecule-ai/molecule-core
6638d6e1d7
Adds a lint that diffs the canonical SECRET_PATTERNS array in
.github/workflows/secret-scan.yml against every known public
consumer mirror, failing on any divergence.
Why: every side that scans for credentials carries its own copy of
the pattern list. They drift — most recently the workspace-runtime
pre-commit hook lagged the canonical by one pattern (sk-cp- /
MiniMax F1088 vector), so a developer's local pre-commit would let
a sk-cp- token through while the org-wide CI scan would refuse it.
Useless friction; automated detection closes the gap.
Implementation:
.github/scripts/lint_secret_pattern_drift.py — pure stdlib, fetches
each consumer's RAW file via urllib, extracts the
SECRET_PATTERNS=( ... ) array via anchored regex (the closing
`)` is anchored to the start of a line because pattern comments
like `# GitHub PAT (classic)` contain their own paren mid-line),
diffs against canonical, fails on missing or extra patterns.
Fetch failures are warnings, not errors — a consumer whose
branch was renamed shouldn't fail the lint until someone updates
the URL list.
.github/workflows/secret-pattern-drift.yml — daily 05:00 UTC cron
+ on-push gate (when canonical, the workflow, or the script
changes) + workflow_dispatch. Read-only token, 5-minute timeout.
Initial consumer set: workspace-runtime's bundled pre-commit hook
(the one that drifted on sk-cp-). molecule-controlplane's inlined
copy is private so this workflow can't read it; that's tracked
separately and the controlplane's own self-monitor is the gap.
Verified locally: lint detects drift correctly when the runtime
hook is missing sk-cp-, returns clean when aligned.
Refs: task #139.
58 lines
2.0 KiB
YAML
58 lines
2.0 KiB
YAML
name: SECRET_PATTERNS drift lint
|
|
|
|
# Detects when the canonical SECRET_PATTERNS array in
|
|
# .github/workflows/secret-scan.yml diverges from known consumer
|
|
# mirrors (workspace-runtime's bundled pre-commit hook today; more
|
|
# can be added as the consumer set grows).
|
|
#
|
|
# Why this exists: every side that scans for credentials has its own
|
|
# copy of the pattern list. They drift — most recently the runtime
|
|
# hook lagged the canonical by one pattern (sk-cp- / MiniMax F1088),
|
|
# so a developer's local pre-commit would let a sk-cp- token through
|
|
# while the org-wide CI scan would refuse it. The cost of that drift
|
|
# is dev confusion + delayed feedback; the fix is automated detection.
|
|
#
|
|
# Triggers:
|
|
# - schedule: daily 05:00 UTC. Catches drift introduced by edits
|
|
# to a consumer copy that didn't update canonical here.
|
|
# - push to main/staging where the canonical or this lint changed:
|
|
# catches the inverse — canonical updated but consumers not yet
|
|
# bumped. The lint will fail the push; that's intentional, the
|
|
# person editing canonical is the right person to also update
|
|
# the consumer.
|
|
# - workflow_dispatch: ad-hoc operator runs.
|
|
|
|
on:
|
|
schedule:
|
|
# 05:00 UTC = 22:00 PT / 01:00 ET. Quiet hours so a failure
|
|
# email lands when humans are starting their day, not
|
|
# interrupting it.
|
|
- cron: "0 5 * * *"
|
|
push:
|
|
branches: [main, staging]
|
|
paths:
|
|
- ".github/workflows/secret-scan.yml"
|
|
- ".github/workflows/secret-pattern-drift.yml"
|
|
- ".github/scripts/lint_secret_pattern_drift.py"
|
|
workflow_dispatch:
|
|
|
|
# GITHUB_TOKEN scoped to read-only. The lint only does git checkout
|
|
# + HTTPS GETs to public consumer files; no writes to anything.
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
lint:
|
|
name: Detect SECRET_PATTERNS drift
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 5
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.11"
|
|
|
|
- name: Run drift lint
|
|
run: python3 .github/scripts/lint_secret_pattern_drift.py
|