fix(secret-scan): correct self-exclude path to .gitea (#150) #152

Merged
devops-engineer merged 1 commit from fix/secret-scan-self-exclude-path into main 2026-06-18 22:37:17 +00:00
Member

Closes #150

Problem

The secret-scanner's self-exclude variable was hardcoded to .github/workflows/secret-scan.yml, but the file actually lives at .gitea/workflows/secret-scan.yml. The exclude check [ "$f" = "$SELF" ] && continue therefore never matched the real file, so the scanner could FALSE-POSITIVE on the regex pattern literals (sk-ant-, ghp_, AKIA, etc.) contained in its own workflow file.

Fix

Set SELF to the workflow file's actual repo-relative path (verified via ls -la .gitea/workflows/secret-scan.yml). One-line change; no other behavior change.

Acceptance

  • (a) editing/adding lines in secret-scan.yml in a PR no longer trips the scanner on its own pattern literals — the self-exclude now actually matches the file path
  • (b) no other behavior change

Not merged; routing for review per PM directive.
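To make the failure mode concrete, here is an added example (not the project's workflow, and not code from the PR author): a minimal file-loop scanner with the same `[ "$f" = "$SELF" ] && continue` self-exclude, run twice over a constructed set of changed files, once with the old `.github/...` value of `SELF` and once with the corrected `.gitea/...` value. The fixture directory, file contents, the `CHANGED` list (standing in for whatever `git diff --name-only`-style list the real workflow uses) and the three-literal pattern set are all constructed for the demo; the real workflow's pattern definitions and diff handling are not reproduced.

```shell
#!/bin/sh
# Added example: demonstrates why a wrong SELF path makes a secret scanner
# flag its own pattern literals. Not the repository's workflow.
set -u

# Credential-shaped prefixes named in the PR description (constructed subset).
PATTERNS='sk-ant-|ghp_|AKIA'

# Build a throwaway repo layout (constructed sample data) and print its root.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.gitea/workflows" "$dir/src"
    # The scanner's own workflow file necessarily contains the pattern literals.
    cat > "$dir/.gitea/workflows/secret-scan.yml" <<'EOF'
name: Secret scan
# PATTERNS='sk-ant-|ghp_|AKIA'   (the regex literals live here)
EOF
    # An innocent changed file.
    printf 'print("hello")\n' > "$dir/src/app.py"
    # A changed file carrying a constructed, non-functional token-shaped string.
    printf 'TOKEN=ghp_EXAMPLE_NOT_A_REAL_TOKEN_0000\n' > "$dir/src/config.env"
    echo "$dir"
}

# count_hits ROOT SELF FILE... : scan each changed file except SELF,
# report flagged paths on stderr, print the number of flagged files on stdout.
count_hits() {
    root=$1; self=$2; shift 2
    hits=0
    for f in "$@"; do
        [ "$f" = "$self" ] && continue        # the self-exclude check from the PR
        if grep -Eq "$PATTERNS" "$root/$f"; then
            echo "flagged: $f" >&2
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# Changed-file list for the demo (constructed); includes the workflow file itself,
# as happens whenever a PR edits secret-scan.yml.
CHANGED='.gitea/workflows/secret-scan.yml src/app.py src/config.env'

# run_demo SELF : build the fixture, scan CHANGED with the given SELF, print hit count.
run_demo() {
    self=$1
    root=$(make_fixture)
    # shellcheck disable=SC2086  # word splitting of CHANGED is intended
    count_hits "$root" "$self" $CHANGED
    rm -rf "$root"
}

echo "old SELF (.github): $(run_demo .github/workflows/secret-scan.yml) file(s) flagged"
echo "fixed SELF (.gitea): $(run_demo .gitea/workflows/secret-scan.yml) file(s) flagged"
```

With the old path the loop never skips the workflow file, so the run reports two hits: the genuine token-shaped string in `src/config.env` and a false positive on the pattern literals inside `secret-scan.yml`. With the corrected path only `src/config.env` is reported, and because the comparison is an exact string match on the repo-relative path, nothing other than that one file is excluded.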

agent-dev-b added 1 commit 2026-06-18 22:16:29 +00:00
fix(secret-scan): correct self-exclude path to .gitea (#150)
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s
ci / lint (pull_request) Successful in 18s
ci / build (pull_request) Successful in 37s
ci / smoke-install (pull_request) Successful in 53s
ci / unit-tests (pull_request) Successful in 1m15s
ci / responsiveness-e2e (pull_request) Successful in 1m46s
5f21240c14
The secret-scanner's self-exclude was hardcoded to
`.github/workflows/secret-scan.yml` but the file actually lives at
`.gitea/workflows/secret-scan.yml`. The exclude check
`[ "$f" = "$SELF" ] && continue` therefore never matched the real
file, so the scanner could FALSE-POSITIVE on the regex pattern literals
contained in its own workflow file (e.g. sk-ant-, ghp_, AKIA patterns
used in the secret-pattern definitions).

Set SELF to the actual repo-relative path. No other behavior change.

Closes #150
agent-reviewer-cr2 approved these changes 2026-06-18 22:25:09 +00:00
agent-reviewer-cr2 left a comment
Member

APPROVED. 5-axis review complete. Correctness: SELF now matches the actual workflow path .gitea/workflows/secret-scan.yml, so the scanner excludes its own regex literals as intended. Robustness: one-line path-only fix; surrounding whitespace-safe file loop and scan behavior unchanged. Security: reduces false positives without broadening the exclusion beyond the workflow file. Performance/readability unchanged. No blocking issues found.

agent-researcher approved these changes 2026-06-18 22:34:26 +00:00
agent-researcher left a comment
Member

5-axis review: APPROVED.

Correctness/security: .gitea/workflows/secret-scan.yml now self-excludes .gitea/workflows/secret-scan.yml, matching the actual workflow path. The scanner still checks added/modified files, skips only the workflow file itself, and reports offending credential-shaped additions as before.

Robustness/performance/readability: no concerns. Diff is path-only; git diff --check is clean and CI is green.

devops-engineer merged commit e4634e0cfb into main 2026-06-18 22:37:17 +00:00
devops-engineer deleted branch fix/secret-scan-self-exclude-path 2026-06-18 22:37:18 +00:00
Reference: molecule-ai/molecule-ai-workspace-runtime#152