ci(contract): add canonical secret-scan for claude-code parity (RFC internal#476 P1) #25

Merged
devops-engineer merged 2 commits from rfc476-p1-add-secret-scan into main 2026-05-17 00:18:11 +00:00
Member

RFC internal#476 finding #2. hermes already runs the inline canonical workspace-template validator but had NO secret-scan.yml while claude-code does (U2 universal secret-handling gate non-uniform). Adds the byte-identical canonical secret-scan.yml. Post-merge BP adds 'Secret scan / Scan diff for credential-shaped strings (pull_request)'.

Non-author review + devops-engineer merge. Additive.

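
What the new 'Scan diff for credential-shaped strings' gate does, as an added illustration (example code, not the project's canonical secret-scan.yml, whose regex set this page does not reproduce): a Python scanner that walks a unified diff and reports only added lines matching credential-shaped patterns, so a removed leak does not re-trigger the gate. The pattern set and the sample diff are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed, illustrative patterns: NOT the canonical regex set from the
# project's secret-scan.yml (not on this page). Each keys on credential shape.
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

def scan_diff(diff_text: str) -> List[Tuple[Optional[str], int, str]]:
    """(file, new-side line, pattern) for each ADDED diff line that matches.
    Removed and context lines are skipped, so deleting a leak does not re-fire."""
    findings, current_file, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            # '+++ b/path' names the post-change file; '+++ /dev/null' = deleted
            path = raw[4:].strip()
            current_file = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            # '@@ -a,b +c,d @@': c is the hunk's first new-side line number
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
            new_line = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            for name, pattern in CREDENTIAL_PATTERNS.items():
                if pattern.search(raw[1:]):
                    findings.append((current_file, new_line, name))
            new_line += 1
        elif not raw.startswith(("-", "\\")):
            new_line += 1  # context line consumes a new-side line; '-' does not
    return findings

# Constructed sample: settings.py gains two credential-shaped lines; old.pem is
# deleted, so its private-key header appears only as a '-' line (no finding).
SAMPLE_DIFF = """\
+++ b/config/settings.py
@@ -10,3 +10,4 @@ DEBUG = False
 DATABASE = "app.db"
-API_KEY = "placeholder"
+API_KEY = "EXAMPLEKEYEXAMPLEKEY1234"
+AWS_KEY = "AKIAEXAMPLE0000000AB"
 TIMEOUT = 30
+++ /dev/null
@@ -1,2 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIBconstructedkeybody
"""
```

In a CI job the diff text would come from the pull_request base..head range and a non-empty finding list would fail the job.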
core-devops added 1 commit 2026-05-16 19:14:49 +00:00
ci: add canonical secret-scan gate for claude-code parity (RFC internal#476 P1)
Some checks are pending
CI / Template validation (static) (push) Waiting to run
CI / Template validation (runtime) (push) Blocked by required conditions
CI / validate (push) Blocked by required conditions
CI / Shell unit tests (push) Waiting to run
CI / Template validation (static) (pull_request) Waiting to run
CI / Template validation (runtime) (pull_request) Blocked by required conditions
CI / validate (pull_request) Blocked by required conditions
CI / Shell unit tests (pull_request) Waiting to run
Secret scan / Scan diff for credential-shaped strings (pull_request) Waiting to run
2a61496895
hermes already runs the inline canonical workspace-template validator
(.gitea/workflows/ci.yml: validate-static/runtime/aggregate) but had NO
secret-scan.yml while claude-code does (RFC internal#476 finding #2: U2
universal secret-handling gate non-uniform). Adds the byte-identical
canonical secret-scan.yml so hermes reaches claude-code U2 parity.
Required context 'Secret scan / Scan diff for credential-shaped strings
(pull_request)' added to BP post-merge.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
core-qa approved these changes 2026-05-16 19:22:51 +00:00
core-qa left a comment
Member

Reviewed as non-author (core-qa). hermes already ran the inline canonical workspace-template validator; this PR adds ONLY the byte-identical canonical secret-scan.yml (U2 parity with claude-code, RFC internal#476 finding #2). Verified secret-scan.yml YAML parses + Secret scan job is the canonical regex set; all hermes CI contexts SUCCESS on push (validation + shell tests + publish-image). Additive, no existing gate touched. APPROVE.

core-devops added 1 commit 2026-05-16 19:25:53 +00:00
ci: trigger pull_request-event workflow run (Gitea 1.22.6 synchronize)
All checks were successful
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 16s
CI / Template validation (static) (pull_request) Successful in 1m46s
CI / Shell unit tests (pull_request) Successful in 1m47s
CI / Template validation (static) (push) Successful in 2m0s
CI / Shell unit tests (push) Successful in 1m54s
CI / Template validation (runtime) (push) Successful in 17m25s
CI / Template validation (runtime) (pull_request) Successful in 17m47s
CI / validate (push) Successful in 1s
CI / validate (pull_request) Successful in 2s
7334eb3e5e
The branch-push fired only the (push) workflow; BP requires the
(pull_request) context. Empty commit -> PR synchronize -> pull_request run.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
devops-engineer merged commit aca93f132a into main 2026-05-17 00:18:11 +00:00
devops-engineer deleted branch rfc476-p1-add-secret-scan 2026-05-17 00:18:11 +00:00
Reference: molecule-ai/molecule-ai-workspace-template-hermes#25