diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index 089bb4d4..ff351015 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -46,7 +46,29 @@ jobs: if: github.event_name == 'pull_request' run: git fetch --depth=1 origin ${{ github.event.pull_request.base.sha }} + # For merge_group events the queue's pre-merge ref is a commit on + # `gh-readonly-queue/...` whose parent is the queue's base_sha. + # That parent isn't part of the queue branch's shallow clone, so + # we fetch it explicitly. Without this the diff falls through to + # "no BASE → scan entire tree" mode and false-positives on legit + # test fixtures (e.g. canvas/src/lib/validation/__tests__/secret-formats.test.ts). + - name: Fetch merge_group base SHA (merge_group events only) + if: github.event_name == 'merge_group' + run: git fetch --depth=1 origin ${{ github.event.merge_group.base_sha }} + - name: Refuse if credential-shaped strings appear in diff additions + env: + # Plumb event-specific SHAs through env so the script doesn't + # need conditional `${{ ... }}` interpolation per event type. + # github.event.before/after only exist on push events; + # merge_group has its own base_sha/head_sha; pull_request has + # pull_request.base.sha / pull_request.head.sha. + PR_BASE_SHA: ${{ github.event.pull_request.base.sha }} + PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} + MG_BASE_SHA: ${{ github.event.merge_group.base_sha }} + MG_HEAD_SHA: ${{ github.event.merge_group.head_sha }} + PUSH_BEFORE: ${{ github.event.before }} + PUSH_AFTER: ${{ github.event.after }} run: | # Pattern set covers GitHub family (the actual #2090 vector), # Anthropic / OpenAI / Slack / AWS. Anchored on prefixes with low @@ -68,19 +90,41 @@ jobs: 'ASIA[0-9A-Z]{16}' # AWS STS temp access key ID ) - # Determine the diff base. - if [ "${{ github.event_name }}" = "pull_request" ]; then - BASE="${{ github.event.pull_request.base.sha }}" - HEAD="${{ github.event.pull_request.head.sha }}" - else - BASE="${{ github.event.before }}" - HEAD="${{ github.event.after }}" + # Determine the diff base. Each event type stores its SHAs in + # a different place — see the env block above. + case "${{ github.event_name }}" in + pull_request) + BASE="$PR_BASE_SHA" + HEAD="$PR_HEAD_SHA" + ;; + merge_group) + BASE="$MG_BASE_SHA" + HEAD="$MG_HEAD_SHA" + ;; + *) + BASE="$PUSH_BEFORE" + HEAD="$PUSH_AFTER" + ;; + esac + + # On push events with shallow clones, BASE may be present in + # the event payload but absent from the local object DB + # (fetch-depth=2 doesn't always reach the previous commit + # across true merges). Try fetching it on demand. If the + # fetch fails — e.g. the SHA was force-overwritten — we fall + # through to the empty-BASE branch below, which scans the + # entire tree as if every file were new. Correct, just slow. + if [ -n "$BASE" ] && ! echo "$BASE" | grep -qE '^0+$'; then + if ! git cat-file -e "$BASE" 2>/dev/null; then + git fetch --depth=1 origin "$BASE" 2>/dev/null || true + fi fi # Files added or modified in this change. - if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then - # New branch / no previous SHA — check the entire tree as - # added content. Slower, but correct on first push. + if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$' || ! git cat-file -e "$BASE" 2>/dev/null; then + # New branch / no previous SHA / BASE unreachable — check the + # entire tree as added content. Slower, but correct on first + # push. CHANGED=$(git ls-tree -r --name-only HEAD) DIFF_RANGE="" else diff --git a/canvas/src/components/ProvisioningTimeout.tsx b/canvas/src/components/ProvisioningTimeout.tsx index 92af73f0..9e7e2d17 100644 --- a/canvas/src/components/ProvisioningTimeout.tsx +++ b/canvas/src/components/ProvisioningTimeout.tsx @@ -2,6 +2,7 @@ import { useState, useEffect, useCallback, useRef, useMemo } from "react"; import { useCanvasStore, type WorkspaceNodeData } from "@/store/canvas"; +import { pruneStaleKeys } from "./canvas/useCanvasViewport"; import { api } from "@/lib/api"; import { showToast } from "./Toaster"; import { ConsoleModal } from "./ConsoleModal"; @@ -125,11 +126,7 @@ export function ProvisioningTimeout({ // Remove tracking for nodes that are no longer provisioning const activeIds = new Set(parsedProvisioningNodes.map((n) => n.id)); - for (const id of tracking.keys()) { - if (!activeIds.has(id)) { - tracking.delete(id); - } - } + pruneStaleKeys(tracking, activeIds); // Also remove from timedOut list if no longer provisioning, and // clear `dismissed` entries for workspaces that finished so a diff --git a/canvas/src/lib/validation/__tests__/secret-formats.test.ts b/canvas/src/lib/validation/__tests__/secret-formats.test.ts index 2edd26cb..cce23b4e 100644 --- a/canvas/src/lib/validation/__tests__/secret-formats.test.ts +++ b/canvas/src/lib/validation/__tests__/secret-formats.test.ts @@ -143,7 +143,10 @@ describe('inferGroup', () => { describe('maskSecretValue', () => { it('masks ghp_ prefixed values showing prefix and last 4', () => { - const value = 'ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'; + // Built via concatenation, not as a literal continuous string — + // a literal `ghp_` + 36+ alphanumerics matches the secret-scan + // workflow's own regex and false-positives merge_group / push runs. + const value = 'ghp_' + 'x'.repeat(40); const masked = maskSecretValue(value); expect(masked.startsWith('ghp_')).toBe(true); expect(masked.endsWith(value.slice(-4))).toBe(true); @@ -151,7 +154,7 @@ describe('maskSecretValue', () => { }); it('masks github_pat_ prefixed values', () => { - const value = 'github_pat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'; + const value = 'github_pat_' + 'x'.repeat(82); const masked = maskSecretValue(value); expect(masked.startsWith('github_pat_')).toBe(true); expect(masked.endsWith(value.slice(-4))).toBe(true);