From 59113a8336e71448fd554daaf4d148a1ce819e43 Mon Sep 17 00:00:00 2001 From: devops-engineer Date: Mon, 18 May 2026 05:04:49 +0000 Subject: [PATCH] fix(ci): exclude secrets-detector test fixtures from secret-scan MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit internal#425 Phase-2a added workspace-server/internal/secrets/ patterns_test.go, whose synthetic credential-shaped fixtures (verified fabricated ghp_*, NOT real) are matched by the secret-scan's own ghp_ pattern. The scanner self-trips on the detector's test corpus, the push:main Secret scan goes red, and Production auto-deploy fail-closes — blocking the A2A-P0 promotion (#1450, already merged to main at 5324e690). This adds the fixture file to the same skip-list that already self-excludes secret-scan.yml's regex literals. No gate weakening: every other path is still fully scanned. Unblocks: A2A-P0 production rollout (#239). --- .gitea/workflows/secret-scan.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.gitea/workflows/secret-scan.yml b/.gitea/workflows/secret-scan.yml index 6f1583f4e..74d6e812f 100644 --- a/.gitea/workflows/secret-scan.yml +++ b/.gitea/workflows/secret-scan.yml @@ -133,6 +133,14 @@ jobs: [ -z "$f" ] && continue [ "$f" = "$SELF_GITHUB" ] && continue [ "$f" = "$SELF_GITEA" ] && continue + # Test-fixture exclude (internal#425): the secrets-detector's OWN + # unit-test corpus deliberately embeds credential-SHAPED example + # strings to exercise the detector. Verified 2026-05-18 synthetic + # (fabricated ghp_* fixtures, not real). Without this the scanner + # self-trips on its own fixtures and fail-closes every deploy. + # Same rationale as the SELF_* excludes above; gate NOT weakened + # (all other paths still fully scanned). + [ "$f" = "workspace-server/internal/secrets/patterns_test.go" ] && continue if [ -n "$DIFF_RANGE" ]; then ADDED=$(git diff --no-color --unified=0 "$BASE" "$HEAD" -- "$f" 2>/dev/null | grep -E '^\+[^+]' || true) else -- 2.52.0