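---
name: SECRET_PATTERNS drift lint
# Detects when the canonical SECRET_PATTERNS array in
# .github/workflows/secret-scan.yml diverges from known consumer
# mirrors (workspace-runtime's bundled pre-commit hook today; more
# can be added as the consumer set grows).
#
# Why this exists: every side that scans for credentials has its own
# copy of the pattern list. They drift — most recently the runtime
# hook lagged the canonical by one pattern (sk-cp- / MiniMax F1088),
# so a developer's local pre-commit would let a sk-cp- token through
# while the org-wide CI scan would refuse it. The cost of that drift
# is dev confusion + delayed feedback; the fix is automated detection.
#
# Triggers:
#   - schedule: daily 05:00 UTC. Catches drift introduced by edits
#     to a consumer copy that didn't update canonical here.
#   - push to main/staging where the canonical or this lint changed:
#     catches the inverse — canonical updated but consumers not yet
#     bumped. The lint will fail the push; that's intentional, the
#     person editing canonical is the right person to also update
#     the consumer.
#   - workflow_dispatch: ad-hoc operator runs.
on:
  schedule:
    # 05:00 UTC = 22:00 PDT / 01:00 EDT (one hour earlier under
    # standard time). Quiet hours so a failure email lands when
    # humans are starting their day, not interrupting it.
    - cron: "0 5 * * *"
  push:
    branches: [main, staging]
    # Every file that holds or checks a copy of the pattern list;
    # add a path here when a new in-repo consumer mirror is added.
    paths:
      - ".github/workflows/secret-scan.yml"
      - ".github/workflows/secret-pattern-drift.yml"
      - ".github/scripts/lint_secret_pattern_drift.py"
      - ".githooks/pre-commit"
  workflow_dispatch:

# GITHUB_TOKEN scoped to read-only. The lint only does git checkout
# + HTTPS GETs to public consumer files; no writes to anything.
permissions:
  contents: read

jobs:
  lint:
    name: Detect SECRET_PATTERNS drift
    runs-on: ubuntu-latest
    # The job is a single script run; 5 minutes is ample and bounds
    # a hung HTTPS GET.
    timeout-minutes: 5
    steps:
      # TODO(review): pin to the full commit SHA of the v6 release
      # (as setup-python below is) so a moved tag cannot change the
      # code this job executes. SHA left out here rather than guessed.
      - uses: actions/checkout@v6
        with:
          # The lint only reads the working tree, so the token need
          # not be left in .git/config for later steps. Revisit if
          # the script ever needs an authenticated git fetch.
          persist-credentials: false
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          # Quoted so the version is a string, not the float 3.11.
          python-version: "3.11"
      - name: Run drift lint
        # Exits non-zero on drift, which fails the push/schedule run.
        run: python3 .github/scripts/lint_secret_pattern_drift.py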