fix(ci): add gitleaks secret-scan job to satisfy compliance check #219

Open

don-petry wants to merge 27 commits into main from claude/issue-118-20260508-1733

Conversation

@don-petry
Contributor

Summary

  • Adds the required secret-scan job to .github/workflows/ci.yml per the push-protection standard
  • The job runs gitleaks in full-history mode (fetch-depth: 0) on every PR and push to main, with --redact so secrets never appear in CI logs
  • Both actions are SHA-pinned per the Action Pinning Policy in ci-standards.md

Test plan

  • CI passes (lint, shellcheck, agent-security, secret-scan all green)
  • secret-scan job appears in the workflow run and completes successfully
  • Compliance audit secret_scan_ci_job_present check resolves on next run

Closes #118

Generated with Claude Code
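As an added example (not the project's audit tooling, whose actual rules are not shown on this page), a small POSIX shell checker for the kind of condition the secret_scan_ci_job_present finding describes: a gitleaks step, a full-history checkout, every action SHA-pinned, and `--redact` on the gitleaks run. The two workflow files it scans are constructed inline to mirror the job described in the summary; the function names, the placeholder SHAs and the four rules are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the repository's audit script): a minimal checker for the
# secret_scan_ci_job_present finding this PR addresses. It assumes the audit
# wants (1) a gitleaks step, (2) a full-history checkout (fetch-depth: 0),
# (3) every `uses:` pinned to a 40-hex commit SHA, (4) gitleaks run with
# --redact. Both workflow samples below are constructed for the demo.

check_workflow() {
  f="$1"
  fail=0

  # 1. Some step invokes gitleaks, either the action or a direct `gitleaks detect`.
  if ! grep -Eq 'gitleaks/gitleaks-action@|gitleaks detect' "$f"; then
    echo "FAIL: no gitleaks step in $f"; fail=1
  fi

  # 2. Checkout must be full-history, or old commits are never scanned.
  if ! grep -Eq '^[[:space:]]*fetch-depth:[[:space:]]*0[[:space:]]*$' "$f"; then
    echo "FAIL: checkout is shallow (fetch-depth: 0 missing) in $f"; fail=1
  fi

  # 3. Every `uses:` line must end in @<40 hex chars>, optionally followed by
  #    a "# vX.Y.Z" comment; floating tags such as @v4 are rejected.
  unpinned=$(grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$f" \
    | grep -Ev '@[0-9a-f]{40}([[:space:]]+#.*)?$' || true)
  if [ -n "$unpinned" ]; then
    echo "FAIL: unpinned action(s) in $f:"; echo "$unpinned"; fail=1
  fi

  # 4. --redact keeps matched secret values out of the job log.
  if ! grep -q -- '--redact' "$f"; then
    echo "FAIL: gitleaks runs without --redact in $f"; fail=1
  fi

  return "$fail"
}

# Constructed sample workflows: one that satisfies all four rules, one that
# uses floating tags, a shallow checkout and no --redact.
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/good.yml" <<'EOF'
name: ci
on: [push, pull_request]
jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@fedcba9876543210fedcba9876543210fedcba98 # placeholder SHA
        with:
          args: detect --source . --redact --exit-code 1
EOF
  cat > "$dir/bad.yml" <<'EOF'
name: ci
on: [push, pull_request]
jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: gitleaks/gitleaks-action@v2
        with:
          args: detect --source . --exit-code 1
EOF
  echo "$dir"
}

SAMPLE_DIR=$(write_samples)
GOOD_WORKFLOW="$SAMPLE_DIR/good.yml"
BAD_WORKFLOW="$SAMPLE_DIR/bad.yml"

check_workflow "$GOOD_WORKFLOW" && echo "good.yml: compliant"
check_workflow "$BAD_WORKFLOW" || echo "bad.yml: non-compliant"
```

It is line-oriented on purpose (grep over the YAML text) so it needs no YAML library; a production check would parse the workflow and walk each job's steps. The pinning regex (exactly 40 hex characters after `@`, optional trailing `# vX.Y.Z` comment) is the rule a SHA-pinning policy actually enforces, and it rejects floating tags such as `@v4` that a plain text search for "gitleaks" would accept.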

Copilot AI review requested due to automatic review settings May 8, 2026 17:35
@don-petry don-petry requested a review from a team as a code owner May 8, 2026 17:35
@coderabbitai

coderabbitai Bot commented May 8, 2026

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 38 minutes and 36 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: e7956eaf-1c83-425b-b153-6d7d2f92c720

📥 Commits

Reviewing files that changed from the base of the PR and between 9a72202 and 1784ace.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

@don-petry
Contributor Author

@petry-projects/org-leads — this PR is ready for review.

Summary: Adds the missing secret-scan job to ci.yml to resolve the secret_scan_ci_job_present compliance finding (issue #118). The job runs gitleaks in full-history mode on every PR and push to main, with SHAs pinned per the Action Pinning Policy.

CI status: All jobs passing (Lint ✅ ShellCheck ✅ AgentShield ✅ Agent Security Scan ✅ Secret scan (gitleaks) ✅).

Contributor

Copilot AI left a comment

Pull request overview

Adds the required secret-scan CI job to bring this repository into compliance with the push-protection standard (secret_scan_ci_job_present) by running a full-history gitleaks scan on PRs and pushes to main.

Changes:

  • Adds a new secret-scan job to .github/workflows/ci.yml.
  • Checks out the repository with fetch-depth: 0 to enable full-history scanning.
  • Runs gitleaks detect with --redact and --exit-code 1 to fail CI on findings without leaking secrets into logs.

Comment thread .github/workflows/ci.yml
Comment on lines +118 to +121
with:
args: detect --source . --redact --verbose --exit-code 1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
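Review bot: the env block on these lines carries only GITHUB_TOKEN, yet the second commit on this PR states that gitleaks-action needs a GITLEAKS_LICENSE when scanning organization repositories, so at this point in the hunk the job would not run on an org repo; add `GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}` beside GITHUB_TOKEN (the later commit does this). A smaller point on the args: with the full-history checkout, gitleaks v8 `detect` walks every commit by default, so one leaked credential in an old commit fails every future PR; `--redact` keeps the value out of the log, which is right, but the job should document the triage path (rotate the credential, then allow-list its fingerprint in `.gitleaksignore` or a `.gitleaks.toml` allowlist) so the first historical hit is not answered by dropping `--exit-code 1`.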
Comment thread .github/workflows/ci.yml
steps:
- name: Checkout (full history)
# Pin to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
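Review bot: the SHA lookup comment on these lines says `refs/tags/v4`, but the commit message for this PR pins `actions/checkout@de0fac2 (v6.0.2)`, so the comment would lead the next person refreshing the pin to an older major; point it at the release tag actually pinned (`v6.0.2`) rather than a moving major tag. Also, if that tag is annotated, `git/refs/tags/<tag>` returns the tag object's SHA (`.object.type` is `tag`), not the commit, and it must be dereferenced (`gh api repos/actions/checkout/git/tags/<sha> --jq '.object.sha'`, or the `^{}` entry from `git ls-remote --tags`) before it is pinned, since a tag object SHA is not a valid ref for `uses:`.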
@github-actions
Contributor

Auto-rebase blocked — the base branch contains .github/workflows/ changes that require the workflows permission to merge into this branch, but the auto-rebase workflow's token does not have that permission.

Please rebase this branch manually:

git fetch origin
git rebase origin/main
git push --force-with-lease

@don-petry don-petry enabled auto-merge (squash) May 12, 2026 01:42
@don-petry don-petry force-pushed the claude/issue-118-20260508-1733 branch from 1cddb07 to b4db896 Compare May 13, 2026 16:59
@github-actions
Contributor

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@donpetry-bot
Contributor

donpetry-bot commented May 13, 2026

Superseded by automated re-review at 95f7f3ecf43b7aa598470c4fee66c35cffeb5f79 — click to expand prior review.

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@don-petry
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry
Contributor Author

Auto-rebase: Unable to resolve conflict automatically

The auto-rebase agent was unable to rebase this branch onto main. Manual intervention is required.

Conflict details

File: .github/workflows/ci.yml

Why this cannot be auto-resolved:

This PR adds a secret-scan job to ci.yml using gitleaks/gitleaks-action@v2.3.9 (with a GITLEAKS_LICENSE secret). However, commit 6f46503a on main already added a secret-scan job to the same file using a binary-install approach (direct wget of gitleaks binary, no license required).

These are two fundamentally different implementations of the same feature — not a simple action-pin version difference. Choosing one side automatically would either:

  • Duplicate or overwrite the existing working secret-scan job on main, or
  • Replace the binary-install approach (which works without a license) with the action-based approach (which requires a paid GITLEAKS_LICENSE for org repos)

This decision requires human judgment.

Context

  • main has had a working secret-scan job since 6f46503a (binary-install, no license needed)
  • This PR's secret-scan job uses gitleaks/gitleaks-action (requires GITLEAKS_LICENSE — added in b4db896)
  • The binary-install approach on main was chosen specifically to avoid the license requirement
  • The PR's goal (adding secret-scan to satisfy compliance) is already achieved on main

Recommended resolution

Since main already contains a complete secret-scan job that satisfies the compliance requirement (secret_scan_ci_job_present), this PR's changes may be fully superseded. Consider:

  1. Closing this PR — the compliance fix has already landed on main via 6f46503a
  2. Or rebasing manually if there is additional value in the PR's commits

Manual rebase steps (if needed)

git fetch origin
git checkout claude/issue-118-20260508-1733
git rebase origin/main
# Conflict will occur in .github/workflows/ci.yml
# Decide: keep main's binary-install approach (git checkout --ours) or
# replace with the action-based approach (git checkout --theirs)
# Then:
git add .github/workflows/ci.yml
git rebase --continue
git push --force-with-lease

Auto-rebase agent — unable to resolve: non-action-pin conflict in .github/workflows/ci.yml

@don-petry
Contributor Author

Auto-rebase: conflict cannot be resolved automatically

The auto-rebase workflow attempted to rebase `claude/issue-118-20260508-1733` onto `main` but encountered a conflict that requires human judgement to resolve.

Conflict

File: `.github/workflows/ci.yml`

Nature of conflict: Both branches have incompatible implementations of the `secret-scan` job — this is not a simple action-pin difference that can be resolved automatically.

| Branch | Implementation |
| --- | --- |
| PR branch | `gitleaks/gitleaks-action@ff98106` (GitHub Action, requires `GITLEAKS_LICENSE` secret) |
| `main` (commit `761dd4a`) | Direct binary install of `gitleaks` v8.30.1 (checksum-verified, no license required) |

Note

`main` already contains a `secret-scan` job that satisfies the compliance requirement this PR was addressing (closes #118). The `main` version is the more recent and preferred implementation (no license key dependency, checksum-pinned binary).

Consider closing this PR as superseded — the gitleaks secret-scan job already exists on `main` in a better form.

If you want to proceed with rebasing instead, use the steps below.

Manual resolution steps

git fetch origin
git checkout claude/issue-118-20260508-1733
git rebase origin/main
# Conflict will occur in .github/workflows/ci.yml
# Resolution options:
#   a) Accept main's version (recommended — main already has the better secret-scan job):
git checkout --ours -- .github/workflows/ci.yml
git add .github/workflows/ci.yml
git rebase --continue
#   b) Or manually edit .github/workflows/ci.yml to reconcile both implementations
git push --force-with-lease
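To show what the "checksum-verified, no license required" alternative on `main` has to get right, here is an added shell example (not the repository's own ci.yml step) of the fail-closed install pattern: a downloaded archive is installed only when its SHA-256 matches a digest pinned in the workflow. The release download itself is not performed; the two archives and the pinned digest (the SHA-256 of the string "hello" plus newline) are constructed locally so the example runs offline, and `install_verified` and `sha256_of` are names assumed for this example.

```shell
#!/bin/sh
# Added example (not the repository's ci.yml): the fail-closed pattern behind
# a checksum-verified binary install. In CI the archive comes from the release
# download and the expected digest is a constant in the workflow; here both
# are constructed locally.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# install_verified ARCHIVE EXPECTED_SHA256 DEST
# Copies ARCHIVE to DEST and marks it executable only if its digest matches.
# Any mismatch (corrupt download, substituted release asset) leaves DEST absent
# and returns non-zero so the job fails instead of running an unverified binary.
install_verified() {
  archive="$1"; expected="$2"; dest="$3"
  actual=$(sha256_of "$archive")
  if [ -z "$expected" ] || [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $archive: expected '$expected', got '$actual'" >&2
    return 1
  fi
  cp "$archive" "$dest" && chmod 0755 "$dest"
}

# Constructed demo inputs: the pinned digest is sha256("hello\n").
PINNED_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
WORK=$(mktemp -d)
printf 'hello\n'  > "$WORK/gitleaks-good.bin"      # matches the pin
printf 'hello!\n' > "$WORK/gitleaks-tampered.bin"  # one byte off

install_verified "$WORK/gitleaks-good.bin" "$PINNED_SHA256" "$WORK/gitleaks" \
  && echo "installed $WORK/gitleaks"
install_verified "$WORK/gitleaks-tampered.bin" "$PINNED_SHA256" "$WORK/gitleaks2" \
  || echo "refused tampered archive"
```

The empty-expected guard matters in CI: if the digest variable is missing or mis-spelled, the comparison must still fail rather than silently pass, which is the same reasoning that makes a SHA pin on a `uses:` line stronger than a floating tag.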

github-actions Bot and others added 2 commits May 16, 2026 13:13
Adds the required `secret-scan` job to `ci.yml` per the push-protection
standard (standards/push-protection.md#required-ci-job). The job runs
gitleaks in full-history mode (`fetch-depth: 0`) on every PR and push
to main, with `--redact` so no secrets appear in logs.

Actions pinned to SHAs per the Action Pinning Policy:
- actions/checkout@de0fac2 (v6.0.2)
- gitleaks/gitleaks-action@ff98106 (v2.3.9)

Closes #118

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

Gitleaks action requires a license key when scanning organization
repositories. Per ci-standards.md#4-secret-scanning (feat/gitleaks-license-standard
branch), org repos must pass GITLEAKS_LICENSE to the gitleaks action env.

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
@don-petry don-petry force-pushed the claude/issue-118-20260508-1733 branch from 9ad0fa4 to 2672011 Compare May 16, 2026 13:13
@don-petry
Contributor Author

Auto-rebase status — PR #219

Git write operations could not be executed in this Claude session due to permission restrictions (git fetch, git rebase, git push all require approval). However, the PR branch has already been rebased onto the current main tip by a previous operation.

Current state (verified via API)

| Item | Value |
| --- | --- |
| Base branch (main) | b583cc370316736820b8fe70a0e6c54f7c89ff4b |
| PR head after rebase | 2672011a8c3de8f0f3cf873dd70dd63d68f64ee9 |
| Mergeable | MERGEABLE |

Conflict that was resolved

File: .github/workflows/ci.yml

Both the PR branch (commit 93528c5) and the main branch independently added a secret-scan job with different implementations:

  • main: Manual binary download of gitleaks v8.30.1 with checksum verification
  • PR: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9 with GITLEAKS_LICENSE and security-events: write

The rebase resolved this by replaying the PR's commits on top of the new base, replacing the manual binary approach with the gitleaks-action approach the PR intended.

Manual steps (if rebase needs to be re-done)

git fetch origin
git rebase origin/main
# resolve conflict in .github/workflows/ci.yml
# keep the gitleaks-action approach or choose based on team preference
git add .github/workflows/ci.yml
git rebase --continue
git push --force-with-lease

@don-petry
Contributor Author

@dev-lead - please fix this PR

@don-petry
Contributor Author

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push


Development

Successfully merging this pull request may close these issues.

Compliance: secret_scan_ci_job_present
