From d941634e6a233fa760f1e042f33c51bca81f6af1 Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Mon, 11 May 2026 12:48:59 +0000 Subject: [PATCH 1/2] fix(compliance): add gitleaks secret-scan job and pin rust-toolchain SHA MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes compliance findings for the .github repo from the 2026-05-11 audit: - ci.yml: add required gitleaks secret-scan job per push-protection standard - dependency-audit.yml: pin dtolnay/rust-toolchain@stable to commit SHA Also applied via GitHub API (no file changes needed): - Enabled CodeQL default setup (codeql-default-setup-not-configured) - Set allow_auto_merge=true, delete_branch_on_merge=true - Disabled check-suite auto-trigger for app IDs 1236702 (Claude) and 347564 (CodeRabbit) Note: unpinned-actions findings for agent-shield.yml, claude.yml, and dependabot-automerge.yml are false positives — internal reusable workflow refs are exempt from SHA pinning per ci-standards.md#exception-internal-reusable-workflow-references. Closes #241 Co-authored-by: Don Petry --- .github/workflows/ci.yml | 19 +++++++++++++++++++ .github/workflows/dependency-audit.yml | 2 +- 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 785b7c8d..106009eb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -80,6 +80,25 @@ jobs:
 echo "No shell scripts found — skipping"
 fi
+ secret-scan:
+ name: Secret scan (gitleaks)
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout (full history)
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ fetch-depth: 0
+
+ - name: Run gitleaks
+ uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
+ with:
+ args: detect --source . --redact --verbose --exit-code 1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
 agent-security:
 name: Agent Security Scan
 runs-on: ubuntu-latest
diff --git a/.github/workflows/dependency-audit.yml b/.github/workflows/dependency-audit.yml
index a8cc76d9..c332e2e4 100644
--- a/.github/workflows/dependency-audit.yml
+++ b/.github/workflows/dependency-audit.yml
@@ -159,7 +159,7 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 - name: Install cargo-audit
 run: cargo install cargo-audit@0.22.1 --locked
From 33616cefe999a13f0b74018f998010cee6a1f40d Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Mon, 11 May 2026 12:51:01 +0000 Subject: [PATCH 2/2] fix(ci): add GITLEAKS_LICENSE env var to secret-scan job gitleaks-action v2 requires a license for organization repos. The GITLEAKS_LICENSE secret must be set in org secrets for this job to pass. Co-authored-by: Don Petry --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 106009eb..78289345 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
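Review bot: The `with:` / `args: detect --source . --redact --verbose --exit-code 1` on the `Run gitleaks` step is unlikely to take effect, because gitleaks/gitleaks-action v2 is driven by environment variables (`GITLEAKS_LICENSE`, `GITLEAKS_CONFIG`, `GITLEAKS_ENABLE_*`) and, to my knowledge, declares no `args` input, so it builds its own scan command for the pushed commit range and would silently ignore these flags; verify against the action's `action.yml` at the pinned SHA and, if so, drop the `with:` block or express the intent through `GITLEAKS_CONFIG`. The job grants `security-events: write` but nothing in it uploads SARIF to code scanning, so by least privilege the `permissions:` block should be just `contents: read` unless SARIF upload is actually enabled. Conversely, if the action's default PR commenting is left on for pull_request runs it will need `pull-requests: write` to post findings, which is worth deciding explicitly rather than discovering from a failed step. The workflow's `on:` trigger block is outside this hunk.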
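Review bot: The new `dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8` line loses the channel selection that the `@stable` ref carried: this action takes its default toolchain from the branch it was referenced by, and at a bare SHA the default depends on which branch that commit sits on (as far as I recall a commit from `master` has no default and fails with a missing-input error), so give the step an explicit `with:` / `toolchain: stable` so the pin is self-describing and survives a future bump. The `# stable` trailer names a moving branch rather than a release, so reviewers and pin-update tooling cannot check the SHA against it; record the tag or date the commit corresponds to instead (`# <release-tag-or-date>` as a placeholder until looked up). Separately, the context line above pins `actions/checkout` to `de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4` while the identical SHA is labelled `# v6.0.2` in the ci.yml hunk of this same patch — at least one comment is wrong, and a wrong version comment undermines the review value of the pin, so reconcile them.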
@@ -98,6 +98,7 @@ jobs:
 args: detect --source . --redact --verbose --exit-code 1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
 agent-security:
 name: Agent Security Scan
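Review bot: `GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}` expands to an empty string whenever the secret is unavailable — not yet created, not scoped to this repository, or a `pull_request` run from a fork, where secrets are withheld — and the job then fails on licensing rather than on a finding, which is indistinguishable from a real detection in a required check. I would add a short guard step before `Run gitleaks` that fails with an explicit `::error::` when the variable is empty, so the operator error is named instead of surfacing as an opaque action failure. Whether v2.3.9 still needs the key at all is worth confirming against the action's README at the pinned SHA, since I believe Gitleaks has stated that recent v2 releases no longer require a license; if that holds, this commit can be dropped. The workflow's trigger block and the rest of the job are outside this hunk.
```yaml
      # … unchanged: Checkout (full history) step …
      - name: Check gitleaks license is available
        env:
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
        run: |
          if [ -z "${GITLEAKS_LICENSE}" ]; then
            echo "::error::GITLEAKS_LICENSE secret is not available to this run"
            exit 1
          fi
      # … unchanged: Run gitleaks step …
```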