
feat: add CI check that demo artifacts never include raw payment headers (#86)#97

Merged
emrekayat merged 1 commit into emrekayat:main from Micheal-Blessed:feature/ci-payment-leaks-check-86 on Jun 30, 2026

Conversation

@Micheal-Blessed (Contributor)

Resolves #86

Description

This PR introduces a lightweight validator script to scan reviewer-facing artifacts (e.g., markdown documentation in docs/ and root *.md files) for raw payment headers, private keys, bearer tokens, or API keys, ensuring no sensitive credentials leak into public demo artifacts.

Patterns Scanned

  • Stellar Secret Keys: uppercase S followed by 55 alphanumeric characters.
  • Private Key PEM Blocks: -----BEGIN ... PRIVATE KEY-----.
  • Bearer Tokens: Bearer <token> where the token value is not redacted.
  • Facilitator API Keys: keys matching facilitator-api-key: <value> where the value is not redacted.
  • X-Payment Headers / Blobs: raw base64 transaction envelope blobs (AAAA...), 64-character transaction hashes, and headers with non-redacted/non-placeholder values.

Bypassing Personal Access Token Workflow Limitations

Because standard GitHub Personal Access Tokens (without workflow scope) cannot update files in .github/workflows/ci.yml, we chose to integrate this scanner directly into the existing scripts/check-source-artifacts.mjs script. Since the CI pipeline already executes npm run check:source-artifacts, it automatically runs the new payment leaks validator on every pull request and push without requiring changes to the workflow configuration.

Acceptance Criteria Met

  • Script exits non-zero with filename and pattern name when a leak is found.
  • Safe redacted examples like [REDACTED_PAYMENT_HEADER] and placeholders like demo_tx_123 correctly pass.
  • CI runs the check (via the existing check:source-artifacts step).
  • Built-in script self-tests cover all passing and failing cases on every execution.
  • Existing source artifact guard check remains intact.
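
The pattern families and redaction rules listed in the description, as an added example scanner. This is not the project's scripts/check-source-artifacts.mjs; the regexes, the placeholder conventions, the file names and the sample artifact contents below are constructed for illustration, modelled on the examples the PR gives ([REDACTED_PAYMENT_HEADER], demo_tx_123).

```javascript
// Added example, not the project's scripts/check-source-artifacts.mjs: a
// small scanner for the pattern families the PR description lists. The
// pattern set, placeholder rules, file names and sample contents below are
// constructed for this demo and are not taken from the repository.

// Each entry names a pattern family; `group` selects the value that is
// checked against the redaction rules (default: the whole match).
const PATTERNS = [
  // Stellar secret key as the PR describes it: 'S' plus 55 uppercase alphanumerics.
  { name: 'stellar-secret-key', re: /\bS[A-Z0-9]{55}\b/g },
  { name: 'private-key-pem', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/g },
  { name: 'bearer-token', re: /\bBearer\s+(\S+)/g, group: 1 },
  { name: 'facilitator-api-key', re: /facilitator-api-key:\s*(\S+)/gi, group: 1 },
  { name: 'x-payment-header', re: /x-payment:\s*(\S+)/gi, group: 1 },
  // Raw base64 transaction envelope blob (XDR envelopes start with "AAAA").
  { name: 'xdr-envelope-blob', re: /\bAAAA[A-Za-z0-9+/]{40,}={0,2}/g },
  // 64 hex characters: a transaction hash.
  { name: 'transaction-hash', re: /\b[0-9a-f]{64}\b/gi },
];

// Redaction / placeholder conventions (constructed, modelled on the PR's
// examples [REDACTED_PAYMENT_HEADER] and demo_tx_123).
function isRedacted(value) {
  return (
    /^\[REDACTED[A-Z_]*\]$/.test(value) ||
    /^(demo|example|placeholder|sample)_/i.test(value) ||
    /^<[^>]+>$/.test(value)
  );
}

// Scan one file's text; returns one finding per (line, pattern) hit,
// carrying the file name, line number and pattern name for the CI log.
function scanText(file, text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const p of PATTERNS) {
      p.re.lastIndex = 0; // global regexes keep state between exec() calls
      let m;
      while ((m = p.re.exec(line)) !== null) {
        const value = p.group ? m[p.group] : m[0];
        if (!isRedacted(value)) {
          findings.push({ file, line: idx + 1, pattern: p.name });
        }
      }
    }
  });
  return findings;
}

// Scan a map of file name -> contents (a real wrapper would read docs/ and *.md).
function checkFiles(files) {
  return Object.entries(files).flatMap(([file, text]) => scanText(file, text));
}

// Non-zero exit when anything leaked, as the acceptance criteria require.
function exitCodeFor(findings) {
  return findings.length === 0 ? 0 : 1;
}

// Constructed sample artifacts: one that follows the redaction conventions
// and one that leaks every pattern family.
const SAMPLE_FILES = {
  'docs/demo.md': [
    'X-Payment: [REDACTED_PAYMENT_HEADER]',
    'Authorization: Bearer <token>',
    'facilitator-api-key: demo_key_123',
    'tx id: demo_tx_123',
  ].join('\n'),
  'docs/leak.md': [
    'X-Payment: AAAA' + 'Q'.repeat(60),        // raw envelope blob (constructed)
    'Authorization: Bearer ' + 'x'.repeat(32), // non-redacted token (constructed)
    'secret: S' + 'B'.repeat(55),              // secret-key shaped string (constructed)
    '-----BEGIN EC PRIVATE KEY-----',
    'hash: ' + 'ab'.repeat(32),                // 64-hex transaction hash (constructed)
  ].join('\n'),
};

const demoFindings = checkFiles(SAMPLE_FILES);
for (const f of demoFindings) {
  console.log(`LEAK ${f.file}:${f.line} ${f.pattern}`);
}
console.log(`exit code would be ${exitCodeFor(demoFindings)}`);
```

Two design points worth noting: the redaction check runs on the captured value rather than on the whole line, so a redacted `X-Payment:` value passes while the same header with a raw blob fails; and a CI wrapper should call `process.exit(exitCodeFor(findings))` after printing the findings, so the filename and pattern name reach the log before the job fails.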

@vercel (Bot) commented Jun 29, 2026

@Micheal-Blessed is attempting to deploy a commit to emrekayat's projects Team on Vercel.

A member of the Team first needs to authorize it.

@drips-wave (Bot) commented Jun 29, 2026

@Micheal-Blessed Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀


@Micheal-Blessed (Contributor, Author)

@emrekayat please review and merge

@emrekayat emrekayat merged commit 1e221fe into emrekayat:main Jun 30, 2026
1 check failed
Micheal-Blessed added a commit to Micheal-Blessed/Query402 that referenced this pull request Jun 30, 2026
…ers (emrekayat#86) (emrekayat#97)

Co-authored-by: Micheal-Blessed <295943952+Micheal-Blessed@users.noreply.github.com>

Development: successfully merging this pull request may close issue "Add CI check that demo artifacts never include raw payment headers" (#86).

2 participants