feat: add CI check that demo artifacts never include raw payment headers (#86) #97
Merged
emrekayat merged 1 commit into Jun 30, 2026
Conversation
@Micheal-Blessed is attempting to deploy a commit to the emrekayat's projects Team on Vercel. A member of the Team first needs to authorize it.

@Micheal-Blessed Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
Micheal-Blessed (Contributor, Author): @emrekayat please review and merge
Micheal-Blessed added a commit to Micheal-Blessed/Query402 that referenced this pull request on Jun 30, 2026:
…ers (emrekayat#86) (emrekayat#97) Co-authored-by: Micheal-Blessed <295943952+Micheal-Blessed@users.noreply.github.com>
Resolves #86

Description

This PR introduces a lightweight validator script to scan reviewer-facing artifacts (e.g., markdown documentation in `docs/` and root `*.md` files) for raw payment headers, private keys, bearer tokens, or API keys, ensuring no sensitive credentials leak into public demo artifacts.

Patterns Scanned

- `S` followed by 55 alphanumeric characters.
- `-----BEGIN ... PRIVATE KEY-----`.
- `Bearer <token>` where the token value is not redacted.
- `facilitator-api-key: <value>` where the value is not redacted.
- `AAAA...`), 64-character transaction hashes, and headers with non-redacted/non-placeholder values.

Bypassing Personal Access Token Workflow Limitations

Because standard GitHub Personal Access Tokens (without `workflow` scope) cannot update files in `.github/workflows/ci.yml`, we chose to integrate this scanner directly into the existing `scripts/check-source-artifacts.mjs` script. Since the CI pipeline already executes `npm run check:source-artifacts`, it automatically runs the new payment leaks validator on every pull request and push without requiring changes to the workflow configuration.

Acceptance Criteria Met

- `[REDACTED_PAYMENT_HEADER]` and placeholders like `demo_tx_123` correctly pass.
- `check:source-artifacts` step).
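A minimal scanner in the spirit of the validator described in this PR, added here as an illustration; it is not the project's own `scripts/check-source-artifacts.mjs`. The rule names, the `isPlaceholder` convention (redacted markers, `<angle>` templates, `demo_`/`example_` prefixes) and the sample markdown are assumptions constructed for the example.

```javascript
// Added illustration, not the project's scripts/check-source-artifacts.mjs.
// Rule names, the placeholder convention and SAMPLE are assumptions.
const RULES = [
  { name: 'private-key', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/g, group: 0 },
  { name: 'bearer-token', re: /\bBearer\s+(\S+)/g, group: 1 },
  { name: 'facilitator-api-key', re: /facilitator-api-key:\s*(\S+)/gi, group: 1 },
  { name: 'tx-hash', re: /\b(?:0x)?[0-9a-fA-F]{64}\b/g, group: 0 },
  { name: 'key-S55', re: /\bS[A-Za-z0-9]{55}\b/g, group: 0 }, // "S + 55 alnum" from the PR text
];

// Redacted markers and obvious placeholders are allowed in demo artifacts.
function isPlaceholder(value) {
  return /^\[REDACTED[A-Z_]*\]$/.test(value)                // [REDACTED_PAYMENT_HEADER]
    || /^<[^>]+>$/.test(value)                               // <token>, <value>
    || /^(demo|example|placeholder|your)[_-]/i.test(value);  // demo_tx_123
}

// Scans one artifact; returns a finding per non-placeholder match with its 1-based line.
function scanArtifact(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const rule of RULES) {
      rule.re.lastIndex = 0; // the /g regexes are shared across lines
      let m;
      while ((m = rule.re.exec(line)) !== null) {
        const value = m[rule.group];
        if (!isPlaceholder(value)) findings.push({ line: idx + 1, rule: rule.name, value });
      }
    }
  });
  return findings;
}

// CI semantics: the check passes only when nothing non-redacted was found.
function artifactIsClean(text) {
  return scanArtifact(text).length === 0;
}

// Constructed sample markdown: lines 2-4 are properly redacted, lines 5-8 leak.
const SAMPLE = [
  '# Demo flow',
  'Authorization: Bearer [REDACTED_PAYMENT_HEADER]',
  'facilitator-api-key: <value>',
  'tx: demo_tx_123',
  'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.sig',
  'facilitator-api-key: fk_constructed_value_123',
  '-----BEGIN EC PRIVATE KEY-----',
  'tx: 0x' + 'ab'.repeat(32),
].join('\n');

for (const f of scanArtifact(SAMPLE)) {
  console.log(`line ${f.line}: ${f.rule} -> ${f.value}`);
}
```

Wiring this into CI means exiting non-zero whenever `artifactIsClean` is false for any scanned file, which is what makes the `check:source-artifacts` step a blocking gate.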