
ci: add gitleaks scanning workflow and custom rules#142

Merged
yaozhen00 merged 1 commit into larksuite:main from iyaozhen:feature/ci
Apr 2, 2026

Conversation

@iyaozhen (Contributor) commented Mar 31, 2026

Summary

  • add a GitHub Actions Gitleaks workflow to run on pull requests targeting main
  • use the repository secret GITLEAKS_KEY as GITLEAKS_LICENSE, while relying on the default GitHub Actions GITHUB_TOKEN
  • add a repository-level .gitleaks.toml that extends the default ruleset with two Lark-specific detectors:
    • cli_... bot app IDs
    • XN0YXJ0-...-WVuZA session tokens

Test Plan

  • verified the workflow can be triggered from the current branch by temporarily enabling a branch-specific push trigger during validation
  • verified the default Gitleaks workflow fails on a known secret-like fixture
  • verified the custom .gitleaks.toml rules detect both:
    • cli_a94094xxxedf5xxx
    • XN0YXJ0-a8eo8xxx-xxxx-47e2-b21b-077c68019xxx-WVuZA
  • verified GitHub Push Protection blocked the push after the custom rule matched
  • verified the blocked push could be explicitly unblocked through GitHub and then pushed successfully
  • removed all temporary test fixtures and the temporary branch-specific push trigger after validation

Summary by CodeRabbit

  • Chores
    • Implemented automated secret-detection scanning for pushes and pull requests to main, with optional manual triggering.
    • Scan skips contexts where repository secrets aren’t available (e.g., forked PRs), avoiding false positives.
    • Added custom detection rules to identify specific application IDs and session-token patterns, improving scanner accuracy for repo-relevant secrets.

@coderabbitai bot commented Mar 31, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 960eba4 and 40aeec4.

📒 Files selected for processing (2)
  • .github/workflows/gitleaks.yml
  • .gitleaks.toml
✅ Files skipped from review due to trivial changes (1)
  • .gitleaks.toml

Walkthrough

Adds a Gitleaks GitHub Actions workflow and a .gitleaks.toml config to run on pushes, pull requests to main, and manually; the workflow checks out full history, runs the gitleaks action with secrets, and skips the job for forked PRs where secrets are unavailable.

Changes

  • GitHub Actions workflow, .github/workflows/gitleaks.yml: Adds a Gitleaks workflow triggered on pushes and PRs to main and workflow_dispatch; job runs on ubuntu-latest, checks out repo with fetch-depth: 0, uses gitleaks/gitleaks-action@v2.3.9 with GITHUB_TOKEN and GITLEAKS_LICENSE, and is conditional to skip forked PRs.
  • Gitleaks configuration, .gitleaks.toml: Adds config that extends default rules and defines two custom rules: lark-bot-app-id (regex \bcli_[a-z0-9]{16}\b, tag cli_) and lark-session-token (regex \bXN0YXJ0-[A-Za-z0-9_-]+-WVuZA\b, tags XN0YXJ0-, -WVuZA).

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant PR as Pull Request / Push
    participant GH as GitHub Actions
    participant Runner as Actions Runner (ubuntu-latest)
    participant Checkout as actions/checkout
    participant Gitleaks as gitleaks/gitleaks-action

    PR->>GH: push / PR to main or manual dispatch
    GH->>Runner: start gitleaks job (if not forked PR)
    Runner->>Checkout: checkout repo (fetch-depth: 0)
    Runner->>Gitleaks: run action (env: GITHUB_TOKEN, GITLEAKS_LICENSE)
    Gitleaks->>Runner: scan repository using .gitleaks.toml
    Gitleaks->>GH: return findings / status

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 I hopped through commits far and near,
I sniffed for tokens hiding here,
Two new rules lend me my sight,
I guard the code both day and night,
A rabbit's scan, precise and clear.

Pre-merge checks: 3 passed

  • Title check: Passed. The title clearly and concisely summarizes the main changes: adding a Gitleaks scanning workflow and custom rules configuration to CI.
  • Description check: Passed. The description provides a comprehensive summary of changes, detailed test plan with verification steps, and includes all required template sections.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/gitleaks.yml:
- Line 19: Replace the mutable tag reference "gitleaks/gitleaks-action@v2" with the action pinned to a specific commit SHA; locate the workflow step that currently references gitleaks/gitleaks-action (the string "gitleaks/gitleaks-action@v2") and change it to the corresponding immutable commit SHA (e.g., "gitleaks/gitleaks-action@<commit-sha>") so the CI uses a fixed action version consistent with the checkout step pinned to a SHA.
- Around line 20-24: The Gitleaks step is failing on forked pull requests because GITLEAKS_LICENSE (env) is unavailable for forks; update the .github/workflows/gitleaks.yml to avoid running gitleaks for forks by adding a conditional that detects fork PRs (e.g., check github.event.pull_request.head.repo.full_name vs github.repository or compare github.event.pull_request.head.repo.owner.login to github.repository_owner) and skip the gitleaks step when they differ, or alternatively change the workflow trigger to pull_request_target or run gitleaks from a separate workflow (workflow_run) after PR CI completes; ensure the change references the existing GITLEAKS_LICENSE env usage and the gitleaks-action invocation so the step no longer runs when license secrets are inaccessible.

In @.gitleaks.toml:
- Around line 6-10: The current gitleaks rule "lark-bot-app-id" uses regex '\bcli_[A-Za-z0-9]{6,}\b' which matches legitimate test fixtures and will block PRs; update the rule by either tightening the regex (for example require a longer minimum length or additional delimiter/format constraints beyond {6,} such as '\bcli_[A-Za-z0-9]{10,}\b' or include a specific prefix/suffix pattern) or add a rule-level allowlist to exclude test paths (e.g., exclude patterns matching *_test.go or test directories) so the "lark-bot-app-id" rule no longer flags existing test strings.

📥 Commits

Reviewing files that changed from the base of the PR and between c8341bb and 755f347.

📒 Files selected for processing (2)
  • .github/workflows/gitleaks.yml
  • .gitleaks.toml

@greptile-apps bot commented Mar 31, 2026

Greptile Summary

This PR adds a Gitleaks secret-scanning workflow (triggered on PRs to main, pushes to main, and manually) alongside a .gitleaks.toml that extends the default ruleset with two Lark-specific detectors. Both previously flagged concerns — unpinned action SHA and the overly-broad {6,} bot-ID regex — have been resolved in this revision; the action is now SHA-pinned and the regex uses an exact {16} quantifier that produces no false positives against any existing test fixture in the repository.

Confidence Score: 5/5

Safe to merge — no blocking issues remain; both prior review concerns have been addressed.

The action is SHA-pinned, permissions are minimal (contents: read), the fork-exclusion guard is correct, fetch-depth: 0 is correct for full-history scans, and the tightened regex ([a-z0-9]{16}) generates no false positives against any test string currently in the repository. All remaining considerations are P2 or lower.

No files require special attention.

Important Files Changed

  • .github/workflows/gitleaks.yml: New Gitleaks CI workflow with correct permissions, full-history checkout, SHA-pinned actions, fork-exclusion guard, and both PR and push-to-main triggers.
  • .gitleaks.toml: Custom Gitleaks config extending defaults with two Lark-specific rules; bot-app-id regex tightened to exactly 16 lowercase alphanumeric chars, avoiding false positives on all test fixtures in the repo.

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub
    participant Runner as Actions Runner
    participant GL as gitleaks-action

    Dev->>GH: Open PR targeting main
    GH->>Runner: Trigger gitleaks workflow (pull_request event)
    Runner->>Runner: Check: not a fork PR?
    Runner->>Runner: actions/checkout (fetch-depth: 0)
    Runner->>GL: Run gitleaks/gitleaks-action@SHA
    GL->>GL: Load .gitleaks.toml (extends default ruleset)
    GL->>GL: Scan all commits with lark-bot-app-id + lark-session-token rules
    alt Secret found
        GL->>GH: Fail check, block merge
    else No secrets
        GL->>GH: Pass check
    end

    Dev->>GH: Push to main (merge)
    GH->>Runner: Trigger gitleaks workflow (push event)
    Runner->>GL: Re-scan merged commits

Reviews (2): Last reviewed commit: "ci: add fork-safe gitleaks workflow"
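As an added example (not the PR's files, nor gitleaks project code), here is a small Python emulation of the two custom rules the CodeRabbit walkthrough describes, covering both that walkthrough and the earlier review comment (echoed in the Greptile summary) about the `{6,}` app-ID pattern flagging test fixtures: it applies each rule's keyword prefilter and regex per line, redacts what it finds, and counts app-ID hits under the loose pattern versus the tightened `{16}` one. The rule field names and the mapping of the page's "tags" to gitleaks keywords are assumptions, and the sample lines are constructed from the PR's test-plan fixtures.

```python
import re

# Added example, not the PR's own .gitleaks.toml: the two Lark-specific rules
# the CodeRabbit walkthrough describes, carried the way a gitleaks [[rules]]
# entry would (id, regex, keywords). "keywords" is gitleaks' cheap substring
# prefilter run before the regex; the "tags" named on the page are assumed to map to it.
RULES = [
    {"id": "lark-bot-app-id",
     "regex": re.compile(r"\bcli_[a-z0-9]{16}\b"),
     "keywords": ["cli_"]},
    {"id": "lark-session-token",
     "regex": re.compile(r"\bXN0YXJ0-[A-Za-z0-9_-]+-WVuZA\b"),
     "keywords": ["XN0YXJ0-", "-WVuZA"]},
]

# The broader app-ID pattern the first review flagged for matching fixtures.
LOOSE_APP_ID = re.compile(r"\bcli_[A-Za-z0-9]{6,}\b")

def redact(secret: str) -> str:
    """Keep the first 6 characters so a finding can be logged safely."""
    return secret[:6] + "*" * (len(secret) - 6)

def scan(text: str, rules=RULES) -> list:
    """Emulate gitleaks' per-line scan: skip lines lacking any keyword of a
    rule, then apply its regex. Returns one finding dict per match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule in rules:
            if not any(k in line for k in rule["keywords"]):
                continue
            for m in rule["regex"].finditer(line):
                findings.append({"rule": rule["id"], "line": lineno,
                                 "secret": redact(m.group(0))})
    return findings

# Constructed sample: the two fixtures from the PR's test plan plus a short
# fixture-style ID (constructed) of the kind the loose {6,} pattern would wrongly flag.
SAMPLE = """\
APP_ID = "cli_a94094xxxedf5xxx"
session = "XN0YXJ0-a8eo8xxx-xxxx-47e2-b21b-077c68019xxx-WVuZA"
test_id = "cli_test01"
"""

def loose_vs_tight(text: str) -> tuple:
    """App-ID hits under the {6,} pattern versus the tightened {16} rule."""
    loose = sum(len(LOOSE_APP_ID.findall(l)) for l in text.splitlines())
    tight = sum(1 for f in scan(text) if f["rule"] == "lark-bot-app-id")
    return loose, tight
```

Python's `re` and gitleaks' RE2 engine agree on these two patterns, but the emulation is for checking rule logic, not a substitute for running gitleaks itself.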

liangshuo-1 previously approved these changes Mar 31, 2026
@iyaozhen iyaozhen marked this pull request as draft March 31, 2026 16:47
@github-actions github-actions bot added the size/M Single-domain feat or fix with limited business impact label Apr 2, 2026
@yaozhen00 yaozhen00 marked this pull request as ready for review April 2, 2026 07:49
@yaozhen00 yaozhen00 merged commit 112dd5f into larksuite:main Apr 2, 2026
9 checks passed
@github-actions bot commented Apr 2, 2026

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@40aeec4678f42552c5cd9e7f838a9cef2c12138d

🧩 Skill update

npx skills add iyaozhen/cli#feature/ci -y -g
