Merged
18 changes: 18 additions & 0 deletions .github/workflows/security.yml
@@ -32,3 +32,21 @@ jobs:
# self-hosted infra; that's an unfixable architectural choice
# for this project, not a bug.
run: uvx --from zizmor==1.24.1 zizmor --persona pedantic --format github .github/workflows

gitleaks:
name: Gitleaks (secrets scan)
runs-on: self-hosted
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
# gitleaks scans the full git history for secrets; needs the
# repo's commit graph, not just the tip.
fetch-depth: 0
persist-credentials: false
- name: Run gitleaks
# Binary, not gitleaks-action — the action gates on a paid license for org repos.
run: |
curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v8.30.1/gitleaks_8.30.1_linux_x64.tar.gz" \
| tar xz -C /tmp gitleaks
/tmp/gitleaks detect --source . --no-banner
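Review bot: the `curl | tar` step at the end of the hunk installs the scanner without verifying what it downloaded. The URL is pinned to a version tag, but a tag can be moved and a release asset replaced, so the job runs whatever the release serves that day; pin the tarball's SHA-256 and check it before extracting, e.g. `echo "<sha256>  gitleaks.tar.gz" | sha256sum -c`, and add `--fail` to `curl` plus `set -o pipefail` so an HTTP error page is not handed to `tar`. On a self-hosted runner the fixed `/tmp/gitleaks` path is also shared between concurrent jobs on the same machine; `$RUNNER_TEMP` is per job. Finally, `gitleaks detect` prints the matched secret in its finding by default, which lands in the Actions log; add `--redact` so a true positive is not copied into a second place.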
5 changes: 5 additions & 0 deletions .pre-commit-config.yaml
@@ -1,4 +1,9 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: 83d9cd684c87d95d656c1458ef04895a7f1cbd8e # v8.30.1
hooks:
- id: gitleaks

- repo: https://github.com/pycqa/isort
rev: 8.0.1
hooks:
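Review bot: pinning `rev` to a commit SHA with the tag as a comment is the right shape, but the same version now lives in two places in two forms (this SHA, and the `v8.30.1` tag baked into the download URL in `.github/workflows/security.yml`) with nothing tying them together. Add a comment here or in the workflow saying the two are meant to match, so a future bump updates both and the local hook and the CI job keep enforcing the same rule set.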
2 changes: 1 addition & 1 deletion AGENTS.md
Expand Up @@ -514,7 +514,7 @@ uv run scripts/dev/compile_protos.sh # Regenerate proto stubs (only when proto
uv run pre-commit run --all-files
```

Hooks: isort, black, ruff, codespell, mypy, sync_requirements,
Hooks: gitleaks, isort, black, ruff, codespell, mypy, sync_requirements,
check_env_examples (via `scripts/dev/check_env_examples.py`).

### Tests
3 changes: 2 additions & 1 deletion CONTRIBUTING.md
Expand Up @@ -51,7 +51,7 @@ uv run pre-commit install --install-hooks -t pre-commit -t prepare-commit-msg -t
```

This installs three hook stages:
- **pre-commit** — runs isort, black, ruff, mypy, and codespell on staged files.
- **pre-commit** — runs gitleaks, isort, black, ruff, mypy, and codespell on staged files.
- **prepare-commit-msg** — automatically appends a
[DCO sign-off](#signing-off-commits-dco) line to your commit message.
- **commit-msg** — verifies the sign-off is present (safety net).
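Review bot: the pre-commit bullet lists gitleaks alongside the formatters, but it behaves differently from them and the text should say so: it is a blocking check with no auto-fix, and when it fires the right response is to remove the value from the staged change and treat the credential as exposed and rotate it. It is also worth stating that the hook only sees staged content, and that anything committed around it with `--no-verify` is caught by the `gitleaks` job in `security.yml`, which checks out with `fetch-depth: 0` and scans the full history.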
@@ -60,6 +60,7 @@ This installs three hook stages:

| Tool | Purpose | Config |
|------|---------|--------|
| [gitleaks](https://github.com/gitleaks/gitleaks) | Committed-secret detection | - |
| [isort](https://pycqa.github.io/isort/) | Import sorting | `pyproject.toml` `[tool.isort]` |
| [Black](https://black.readthedocs.io/) | Code formatting | `pyproject.toml` `[tool.black]` |
| [Ruff](https://docs.astral.sh/ruff/) | Linting | `pyproject.toml` `[tool.ruff]` |
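Review bot: the `-` in the Config column of the new gitleaks row is accurate today, but it leaves contributors with no place to put an allowlist when the scanner reports a false positive (test fixtures, example keys in docs). Name the file the tool reads by default, `.gitleaks.toml` at the repository root, so the first such finding gets a reviewed allowlist entry in a known location rather than an ad hoc `--no-verify`.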