
fix: add org baseline secret patterns to .gitignore #212

Open

don-petry wants to merge 23 commits into main from claude/issue-172-20260419-2033

Conversation

@don-petry don-petry (Collaborator) commented Apr 19, 2026

Summary

  • Copies the petry-projects org secrets baseline verbatim into .gitignore, adding the required *.pem and *.key patterns per the push-protection standard
  • Preserves repo-specific entries (node_modules/, coverage/, test-results/, playwright-report/) in a dedicated section at the top
  • Removes the standalone .env entry since it's already covered by the baseline's dotenv section

Closes #172

Test plan

  • Only .gitignore is changed — no code logic affected, no test failures expected
  • Verify *.pem and *.key patterns are present in the updated file
  • CI should pass (no source code changes)

Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enhanced repository security by strengthening protection against accidental commits of sensitive credentials, configuration files, and private keys.

Copies the petry-projects org secrets baseline verbatim into the repo,
adding the required *.pem and *.key patterns (and many others) per the
push-protection standard. Repo-specific entries (node_modules/, coverage/,
test-results/, playwright-report/) are preserved in a dedicated section at
the top. The standalone .env entry is removed since it's covered by the
baseline's dotenv section.

Closes #172

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 19, 2026 20:34

Copilot AI (Contributor) left a comment

Copilot wasn't able to review any files in this pull request.

@coderabbitai coderabbitai Bot commented Apr 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 553292b8-193f-4b5d-8ffb-e82d14bd5613

📥 Commits

Reviewing files that changed from the base of the PR and between 92719c9 and e9dcf17.

📒 Files selected for processing (1)
  • .gitignore

📝 Walkthrough

Updated .gitignore with a comprehensive secrets-only baseline section covering credential and key file patterns (dotenv variants, cloud provider credentials, SSH/TLS/GPG keys, database dumps, IDE credential caches), with negation rules to re-include safe artifacts like .env.example and *.pub files, plus agent worktree directories.

Changes

Cohort: Secrets and Credentials Baseline
File(s): .gitignore
Summary: Added 394 lines implementing a language-agnostic secrets-only baseline: patterns for environment variables, cloud provider credentials, SSH/TLS/GPG private keys, Terraform state, Kubernetes configs, Docker auth, database dumps, IDE/editor credential caches, and tooling credentials (npm, pip, etc.). Includes negation rules to re-include safe artifacts (.env.example, encrypted variants with *.enc.*/*.sops.*, public keys with *.pub) and agent/worktree directories (.claude/worktrees/, .worktrees/).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

  • Description Check (Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (Passed): The title accurately reflects the main change: adding organization baseline secret patterns to .gitignore file.
  • Linked Issues check (Passed): The PR directly addresses issue #172 by adding required baseline secret patterns (*.pem, *.key) to .gitignore as specified in the push-protection standard.
  • Out of Scope Changes check (Passed): All changes are scoped to .gitignore and directly address the compliance requirement; no unrelated modifications are present.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@don-petry don-petry (Collaborator, Author) commented

Self-review complete — no issues found. Only .gitignore is changed; all repo-specific entries are preserved and the full org baseline (including the required *.pem and *.key patterns) is copied verbatim.

@don-petry — this is ready for your review and merge. This resolves the recurring compliance finding in #172.

@github-actions github-actions Bot requested a review from a team as a code owner May 4, 2026 20:39
@don-petry don-petry closed this May 11, 2026
@don-petry don-petry reopened this May 11, 2026
@sonarqubecloud

@donpetry-bot donpetry-bot (Contributor) left a comment

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 5778a17776e1bc15905ada6637cdacc2e3720f48
Review mode: triage-approved (single reviewer)

Summary

A .gitignore-only change (+394 / -0) that copies the petry-projects org secrets baseline verbatim, satisfying the compliance finding in #172 (missing *.pem and *.key patterns). Repo-specific entries are preserved in a dedicated section at the top; the standalone .env entry is removed because it is now covered by the baseline's dotenv section.

Linked issue analysis

Issue #172 is a compliance-audit warning from the weekly audit: .gitignore is missing baseline secret patterns *.pem and *.key. The diff adds both patterns (section 4, SSH/TLS/GPG key material) along with the full org baseline. The remediation requested by the standard is satisfied verbatim.

Findings

No blocking issues. A few observations from a careful read:

  • Repo-specific entries preserved. node_modules/, coverage/, test-results/, playwright-report/ remain at the top of the file, ahead of the baseline section.
  • Negation ordering is correct. Re-include rules (!.env.example, !*.pub, !*.enc.yaml, !*.tfvars.example, !Pulumi.yaml, etc.) are placed immediately after the broad ignore patterns they carve out of, matching the ordering note in the baseline's preamble.
  • .env consolidation is intentional. The standalone .env line was removed because the new dotenv section covers .env and .env.* with explicit re-allows for .env.example/.sample/.template. No regression.
  • *.pem / *.key false-positive risk acknowledged. The baseline itself calls this out and recommends per-repo ! overrides for specific fixture files. No action needed here since this repo doesn't currently track any *.pem / *.key files.

CI status

All required checks green on the reviewed SHA:

  • CodeQL — Analyze (actions): SUCCESS
  • CodeQL — Analyze (javascript-typescript): SUCCESS
  • CodeQL — Analyze (python): SUCCESS
  • CodeQL (aggregate): SUCCESS
  • CodeRabbit: SUCCESS (no actionable comments)
  • SonarQube Cloud: Quality Gate passed (0 new issues, 0 hotspots)

Merge state is BLOCKED only because a review from petry-projects/org-leads is required; nothing in CI is failing.


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
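The review above leans on two properties of the change: the required *.pem and *.key patterns are present, and every re-include (!.env.example, !*.pub) sits after the broad ignore it carves out of, because git applies the last matching rule. The script below is an added example (not part of this PR or the org baseline) of how the weekly audit check could verify both properties on a .gitignore without invoking git; the sample .gitignore, the probe paths and their expected decisions are constructed for this illustration.

```python
import fnmatch
REQUIRED = ("*.pem", "*.key")  # the two patterns issue #172 reports missing

# Constructed sample in the order the review describes: repo-specific entries,
# then each broad baseline ignore with its re-include placed right after it.
GOOD = "\n".join([
    "node_modules/", "coverage/",
    ".env", ".env.*", "!.env.example",
    "*.pem", "*.key", "!*.pub",
])
# Same rules, but the re-include comes before the broad pattern it carves from.
BAD_ORDER = GOOD.replace(".env.*\n!.env.example", "!.env.example\n.env.*")

# Constructed probe paths with the decision the baseline should reach (True = ignored).
EXPECTED = {
    ".env": True, "config/.env.local": True, ".env.example": False,
    "certs/server.pem": True, "certs/server.key": True, "keys/id_ed25519.pub": False,
    "node_modules/left-pad/index.js": True, "src/app.js": False,
}

def parse_rules(text):
    """(pattern, negated) pairs in file order; blank lines and comments dropped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append((line[1:], True) if line.startswith("!") else (line, False))
    return rules

def is_ignored(rules, path):
    """Last matching rule wins, as in git; a matching '!' rule re-includes. Simplified:
    a slash-free pattern is tried against every component, so files under an ignored
    directory count as ignored too."""
    ignored, parts = False, path.split("/")
    for pat, negated in rules:
        pat = pat.rstrip("/")  # 'dir/' form: match the directory name itself
        if "/" in pat:
            hit = fnmatch.fnmatchcase(path, pat.lstrip("/"))  # anchored to repo root
        else:
            hit = any(fnmatch.fnmatchcase(p, pat) for p in parts)
        if hit:
            ignored = not negated
    return ignored

def audit_gitignore(text, required=REQUIRED, expected=EXPECTED):
    """Return audit findings; an empty list means the baseline check passes."""
    rules = parse_rules(text)
    present = {p for p, negated in rules if not negated}
    findings = [f"missing baseline pattern: {p}" for p in required if p not in present]
    for path, want in expected.items():
        if is_ignored(rules, path) != want:
            findings.append(f"{path}: expected ignored={want}, got {not want}")
    return findings
```

Running audit_gitignore on BAD_ORDER reports that .env.example ends up ignored, which is exactly the regression the reviewer's negation-ordering check guards against.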

@github-actions (Contributor)

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push


Development

Successfully merging this pull request may close these issues.

Compliance: gitignore_secrets_block
