Fix gitleaks license gate and macOS test TMPDIR in CI #312

Merged: TeoSlayer merged 1 commit into main from ci/fix-security-gitleaks-macos-tmpdir on Jun 22, 2026
Conversation

@TeoSlayer

Collaborator

Fixes two CI failures on main.

1. security.yml — gitleaks "missing gitleaks license"

The gitleaks job used gitleaks/gitleaks-action@v2, which requires a paid GITLEAKS_LICENSE secret for organization repos and fails on push to main with missing gitleaks license.

Replaced it with the MIT-licensed, version-pinned gitleaks binary (v8.30.1), matching the already-green pattern in pilot-protocol/rendezvous and pilot-protocol/common:

  • before: uses: gitleaks/gitleaks-action@v2
  • after: download the pinned binary, then gitleaks git --no-banner --redact --verbose .

Same scan, no license gate. The existing .gitleaks.toml allowlist is read by default. Verified locally: full-history scan of this repo reports no leaks found and exits 0; gitleaks git exits non-zero on real findings.

2. ci.yml — macOS test step TempDir: permission denied

The macOS matrix job ("Go (macos-latest)", step "Test (pkg + cmd + internal, -short)") failed with many TempDir: mkdir /Users/runner/work/_temp/...: permission denied errors — the recurring GitHub macOS-runner temp-permission issue (a pre-existing failure, also seen on #304/#306/#308). The step pointed TMPDIR straight at ${{ runner.temp }}, which is the offending directory.

Fix (macOS only; ubuntu unchanged): create a fresh world-writable subdir under $RUNNER_TEMP and export TMPDIR to it so t.TempDir() always has a writable base:

if [ "${RUNNER_OS}" = "macOS" ]; then
  GOTMP="${RUNNER_TEMP}/gotmp"; mkdir -p "${GOTMP}"; chmod 777 "${GOTMP}"
  export TMPDIR="${GOTMP}"
else
  export TMPDIR="${RUNNER_TEMP}"
fi

No tests skipped or deleted; ubuntu job untouched.
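The TMPDIR selection described above, rewritten as a stand-alone POSIX shell function with a writability probe that lets a workflow step fail fast with one clear message instead of dozens of TempDir errors. This is an added example, not the PR's own ci.yml step; the function names select_go_tmpdir and check_tmpdir_writable, and the fallback sample values used when the runner variables are unset, are assumptions.

```shell
#!/bin/sh
# Added example (not the PR's ci.yml step): the PR's TMPDIR selection as a
# function, plus a probe that confirms the chosen directory accepts new
# files, which is what Go's t.TempDir() needs (it mkdirs under $TMPDIR).
#
# Usage: select_go_tmpdir <RUNNER_OS> <RUNNER_TEMP>  -> prints chosen dir

select_go_tmpdir() {
  runner_os="$1"
  runner_temp="$2"
  if [ "${runner_os}" = "macOS" ]; then
    # macOS: fresh world-writable subdir under RUNNER_TEMP (the PR's fix)
    gotmp="${runner_temp}/gotmp"
    mkdir -p "${gotmp}" && chmod 777 "${gotmp}" || return 1
    printf '%s\n' "${gotmp}"
  else
    # ubuntu: RUNNER_TEMP itself is fine, keep the default
    printf '%s\n' "${runner_temp}"
  fi
}

# Returns 0 if a new file can be created in the directory, 1 otherwise.
check_tmpdir_writable() {
  probe="$1/.tmpdir-probe.$$"
  if touch "${probe}" 2>/dev/null; then
    rm -f "${probe}"
    return 0
  fi
  echo "TMPDIR ${1} is not writable" >&2
  return 1
}

# Stand-alone usage mirroring the workflow step. Outside a GitHub runner
# the variables are unset, so constructed sample values are used instead.
RUNNER_OS="${RUNNER_OS:-Linux}"
RUNNER_TEMP="${RUNNER_TEMP:-$(mktemp -d)}"
TMPDIR="$(select_go_tmpdir "${RUNNER_OS}" "${RUNNER_TEMP}")" || exit 1
export TMPDIR
check_tmpdir_writable "${TMPDIR}" || exit 1
echo "TMPDIR=${TMPDIR}"
```

In a workflow, running the probe right after the export turns the intermittent macOS permission problem into a single failed step with the offending path in the log, rather than a wall of unrelated-looking test failures.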

security.yml: replace gitleaks/gitleaks-action@v2 (requires a paid
GITLEAKS_LICENSE secret for org repos, fails with 'missing gitleaks
license') with the MIT-licensed pinned gitleaks binary, matching the
rendezvous/common pattern. Scans full history, reads .gitleaks.toml.

ci.yml: macOS runners intermittently hand out a RUNNER_TEMP whose
permissions break t.TempDir() with 'permission denied'. Create a
world-writable subdir under RUNNER_TEMP and point TMPDIR at it on
macOS; ubuntu keeps the default.
@TeoSlayer TeoSlayer force-pushed the ci/fix-security-gitleaks-macos-tmpdir branch from 137b3c0 to cbf8f31 on June 22, 2026 14:17
@TeoSlayer TeoSlayer merged commit a0c73e8 into main Jun 22, 2026
13 checks passed

2 participants