The gitleaks job scans full git history on push to main (gitleaks-action v1.6.0 runs `gitleaks --path` with no commit filter on push events). The ReverbCode rewrite graft (#2166) carried 279 commits of prior history, 10 of which trip 42 findings: example secret-patterns in security docs and secret-redaction test fixtures. All offending files are already deleted from the tree, so PRs pass (they scan only their own diff) but every push to main re-scans history and fails indefinitely. Add `.github/.gitleaks.toml` (the action's default config-path) carrying the full gitleaks v7.4.0 default ruleset plus a commit allowlist for the 10 historical commits. Detection on new code is unchanged; only these specific historical commits are skipped. Verified with gitleaks v7.4.0: full-history scan goes 42 leaks -> 0. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| workflows | ||
| .gitleaks.toml | ||