agent-orchestrator/.github
harshitsinghbhandari 1b5c0decc5
ci(gitleaks): allowlist historical false-positive commits from rewrite graft
The gitleaks job scans full git history on push to main (gitleaks-action
v1.6.0 runs `gitleaks --path` with no commit filter on push events). The
ReverbCode rewrite graft (#2166) carried 279 commits of prior history, 10 of
which trip 42 findings: example secret-patterns in security docs and
secret-redaction test fixtures. All offending files are already deleted from
the tree, so PRs pass (they scan only their own diff) but every push to main
re-scans history and fails indefinitely.

Add `.github/.gitleaks.toml` (the action's default config-path) carrying the
full gitleaks v7.4.0 default ruleset plus a commit allowlist for the 10
historical commits. Detection on new code is unchanged; only these specific
historical commits are skipped.

Verified with gitleaks v7.4.0: full-history scan goes 42 leaks -> 0.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 20:22:56 +05:30
..
workflows fix(desktop): package Windows via NSIS instead of Squirrel (#403) 2026-06-23 20:44:30 +05:30
.gitleaks.toml ci(gitleaks): allowlist historical false-positive commits from rewrite graft 2026-06-24 20:22:56 +05:30