feat(seed): seed .gitleaks.toml into repo template from standards/gitleaks.toml (#575)#1014

Merged
don-petry merged 17 commits into main from feat/seed-gitleaks-toml-575 on Jul 3, 2026
Conversation

@don-petry

@don-petry don-petry commented Jul 2, 2026

Collaborator

Summary

Seeds a .gitleaks.toml at the root of every repo created from repo-template, sourced verbatim from petry-projects/.github standards/gitleaks.toml. Companion to petry-projects/.github#578 — that PR adds the secret-scan job to the template ci.yml, which runs gitleaks detect --config .gitleaks.toml and fails file-not-found without this config. Land them together.

Changes

  • BASELINE_MANIFEST — add .gitleaks.toml|fetch:standards/gitleaks.toml.
  • _emit_baseline — generalize the fetch source: bare fetch stays the Dependabot stack special case; new fetch:<standards-path> fetches that path verbatim (the form the manifest header already documented but wasn't implemented). Unknown sources now fail loud.
  • Tests — verbatim-fetch + fail-loud (empty-gh stub blocks the network fallback) for .gitleaks.toml; added to the baseline-set list; fixture provisioned + cross-repo write asserted in the seeding e2e. 28/28 seed bats pass, shellcheck --severity=warning -x clean.

Verified

Real emit against the live standards/gitleaks.toml is byte-identical:

```
$ STANDARDS_DIR=…/.github seed-repo-template.sh --emit-baseline .gitleaks.toml
title = "gitleaks config"
…
[allowlist]
paths = [ '''_bmad/''' ]
→ VERBATIM (byte-identical)
```

Part of #575 (folded-in from closed #1001). Epic #964.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added support for seeding and verifying a .gitleaks.toml baseline file from the standard template source.
    • Expanded baseline fetching to support general standard-path imports.
  • Bug Fixes

    • Improved validation and error messages when a standard file path is missing or cannot be fetched.
    • Included .gitleaks.toml in template drift checks to surface template differences consistently.
  • Tests

    • Updated baseline listing, fetching, missing-file failure handling, and seeding flow assertions to cover .gitleaks.toml.

…/gitleaks.toml (#575)

The template ci.yml's secret-scan job runs `gitleaks detect --config .gitleaks.toml`
(push-protection.md), which fails file-not-found unless every repo ships a
.gitleaks.toml at root. Seed it as a baseline file so day-0 repos are green.

- BASELINE_MANIFEST: add `.gitleaks.toml|fetch:standards/gitleaks.toml`.
- _emit_baseline: generalize the fetch source — bare `fetch` stays the Dependabot
  stack special case; new `fetch:<standards-path>` fetches that path verbatim
  (the form the manifest header already documented). Unknown sources fail loud.
- Tests: verbatim-fetch + fail-loud for .gitleaks.toml; add it to the baseline-set
  list; provision the fixture + assert the cross-repo write in the seeding e2e.
  28/28 seed bats pass; shellcheck --severity=warning -x clean.

Companion to petry-projects/.github#578 (adds the secret-scan job to the template
ci.yml). Land together so a seeded repo has both the job and its config.

Part of #575 (folded-in from closed #1001). Epic #964.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@don-petry don-petry requested a review from a team as a code owner July 2, 2026 14:47
Copilot AI review requested due to automatic review settings July 2, 2026 14:47

@coderabbitai

coderabbitai Bot commented Jul 2, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f34604f8-7fc7-4c19-847f-784d59a756ee

📥 Commits

Reviewing files that changed from the base of the PR and between fac695a and 03df43c.

📒 Files selected for processing (1)
  • tests/template_stub_drift.bats

Walkthrough

Adds .gitleaks.toml as a fetched baseline from the standards repo, extends baseline emission to accept fetch:<standards-path>, includes the file in drift coverage, and updates shell tests for listing, emission, failure, and seeding behavior.

Changes

Gitleaks Baseline Fetch Support

  • Baseline manifest and fetch logic (scripts/seed-repo-template.sh): Adds a .gitleaks.toml entry using fetch:standards/gitleaks.toml to BASELINE_MANIFEST, and extends _emit_baseline to support gen, fetch (Dependabot stack), and the new fetch:<standards-path> source modes with path validation and updated error messages.
  • Drift guard coverage (scripts/template_stub_drift.sh): Adds .gitleaks.toml to TEMPLATE_DRIFT_FILES so it participates in drift comparison and reporting.
  • Test coverage for new baseline (tests/test_seed_repo_template.bats, tests/template_stub_drift.bats): Updates --list-baseline expectations, adds emission/failure tests for .gitleaks.toml, updates seeding orchestration tests to include gitleaks.toml fixtures and assert contents/.gitleaks.toml PUT calls, and checks that the drift manifest output includes .gitleaks.toml.

Estimated code review effort: 2 (Simple) | ~12 minutes

Possibly related PRs

  • petry-projects/.github-private#980: Both PRs extend scripts/seed-repo-template.sh and tests/test_seed_repo_template.bats around the same baseline-seeding path and emission tests.
Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning)

  • Linked Issues check: Warning. The PR does not update .github/rulesets/code-quality.json to require Secret scan (gitleaks) and coverage, so the linked issue's main requirement is unmet. Resolution: add the two required status-check contexts to .github/rulesets/code-quality.json and ensure the companion template jobs emit those checks before enforcing them.

Passed checks (4 passed)

  • Description Check: Passed. Check skipped, since CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title is concise and accurately describes seeding .gitleaks.toml from the standards repo.
  • Out of Scope Changes check: Passed. All changes support seeding and validating .gitleaks.toml; no unrelated code paths or features appear in the patch.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; skipping the docstring coverage check.

@don-petry

Collaborator Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 14:48

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request adds support for fetching baseline files verbatim from a specified path in the standards repository (such as .gitleaks.toml), alongside the existing inline generation and Dependabot-specific fetching. Corresponding tests have been added to verify this behavior and ensure loud failures when the target standards file is missing. Feedback was provided to refactor _emit_baseline to eliminate duplicated fetching and validation logic, and to defensively guard against empty paths in the fetch:<standards-path> format.

@don-petry don-petry disabled auto-merge July 2, 2026 14:48
@don-petry

Collaborator Author

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning
- **0.0% Duplication** (no redundant code detected)
**CI checks:** All 34+ checks passing or skipped (no failures, timeouts, or blockers)
**Reviews:** 
- `gemini-code-assist[bot]` provided a **COMMENTED** review (not blocking) with code improvement suggestions about refactoring `_emit_baseline` to eliminate duplication
- No `CHANGES_REQUESTED` or blocking reviews
**Conclusion:** Zero Tier 1 blockers exist. The PR is clean from both security and quality perspectives.
---
**Issues addressed:** 0  
**Files changed:** None  
**Skipped (informational feedback):** 1 (gemini-code-assist refactoring suggestion — not blocking, SonarCloud found no issues)

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 14:49

Copilot AI left a comment

Contributor


Pull request overview

This PR extends the repo-template seeding script so it can seed a root .gitleaks.toml into petry-projects/repo-template, fetched verbatim from petry-projects/.github standards/gitleaks.toml. This supports the companion template CI change that runs gitleaks detect --config .gitleaks.toml and would otherwise fail with file-not-found.

Changes:

  • Add .gitleaks.toml to the baseline manifest so it is seeded into the template repo.
  • Implement fetch:<standards-path> baseline sources (in addition to the existing bare fetch Dependabot special case) and fail loud on unknown sources.
  • Add Bats coverage to ensure .gitleaks.toml is listed, emitted from fixtures, fails loud when absent, and is written via contents API in the seed e2e.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

  • scripts/seed-repo-template.sh: Adds .gitleaks.toml to the seeded baseline and generalizes baseline fetching to support fetch:<path>.
  • tests/test_seed_repo_template.bats: Adds unit/e2e tests for .gitleaks.toml baseline emission, fail-loud behavior, and cross-repo write coverage.

donpetry-bot previously approved these changes Jul 2, 2026

@donpetry-bot donpetry-bot left a comment

Contributor


Automated review — APPROVED ✓

Risk: MEDIUM
Reviewed commit: 5d13720b2b8aaaf2321b8b3ce2f49f4c9a8cd61d
Review mode: triage-approved (single reviewer)

Summary

Seeds .gitleaks.toml into repo-template via a new fetch: baseline source. Implementation is correct and fail-loud; paths come from a hardcoded readonly manifest (no injection surface). Tests cover verbatim fetch, fail-loud, listing, and the e2e cross-repo write. All quality gates green. Triage low-risk assessment confirmed at MEDIUM (non-trivial shell logic in an Actions-executed script), within auto-approve bounds.

Linked issue analysis

No formal closing reference. PR is part of the closed template-repo epic #964 (one-click compliant new repos) and companion to petry-projects/.github#578, which adds the secret-scan job that requires this config (fails file-not-found without it). Folded in from closed #1001 (gitleaks required check). The stated purpose — seed the gitleaks config so day-0 repos pass the secret-scan job — is substantively delivered, with a byte-identical emit against the live standards/gitleaks.toml verified in the PR description.

Findings

No blocking findings.

  • Correctness: _emit_baseline now handles three sources — gen, bare fetch (Dependabot special case, preserved), and fetch:<standards-path> (new, verbatim). Unknown sources fail loud with return 2. The new branch mirrors the existing fetch/validate/print pattern. std_path values originate from the readonly BASELINE_MANIFEST, so no injection surface.
  • Non-blocking (carried from bot threads, no human engagement):
    1. gemini: fetch/validate/print logic duplicated between the two fetch branches — reasonable refactor, not required (dev-lead already dispositioned as informational).
    2. copilot: a malformed fetch: (empty path) manifest row would emit a confusing "could not fetch from …" error (return 1) instead of an unknown-source error (return 2). Cannot occur with the current manifest; cosmetic hardening only.
    3. copilot: .gitleaks.toml is not in TEMPLATE_DRIFT_FILES (scripts/template_stub_drift.sh). Verified: the drift guard covers only 3 of 11 baseline files by pre-existing design (AGENTS.md, LICENSE, README.md etc. are also excluded), so this is consistent with the existing pattern, not a regression. Worth a follow-up if drift coverage is expanded.
  • Secret scan: run_secret_scanning MCP tool unavailable in this run; the gitleaks CI check on the PR passed. Diff contains no secret-like content (config plumbing + test fixtures only).

CI status

All quality gates green: Lint, ShellCheck (x2), bats (28/28 seed tests), unit-tests, CodeQL (actions + python), SonarCloud quality gate (0 new issues, 0 hotspots), Secret scan (gitleaks), Agent Security Scan, template-drift, holdout-guard, test-deletion guard, gh-aw-compile, validate-agent-profiles. Two CANCELLED dev-lead check runs (dispatch, ci-relay) are superseded agent-orchestration runs, not quality gates — an earlier identical dispatch run succeeded and the dev-lead agent posted no-changes results. mergeStateStatus is BEHIND main; auto-rebase applies.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

@don-petry don-petry disabled auto-merge July 2, 2026 15:43
@don-petry

Collaborator Author

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning
- Copilot: COMMENTED (informational overview, no blockers)
- donpetry-bot: APPROVED (triage review confirmed, risk MEDIUM within auto-approve bounds)
- Gemini: COMMENTED (non-blocking suggestions for refactoring fetch logic, marked as informational)
---
## Summary
**Bot:** SonarCloud (passed)  
**Issues addressed:** 0  
**Tier 1 blockers:** 0  
**Status:** ✅ Quality Gate PASSED — **no action required**
The PR is in good state. All quality gates are green, CI is passing, and the automated review has approved. The non-blocking comments from Copilot and Gemini mention cosmetic refactoring opportunities (deduplicating fetch/validate logic, defensive empty-path checks) which are dispositioned as "informational" per the existing review thread — these are not required for merge and remain within the discretion of maintainers doing future cleanup.

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 15:44
@don-petry don-petry disabled auto-merge July 2, 2026 16:34
@don-petry

Collaborator Author

Note

@don-petry I received your request but all AI engines are currently rate-limited. I'll retry automatically once the rate limit clears.
Rate limit resets at: unknown

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 16:45
@don-petry don-petry disabled auto-merge July 2, 2026 18:02
@don-petry

Collaborator Author

Dev-Lead — rate-limited (intent: review-changes)

PR: #1014
The retry cron will re-attempt automatically.

@don-petry don-petry enabled auto-merge (squash) July 2, 2026 18:09
@don-petry don-petry disabled auto-merge July 2, 2026 19:48
@don-petry

Collaborator Author

Dev-Lead — review-changes (applied)

Changes committed and pushed.

@don-petry don-petry disabled auto-merge July 3, 2026 13:38
@don-petry

Collaborator Author

Dev-Lead — waiting on PR blockers (intent: review-changes)

PR: #1014
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-07-03T14:10:46Z

@don-petry

Collaborator Author

Note

@don-petry I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically.
Next attempt after: 2026-07-03T14:10:46Z

@don-petry don-petry enabled auto-merge (squash) July 3, 2026 13:40
@don-petry don-petry disabled auto-merge July 3, 2026 14:29
@don-petry

Collaborator Author

Dev-Lead — review-changes (applied)

Changes committed and pushed.

@don-petry don-petry dismissed stale reviews from coderabbitai[bot] and donpetry-bot via 80c2bcb July 3, 2026 14:34
@don-petry don-petry enabled auto-merge (squash) July 3, 2026 14:34
@don-petry don-petry disabled auto-merge July 3, 2026 14:38
@don-petry

Collaborator Author

Dev-Lead — waiting on PR blockers (intent: review-changes)

PR: #1014
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-07-03T15:11:14Z

@don-petry

Collaborator Author

Note

@don-petry I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically.
Next attempt after: 2026-07-03T15:11:14Z

@don-petry don-petry enabled auto-merge (squash) July 3, 2026 14:41
donpetry-bot previously approved these changes Jul 3, 2026

@donpetry-bot donpetry-bot left a comment

Contributor


Automated review — APPROVED ✓

Risk: MEDIUM
Reviewed commit: 80c2bcb5f61e119ed6ba0f306cb66c7da5a4c774
Review mode: triage-approved (single reviewer)

Summary

Seeds .gitleaks.toml as a repo-template baseline file (fetched verbatim from standards/gitleaks.toml) and generalizes _emit_baseline to support fetch: sources with fail-loud handling for empty/unknown sources. Companion to petry-projects/.github#578 whose secret-scan job requires this config. Well-tested (verbatim fetch, fail-loud, e2e seeding, drift-guard coverage), all CI green.

Linked issue analysis

No closing issue linked. PR is part of the repo-template initiative (epic #964, related to petry-projects/.github#575) and is a companion to petry-projects/.github#578, which adds the secret-scan CI job that fails file-not-found without this config. The PR substantively delivers its stated scope: manifest entry, generalized fetch source, drift-guard coverage, and tests.

Findings

  • No security issues: the fetch path comes from the readonly hardcoded BASELINE_MANIFEST (no user-controlled input); unknown sources and empty fetch: paths fail loud (return 2), empty fetched content fails (return 1).
  • Prior bot findings all addressed: gemini duplication comment (resolved), Copilot empty-fetch-path comment (resolved — explicit empty-path guard added), Copilot drift-guard gap (thread not marked resolved on GitHub, but verifiably fixed at the reviewed head: .gitleaks.toml added to TEMPLATE_DRIFT_FILES in scripts/template_stub_drift.sh plus a covered-set test assertion in tests/template_stub_drift.bats).
  • Secret-scan MCP tool unavailable in this run; the gitleaks CI check passed on this head.
  • Branch is BEHIND base but MERGEABLE; auto-rebase automation applies.

CI status

All checks green: shellcheck, ShellCheck, bats, unit-tests, Lint, template-drift, holdout-guard, guard, Secret scan (gitleaks), CodeQL (actions + python), SonarCloud, Agent Security Scan, agent-shield, gh-aw-compile, validate-agent-profiles, CodeRabbit. Dependency-audit jobs skipped (no matching ecosystems). The cancelled/in-progress 'review / review' entries are this review workflow itself.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
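The three-way source dispatch and the fail-loud return codes that the reviews above describe, as an added bash illustration that is not the project's scripts/seed-repo-template.sh. Only the .gitleaks.toml manifest row is taken from the PR; the other two manifest rows, the helper names, the Dependabot-stack path and the local-only STANDARDS_DIR fetch (no network fallback) are assumptions.

```bash
#!/usr/bin/env bash
# Added illustration, not the project's seed-repo-template.sh: a minimal
# _emit_baseline-style dispatcher over a "<target>|<source>" manifest.
set -u

# Constructed manifest in the shape the PR describes. Only the .gitleaks.toml
# row is from the PR; the other two rows are assumptions for the example.
#   gen                      inline-generated content
#   fetch                    bare fetch: the Dependabot-stack special case
#   fetch:<standards-path>   copy that path verbatim from $STANDARDS_DIR
readonly BASELINE_MANIFEST='.gitleaks.toml|fetch:standards/gitleaks.toml
.github/dependabot.yml|fetch
CODEOWNERS|gen'

# Return codes matching the split the reviews describe: malformed or unknown
# source rows -> 2, a fetch that yields nothing -> 1.
readonly RC_FETCH_FAILED=1
readonly RC_BAD_SOURCE=2

_manifest_source() {
  # Print the source column for a target path; empty if the row is absent.
  printf '%s\n' "$BASELINE_MANIFEST" |
    awk -F'|' -v t="$1" '$1 == t { print $2; exit }'
}

_fetch_standards_path() {
  # Verbatim copy of one file under STANDARDS_DIR (local-only here; the real
  # script's network fallback is omitted). A missing or empty file fails loud
  # so an empty .gitleaks.toml is never written into the template.
  local rel="$1" abs
  if [ -z "${STANDARDS_DIR:-}" ]; then
    echo "error: STANDARDS_DIR is not set" >&2
    return "$RC_FETCH_FAILED"
  fi
  abs="${STANDARDS_DIR}/${rel}"
  if [ ! -s "$abs" ]; then
    echo "error: could not fetch from ${rel} (missing or empty)" >&2
    return "$RC_FETCH_FAILED"
  fi
  cat "$abs"
}

_emit_from_source() {
  # Dispatch one manifest row: $1 = target path, $2 = source column.
  local target="$1" source="$2"
  case "$source" in
    gen)
      # Inline generation; placeholder content for the illustration.
      printf '# generated baseline for %s\n' "$target" ;;
    fetch)
      # Bare fetch keeps its historical meaning: the Dependabot stack
      # (the standards path used here is an assumption).
      _fetch_standards_path "standards/dependabot.yml" ;;
    fetch:)
      # "fetch:" with nothing after the colon is a malformed row, not a
      # failed fetch, so it reports as an unknown-source error (return 2).
      echo "error: empty fetch path for ${target}" >&2
      return "$RC_BAD_SOURCE" ;;
    fetch:*)
      _fetch_standards_path "${source#fetch:}" ;;
    *)
      # Unknown (or missing) source: fail loud instead of silently falling
      # through to the Dependabot fetch.
      echo "error: unknown baseline source '${source}' for ${target}" >&2
      return "$RC_BAD_SOURCE" ;;
  esac
}

emit_baseline() {
  # Entry point: look the target up in the manifest and emit its content.
  _emit_from_source "$1" "$(_manifest_source "$1")"
}
```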

@sonarqubecloud

sonarqubecloud Bot commented Jul 3, 2026


@don-petry don-petry disabled auto-merge July 3, 2026 14:46
@don-petry

Collaborator Author

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning
Issues addressed: 0
- Quality Gate passed with 0 new issues, 0 security hotspots — no action needed
Files changed: (none)
Skipped (informational): 0
The PR is ready to merge from a code quality perspective.

@don-petry don-petry enabled auto-merge (squash) July 3, 2026 14:47

@donpetry-bot donpetry-bot left a comment

Contributor


Automated review — APPROVED ✓

Risk: MEDIUM
Reviewed commit: 80c2bcb5f61e119ed6ba0f306cb66c7da5a4c774
Review mode: triage-approved (single reviewer)

Summary

Adds .gitleaks.toml to the repo-template baseline set, fetched verbatim from the canonical standards/gitleaks.toml in petry-projects/.github. Generalizes _emit_baseline to support the documented fetch: source form with fail-loud handling for empty paths and unknown sources (previously an unknown source silently fell through to the Dependabot fetch). Adds the file to the template drift guard (TEMPLATE_DRIFT_FILES) and covers everything with bats tests (verbatim fetch, fail-loud on missing standards file, baseline-set listing, seeding e2e). Companion to petry-projects/.github#578, which adds the secret-scan CI job that requires this config.

Linked issue analysis

No formal closing issue (PR is 'Part of' the secret-scan/required-check work under epic #964, companion to petry-projects/.github#578). The PR's stated purpose — seed the gitleaks config so the companion secret-scan job does not fail file-not-found — is substantively delivered by the diff, including drift protection against manual edits in repo-template.

Findings

  • No blocking findings.
  • Security note: the seeded .gitleaks.toml is copied verbatim from the canonical standards source (not authored here); no scanner rules or allowlists are modified in this PR, and the drift guard now fails CI on any manual edit of the seeded copy. Error paths fail loud rather than emitting empty/wrong content — a robustness improvement over the prior silent Dependabot fallthrough.
  • One formally-unresolved Copilot review thread (drift-guard coverage for .gitleaks.toml) is substantively fixed at the reviewed head: entry added at scripts/template_stub_drift.sh:55 plus an explicit assertion in tests/template_stub_drift.bats, with owner replies confirming. Bot threads cannot self-resolve; treating as addressed.
  • MCP secret-scanning tool not available in this run; the gitleaks CI check on the PR passed, and the diff contains no secret-like content (shell logic and inert test fixtures only).

CI status

All required checks green at the reviewed head: shellcheck/ShellCheck, bats unit-tests, template-drift, Secret scan (gitleaks), CodeQL (actions + python), SonarCloud quality gate passed (0 new issues), agent-shield, holdout-guard, lint, gh-aw-compile. One CANCELLED 'review / review' run is a superseded duplicate (latest completed run succeeded; the in-progress one is this review). mergeStateStatus is BEHIND main — needs a rebase/update before merge but not a review blocker.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

@donpetry-bot donpetry-bot dismissed their stale review July 3, 2026 14:47

Superseded by automated re-review at 80c2bcb.

@don-petry don-petry disabled auto-merge July 3, 2026 14:47
@don-petry

Collaborator Author

Dev-Lead — waiting on PR blockers (intent: fix-reviews)

PR: #1014
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-07-03T15:20:28Z

@don-petry don-petry merged commit a5863ac into main Jul 3, 2026
38 of 43 checks passed
@don-petry don-petry deleted the feat/seed-gitleaks-toml-575 branch July 3, 2026 14:50