feat(seed): seed .gitleaks.toml into repo template from standards/gitleaks.toml (#575)#1014
…/gitleaks.toml (#575)

The template ci.yml's secret-scan job runs `gitleaks detect --config .gitleaks.toml` (push-protection.md), which fails file-not-found unless every repo ships a .gitleaks.toml at root. Seed it as a baseline file so day-0 repos are green.

- BASELINE_MANIFEST: add `.gitleaks.toml|fetch:standards/gitleaks.toml`.
- _emit_baseline: generalize the fetch source — bare `fetch` stays the Dependabot stack special case; new `fetch:<standards-path>` fetches that path verbatim (the form the manifest header already documented). Unknown sources fail loud.
- Tests: verbatim-fetch + fail-loud for .gitleaks.toml; add it to the baseline-set list; provision the fixture + assert the cross-repo write in the seeding e2e.

28/28 seed bats pass; shellcheck --severity=warning -x clean.

Companion to petry-projects/.github#578 (adds the secret-scan job to the template ci.yml). Land together so a seeded repo has both the job and its config.

Part of #575 (folded-in from closed #1001). Epic #964.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Dev-Lead — review-changes (no-changes): No changes were needed for this PR.
Code Review
This pull request adds support for fetching baseline files verbatim from a specified path in the standards repository (such as .gitleaks.toml), alongside the existing inline generation and Dependabot-specific fetching. Corresponding tests have been added to verify this behavior and ensure loud failures when the target standards file is missing. Feedback was provided to refactor _emit_baseline to eliminate duplicated fetching and validation logic, and to defensively guard against empty paths in the fetch:<standards-path> format.
Dev-Lead — fix-bot-comment (no-changes)
Pull request overview
This PR extends the repo-template seeding script so it can seed a root .gitleaks.toml into petry-projects/repo-template, fetched verbatim from petry-projects/.github standards/gitleaks.toml. This supports the companion template CI change that runs gitleaks detect --config .gitleaks.toml and would otherwise fail with file-not-found.
Changes:
- Add `.gitleaks.toml` to the baseline manifest so it is seeded into the template repo.
- Implement `fetch:<standards-path>` baseline sources (in addition to the existing bare `fetch` Dependabot special case) and fail loud on unknown sources.
- Add Bats coverage to ensure `.gitleaks.toml` is listed, emitted from fixtures, fails loud when absent, and is written via contents API in the seed e2e.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| scripts/seed-repo-template.sh | Adds .gitleaks.toml to the seeded baseline and generalizes baseline fetching to support fetch:<path>. |
| tests/test_seed_repo_template.bats | Adds unit/e2e tests for .gitleaks.toml baseline emission, fail-loud behavior, and cross-repo write coverage. |
donpetry-bot left a comment
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: 5d13720b2b8aaaf2321b8b3ce2f49f4c9a8cd61d
Review mode: triage-approved (single reviewer)
Summary
Seeds .gitleaks.toml into repo-template via a new fetch: baseline source. Implementation is correct and fail-loud; paths come from a hardcoded readonly manifest (no injection surface). Tests cover verbatim fetch, fail-loud, listing, and the e2e cross-repo write. All quality gates green. Triage low-risk assessment confirmed at MEDIUM (non-trivial shell logic in an Actions-executed script), within auto-approve bounds.
Linked issue analysis
No formal closing reference. PR is part of the closed template-repo epic #964 (one-click compliant new repos) and companion to petry-projects/.github#578, which adds the secret-scan job that requires this config (fails file-not-found without it). Folded in from closed #1001 (gitleaks required check). The stated purpose — seed the gitleaks config so day-0 repos pass the secret-scan job — is substantively delivered, with a byte-identical emit against the live standards/gitleaks.toml verified in the PR description.
Findings
No blocking findings.
- Correctness: `_emit_baseline` now handles three sources — `gen`, bare `fetch` (Dependabot special case, preserved), and `fetch:<standards-path>` (new, verbatim). Unknown sources fail loud with return 2. The new branch mirrors the existing fetch/validate/print pattern. `std_path` values originate from the readonly `BASELINE_MANIFEST`, so no injection surface.
- Non-blocking (carried from bot threads, no human engagement):
  - gemini: fetch/validate/print logic duplicated between the two fetch branches — reasonable refactor, not required (dev-lead already dispositioned as informational).
  - copilot: a malformed `fetch:` (empty path) manifest row would emit a confusing "could not fetch from …" error (return 1) instead of an unknown-source error (return 2). Cannot occur with the current manifest; cosmetic hardening only.
  - copilot: `.gitleaks.toml` is not in `TEMPLATE_DRIFT_FILES` (scripts/template_stub_drift.sh). Verified: the drift guard covers only 3 of 11 baseline files by pre-existing design (AGENTS.md, LICENSE, README.md etc. are also excluded), so this is consistent with the existing pattern, not a regression. Worth a follow-up if drift coverage is expanded.
- Secret scan: `run_secret_scanning` MCP tool unavailable in this run; the gitleaks CI check on the PR passed. Diff contains no secret-like content (config plumbing + test fixtures only).
CI status
All quality gates green: Lint, ShellCheck (x2), bats (28/28 seed tests), unit-tests, CodeQL (actions + python), SonarCloud quality gate (0 new issues, 0 hotspots), Secret scan (gitleaks), Agent Security Scan, template-drift, holdout-guard, test-deletion guard, gh-aw-compile, validate-agent-profiles. Two CANCELLED dev-lead check runs (dispatch, ci-relay) are superseded agent-orchestration runs, not quality gates — an earlier identical dispatch run succeeded and the dev-lead agent posted no-changes results. mergeStateStatus is BEHIND main; auto-rebase applies.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
Dev-Lead — fix-bot-comment (no-changes)

Note @don-petry I received your request but all AI engines are currently rate-limited. I'll retry automatically once the rate limit clears.

Dev-Lead — rate-limited (intent: review-changes), PR: #1014

Dev-Lead — review-changes (applied): Changes committed and pushed.

Dev-Lead — waiting on PR blockers (intent: review-changes), PR: #1014

Note @don-petry I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically.

Dev-Lead — review-changes (applied): Changes committed and pushed.
80c2bcb

Dev-Lead — waiting on PR blockers (intent: review-changes), PR: #1014

Note @don-petry I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically.
donpetry-bot left a comment
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: 80c2bcb5f61e119ed6ba0f306cb66c7da5a4c774
Review mode: triage-approved (single reviewer)
Summary
Seeds .gitleaks.toml as a repo-template baseline file (fetched verbatim from standards/gitleaks.toml) and generalizes _emit_baseline to support fetch: sources with fail-loud handling for empty/unknown sources. Companion to petry-projects/.github#578 whose secret-scan job requires this config. Well-tested (verbatim fetch, fail-loud, e2e seeding, drift-guard coverage), all CI green.
Linked issue analysis
No closing issue linked. PR is part of the repo-template initiative (epic #964, related to petry-projects/.github#575) and is a companion to petry-projects/.github#578, which adds the secret-scan CI job that fails file-not-found without this config. The PR substantively delivers its stated scope: manifest entry, generalized fetch source, drift-guard coverage, and tests.
Findings
- No security issues: the fetch path comes from the readonly hardcoded BASELINE_MANIFEST (no user-controlled input); unknown sources and empty fetch: paths fail loud (return 2), empty fetched content fails (return 1).
- Prior bot findings all addressed: gemini duplication comment (resolved), Copilot empty-fetch-path comment (resolved — explicit empty-path guard added), Copilot drift-guard gap (thread not marked resolved on GitHub, but verifiably fixed at the reviewed head: .gitleaks.toml added to TEMPLATE_DRIFT_FILES in scripts/template_stub_drift.sh plus a covered-set test assertion in tests/template_stub_drift.bats).
- Secret-scan MCP tool unavailable in this run; the gitleaks CI check passed on this head.
- Branch is BEHIND base but MERGEABLE; auto-rebase automation applies.
CI status
All checks green: shellcheck, ShellCheck, bats, unit-tests, Lint, template-drift, holdout-guard, guard, Secret scan (gitleaks), CodeQL (actions + python), SonarCloud, Agent Security Scan, agent-shield, gh-aw-compile, validate-agent-profiles, CodeRabbit. Dependency-audit jobs skipped (no matching ecosystems). The cancelled/in-progress 'review / review' entries are this review workflow itself.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
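The source dispatch and exit codes the review describes (return 2 for unknown or empty-path sources, return 1 for a missing or empty standards file, verbatim copy for `fetch:<standards-path>`), as an added example that is not the project's scripts/seed-repo-template.sh. It assumes standards files are read from a local directory rather than fetched from petry-projects/.github, a placeholder DEPENDABOT_STD_PATH for the bare `fetch` case, and a fixed marker line in place of the real `gen` output.

```shell
#!/usr/bin/env bash
# Added example, not the project's seed script: a minimal model of the
# _emit_baseline dispatch. Assumed: a local standards dir stands in for the
# remote fetch, DEPENDABOT_STD_PATH is a placeholder, "gen" emits a marker.
set -eu

# Constructed manifest: one "<dest-path>|<source>" row per baseline file.
BASELINE_MANIFEST='.gitleaks.toml|fetch:standards/gitleaks.toml
.github/dependabot.yml|fetch
CODEOWNERS|gen'
readonly BASELINE_MANIFEST
readonly DEPENDABOT_STD_PATH="standards/dependabot.yml"   # placeholder

# emit_baseline DEST SOURCE STD_DIR: print the content for DEST on stdout.
# Exit codes: 2 = unknown or malformed source (fail loud before any fetch),
# 1 = standards file missing or empty.
emit_baseline() {
  dest="$1"; src="$2"; std_dir="$3"
  case "$src" in
    gen)
      printf '# generated baseline for %s\n' "$dest"; return 0 ;;
    fetch)                       # bare fetch: Dependabot stack special case
      std_path="$DEPENDABOT_STD_PATH" ;;
    fetch:*)                     # fetch:<standards-path>: copy verbatim
      std_path="${src#fetch:}"
      if [ -z "$std_path" ]; then
        echo "emit_baseline: empty fetch: path for $dest" >&2; return 2
      fi ;;
    *)
      echo "emit_baseline: unknown source '$src' for $dest" >&2; return 2 ;;
  esac
  # Refuse to seed a missing or empty file rather than emit bad content.
  if [ ! -s "$std_dir/$std_path" ]; then
    echo "emit_baseline: could not fetch $std_path for $dest" >&2; return 1
  fi
  cat -- "$std_dir/$std_path"
}

# seed_baselines OUT_DIR STD_DIR: write every manifest row under OUT_DIR.
# Any emit failure aborts the run (set -e), so a half-seeded repo is loud.
seed_baselines() {
  out_dir="$1"; std_dir="$2"
  while IFS= read -r row; do
    [ -n "$row" ] || continue
    dest="${row%%|*}"; src="${row#*|}"
    mkdir -p "$out_dir/$(dirname "$dest")"
    emit_baseline "$dest" "$src" "$std_dir" > "$out_dir/$dest"
  done <<EOF
$BASELINE_MANIFEST
EOF
}
```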
Dev-Lead — fix-bot-comment (no-changes)
donpetry-bot left a comment
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: 80c2bcb5f61e119ed6ba0f306cb66c7da5a4c774
Review mode: triage-approved (single reviewer)
Summary
Adds .gitleaks.toml to the repo-template baseline set, fetched verbatim from the canonical standards/gitleaks.toml in petry-projects/.github. Generalizes _emit_baseline to support the documented fetch: source form with fail-loud handling for empty paths and unknown sources (previously an unknown source silently fell through to the Dependabot fetch). Adds the file to the template drift guard (TEMPLATE_DRIFT_FILES) and covers everything with bats tests (verbatim fetch, fail-loud on missing standards file, baseline-set listing, seeding e2e). Companion to petry-projects/.github#578, which adds the secret-scan CI job that requires this config.
Linked issue analysis
No formal closing issue (PR is 'Part of' the secret-scan/required-check work under epic #964, companion to petry-projects/.github#578). The PR's stated purpose — seed the gitleaks config so the companion secret-scan job does not fail file-not-found — is substantively delivered by the diff, including drift protection against manual edits in repo-template.
Findings
- No blocking findings.
- Security note: the seeded .gitleaks.toml is copied verbatim from the canonical standards source (not authored here); no scanner rules or allowlists are modified in this PR, and the drift guard now fails CI on any manual edit of the seeded copy. Error paths fail loud rather than emitting empty/wrong content — a robustness improvement over the prior silent Dependabot fallthrough.
- One formally-unresolved Copilot review thread (drift-guard coverage for .gitleaks.toml) is substantively fixed at the reviewed head: entry added at scripts/template_stub_drift.sh:55 plus an explicit assertion in tests/template_stub_drift.bats, with owner replies confirming. Bot threads cannot self-resolve; treating as addressed.
- MCP secret-scanning tool not available in this run; the gitleaks CI check on the PR passed, and the diff contains no secret-like content (shell logic and inert test fixtures only).
CI status
All required checks green at the reviewed head: shellcheck/ShellCheck, bats unit-tests, template-drift, Secret scan (gitleaks), CodeQL (actions + python), SonarCloud quality gate passed (0 new issues), agent-shield, holdout-guard, lint, gh-aw-compile. One CANCELLED 'review / review' run is a superseded duplicate (latest completed run succeeded; the in-progress one is this review). mergeStateStatus is BEHIND main — needs a rebase/update before merge but not a review blocker.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
Superseded by automated re-review at 80c2bcb.
Dev-Lead — waiting on PR blockers (intent: fix-reviews), PR: #1014
Summary

Seeds a .gitleaks.toml at the root of every repo created from repo-template, sourced verbatim from petry-projects/.github standards/gitleaks.toml. Companion to petry-projects/.github#578 — that PR adds the secret-scan job to the template ci.yml, which runs `gitleaks detect --config .gitleaks.toml` and fails file-not-found without this config. Land them together.

Changes

- BASELINE_MANIFEST — add `.gitleaks.toml|fetch:standards/gitleaks.toml`.
- _emit_baseline — generalize the fetch source: bare `fetch` stays the Dependabot stack special case; new `fetch:<standards-path>` fetches that path verbatim (the form the manifest header already documented but wasn't implemented). Unknown sources now fail loud.
- Tests — verbatim-fetch + fail-loud for .gitleaks.toml; added to the baseline-set list; fixture provisioned + cross-repo write asserted in the seeding e2e. 28/28 seed bats pass, `shellcheck --severity=warning -x` clean.

Verified

Real emit against the live standards/gitleaks.toml is byte-identical:

Part of #575 (folded-in from closed #1001). Epic #964.
🤖 Generated with Claude Code
Summary by CodeRabbit

- New Features: `.gitleaks.toml` baseline file from the standard template source.
- Bug Fixes: `.gitleaks.toml` in template drift checks to surface template differences consistently.
- Tests: `.gitleaks.toml`.