
fix: include workflow files in secret scan gate#60

Merged
seonghobae merged 3 commits into
developfrom
codex/fix-secret-scan-gate-to-include-workflows
Mar 25, 2026

Conversation

@seonghobae seonghobae commented Mar 12, 2026

Collaborator

Motivation

  • Restore secret-scanning coverage for GitHub Actions workflow YAMLs because the previous exclusion of .github/workflows/** created a blind spot that could allow credentials in workflow files to bypass the hardcoded-secret gate.

Description

  • Removed the explicit workflow-path exclusion from .github/workflows/secret-scan-gate.yml so .github/workflows/** is scanned again and updated the hardcoded-secret regex literals to safe character-class forms to avoid self-matching while preserving detection behavior (g[h]p_, A[K]IA, A[I]za, R[S]A, E[C], OPENS[S]H).
  • The only file changed is .github/workflows/secret-scan-gate.yml and the scan still excludes package-lock.json and node_modules/** to limit expected false positives.

Testing

  • Ran the git grep -nE '(g[h]p_|g[h]o_|A[K]IA[0-9A-Z]{16}|A[I]za[0-9A-Za-z\-_]{35}|BEGIN (R[S]A|E[C]|OPENS[S]H|PGP) PRIVATE KEY)' -- . ':(exclude)package-lock.json' ':(exclude)node_modules/**' scan which returned exit code 1 indicating no matches in the current tree.
  • Ran python3 scripts/checks/verify_supply_chain.py which completed successfully and reported the supply-chain verification passed.

Codex Task

📝 Walkthrough

Walkthrough

The git grep command in the secret-scan gate workflow was modified. The regex patterns were changed to use bracketed character classes, and the path-exclusion rules were simplified: the .github/workflows/** exclusion rule was removed.

Changes

Cohort / File(s) Summary
Secret Scan Workflow Configuration
.github/workflows/secret-scan-gate.yml
Changed the git grep regex patterns to bracketed character classes (e.g. g[h]p_, A[K]IA) and simplified the path-exclusion rules (removed the .github/workflows/** exclusion)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Seeking out secrets buried deep,
Made cleverer with brackets square,
Tidying paths so all is neat,
The gate of security stands stronger there!
Okay! 🔐✨
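Added example (not the project's own code and not part of the PR): a Python model of the gate's detection logic. It compiles the exact regex from the Testing section, shows with pattern_matches_itself why the bracketed spelling does not fire on the workflow file that carries it while a plain-literal spelling would, and runs the scan over a constructed in-memory tree with both the pre-PR and post-PR exclusion sets so the workflow-file blind spot is visible. The pathspec exclusions are approximated with fnmatch; NAIVE_PATTERN, SAMPLE_REPO and the dummy AKIA value are constructed for this example; the gate-pass logic follows the page's description of the negated git grep (exit code 1 means no matches).

```python
"""Added example (not the project's own code): model of the secret-scan gate's
detection logic from the PR, run over a constructed in-memory "repository"."""
import re
from fnmatch import fnmatchcase

# Regex exactly as in the PR's Testing section (git grep -nE); Python's re
# accepts this ERE syntax unchanged.
SECRET_PATTERN = re.compile(
    r"(g[h]p_|g[h]o_|A[K]IA[0-9A-Z]{16}|A[I]za[0-9A-Za-z\-_]{35}"
    r"|BEGIN (R[S]A|E[C]|OPENS[S]H|PGP) PRIVATE KEY)"
)

# Hypothetical plain-literal spelling of the same detectors, constructed here
# to show why the character-class spelling matters.
NAIVE_PATTERN = re.compile(
    r"(ghp_|gho_|AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z\-_]{35}"
    r"|BEGIN (RSA|EC|OPENSSH|PGP) PRIVATE KEY)"
)

# Pathspec exclusions after the PR, and the pre-PR set that also skipped
# workflow files. fnmatch's '*' crosses '/', so it approximates '**'.
EXCLUDED_AFTER = ("package-lock.json", "node_modules/*")
EXCLUDED_BEFORE = EXCLUDED_AFTER + (".github/workflows/*",)


def pattern_matches_itself(pattern):
    """True if the regex fires on its own source text, i.e. the workflow
    file that carries the pattern would itself be reported as a finding."""
    return pattern.search(pattern.pattern) is not None


def is_scanned(path, excluded=EXCLUDED_AFTER):
    """Approximation of git's ':(exclude)...' pathspecs (assumption: fnmatch
    semantics are close enough for these three globs)."""
    return not any(fnmatchcase(path, glob) for glob in excluded)


def scan(files, excluded=EXCLUDED_AFTER):
    """Return (path, line_no, line) for each hit, like 'git grep -n'."""
    hits = []
    for path, text in files.items():
        if not is_scanned(path, excluded):
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            if SECRET_PATTERN.search(line):
                hits.append((path, lineno, line))
    return hits


def gate_passes(files, excluded=EXCLUDED_AFTER):
    """The workflow negates git grep: exit code 1 (no matches) means the
    gate succeeds, so the gate passes only when nothing is found."""
    return len(scan(files, excluded)) == 0


# Constructed sample tree; no real credentials anywhere in it.
SAMPLE_REPO = {
    ".github/workflows/secret-scan-gate.yml":
        "      run: |\n"
        "        ! git grep -nE '" + SECRET_PATTERN.pattern + "' -- . "
        "':(exclude)package-lock.json' ':(exclude)node_modules/**'\n",
    ".github/workflows/deploy.yml":
        "env:\n"
        "  AWS_ACCESS_KEY_ID: AKIAEXAMPLEEXAMPLEEX  # constructed dummy value\n",
    "node_modules/somepkg/README.md":
        "Personal access tokens start with ghp_ and are 40 characters long.\n",
    "src/app.py":
        "TOKEN = os.environ['GITHUB_TOKEN']\n",
}

if __name__ == "__main__":
    print("naive pattern matches its own text:", pattern_matches_itself(NAIVE_PATTERN))
    print("bracketed pattern matches its own text:", pattern_matches_itself(SECRET_PATTERN))
    for label, excl in (("before PR", EXCLUDED_BEFORE), ("after PR", EXCLUDED_AFTER)):
        for path, n, line in scan(SAMPLE_REPO, excl):
            print(f"[{label}] {path}:{n}: {line.strip()}")
        print(f"[{label}] gate passes:", gate_passes(SAMPLE_REPO, excl))
```

Run as a script it prints that only the naive spelling self-matches, that the pre-PR exclusion set lets the dummy key in deploy.yml through (gate passes), and that the post-PR set reports it at deploy.yml line 2 (gate fails), while the gate's own workflow file and the excluded node_modules README stay silent.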

coderabbitai Bot commented Mar 12, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d74f943e-4cfb-4ea4-bc25-82ecf828838e

📥 Commits

Reviewing files that changed from the base of the PR and between 169f05a and c7a63fd.

📒 Files selected for processing (1)
  • .github/workflows/secret-scan-gate.yml

📝 Walkthrough

Summary by CodeRabbit

Release Notes

  • Security improvements
    • Strengthened the secret-scan check. Hardcoded credentials and private keys in various formats are now detected more effectively.
    • Expanded the scope of the security check to the whole repository, including workflow files.

Walkthrough

The git grep -nE regex in the secret-scan gate workflow was changed to character-class form (e.g. g[h]p_, A[K]IA), and the .github/workflows/** entry was removed from the path-exclusion list, simplifying the exclusion rules.

Changes

Cohort / File(s) Summary
Secret Scan Workflow Configuration
.github/workflows/secret-scan-gate.yml
Changed the git grep -nE regex literals to character-class/alternative forms (e.g. ghp_ → g[h]p_, AKIA → A[K]IA), adjusted the private-key header alternatives to character-class form as well, and removed .github/workflows/** from the path-exclusion list (the remaining exclusions, package-lock.json and node_modules/**, are kept)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Slipping in brackets to take a peek,
No hidden token can leap out now.
Trimming the needless paths as I go,
I hop, hop through the forest of security. 🥕🔎

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change of the PR. Including workflow files in the secret-scan gate is the core change, and the title reflects it accurately.
Description check ✅ Passed The description is related to the PR's changes. It explains the motivation, changes and test results in detail and is consistent with the changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/secret-scan-gate.yml:
- Line 24: Update the regex fragment "BEGIN (R[S]A|E[C]|OPENS[S]H|PGP) PRIVATE KEY" used in the git grep command so "PGP" uses the same self-match-avoidance technique as the others — change "PGP" to "P[G]P" (i.e., "BEGIN (R[S]A|E[C]|OPENS[S]H|P[G]P) PRIVATE KEY") so the pattern remains functionally identical but consistent with the other character-class substitutions; ensure the surrounding command and negation operator (!) are left unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 788069ab-3019-4314-96b6-002a5903255f

📥 Commits

Reviewing files that changed from the base of the PR and between 169f05a and 3f88222.

📒 Files selected for processing (1)
  • .github/workflows/secret-scan-gate.yml

Comment thread .github/workflows/secret-scan-gate.yml Outdated
@seonghobae

Collaborator Author

@coderabbitai review

coderabbitai Bot commented Mar 25, 2026

Contributor
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@seonghobae

Collaborator Author

@coderabbitai full review

coderabbitai Bot commented Mar 25, 2026

Contributor
✅ Actions performed

Full review triggered.

@seonghobae seonghobae enabled auto-merge (squash) March 25, 2026 12:47
@seonghobae seonghobae merged commit 41befa7 into develop Mar 25, 2026
20 checks passed