fix(routines): docs-sync relies on the CI gate, not a fetched denylist #39
Merged
The sensitive-value denylist now lives only as the dryvist org Actions secret GITLEAKS_PRIVATE_CONFIG, which the cloud sandbox cannot read (Actions secrets are not exposed via the gh API). So the routine no longer fetches/greps a denylist file. Instead it enforces the public/private boundary by the 'Privacy is absolute' judgment, and the docs secret-scan gate (gitleaks-action + the org ruleset) is the authoritative backstop on every draft PR. Removes the fetch step, the fail-closed 'public withheld' path, and the grep self-verify (now a best-effort poll of the gate check). Assisted-by: Claude:claude-opus-4-8
Why
The sensitive-value denylist now lives only as the dryvist org Actions secret GITLEAKS_PRIVATE_CONFIG (consumed by the docs secret-scan.yml gate). The Docs Sync cloud sandbox cannot read Actions secrets via the gh API, so its previous design — fetch docs-starlight/security/gitleaks-public-docs.toml and grep — no longer has a file to fetch.
What
docs secret-scan gate as the authoritative backstop on every draft PR.
Depends on
dryvist/docs#50 (the gate) and dryvist/docs-starlight#19 (drops the committed denylist). Not yet deployed — applies at deploy time.
🤖 Generated with Claude Code
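The "best-effort poll of the gate check" this PR describes, as an added Python example that is not part of this PR or the dryvist routine's code. It classifies the check runs on a PR head commit and polls until the gate completes, with the property a practitioner wants from a best-effort self-verify: only a completed `success` conclusion is a verified pass, while pending, missing, skipped or cancelled runs are reported as unverified, never as clean, because the gate plus the org ruleset stay authoritative. The check-run name `secret-scan`, the `make_fetch` stand-in for `gh api`, and every sample payload are assumptions constructed here; the JSON field names follow the shape of GitHub's `GET /repos/{owner}/{repo}/commits/{ref}/check-runs` response.

```python
"""Best-effort poll of a PR's secret-scan gate check.

Added illustration for the design change above; not the dryvist routine's
code. The JSON shape mirrors GitHub's
GET /repos/{owner}/{repo}/commits/{ref}/check-runs response
(check_runs[].id / name / status / conclusion); all payloads below are
constructed samples, not real API output.
"""
import json
import time
from enum import Enum

GATE_CHECK_NAME = "secret-scan"  # assumed name of the gate's check run


class Gate(Enum):
    PASSED = "passed"    # completed with conclusion "success"
    FAILED = "failed"    # completed with any other conclusion
    PENDING = "pending"  # reported but not yet completed
    MISSING = "missing"  # no check run of that name on the commit


def evaluate_gate(check_runs_json, name=GATE_CHECK_NAME):
    """Classify the gate from one check-runs payload.

    Only conclusion "success" counts as a pass. "failure", "cancelled",
    "skipped", "timed_out" and the rest all map to FAILED: a gate that did
    not actually scan must never be read as a clean result.
    """
    payload = json.loads(check_runs_json)
    runs = [r for r in payload.get("check_runs", []) if r.get("name") == name]
    if not runs:
        return Gate.MISSING
    run = max(runs, key=lambda r: r.get("id", 0))  # a re-run gets a newer id
    if run.get("status") != "completed":
        return Gate.PENDING
    return Gate.PASSED if run.get("conclusion") == "success" else Gate.FAILED


def poll_gate(fetch, attempts=10, delay=0.0, name=GATE_CHECK_NAME):
    """Poll fetch() until the gate completes or attempts run out.

    fetch() returns the check-runs JSON for the PR head commit (in a real
    routine: the output of `gh api .../check-runs`). Returns (Gate, polls).
    A PENDING or MISSING state after the last attempt is returned as-is so
    the caller reports it as unverified rather than as a pass.
    """
    state = Gate.MISSING
    for n in range(1, attempts + 1):
        state = evaluate_gate(fetch(), name)
        if state in (Gate.PASSED, Gate.FAILED):
            return state, n
        if delay and n < attempts:
            time.sleep(delay)
    return state, attempts


def verdict(state):
    """Self-verify line for the routine's log; only the gate can say clean."""
    if state is Gate.PASSED:
        return "gate passed: no secret findings on the draft PR"
    if state is Gate.FAILED:
        return "gate failed: fix the findings before the PR can merge"
    return f"gate {state.value}: unverified; the ruleset still blocks merge"


def make_fetch(payloads):
    """fetch() stand-in that yields payloads in order, repeating the last."""
    queue = list(payloads)

    def fetch():
        return queue.pop(0) if len(queue) > 1 else queue[0]

    return fetch


# Constructed sample payloads (assumed shape, not captured API output).
def _run(run_id, status, conclusion):
    return {"id": run_id, "name": GATE_CHECK_NAME,
            "status": status, "conclusion": conclusion}


SAMPLE_PENDING = json.dumps({"check_runs": [_run(1, "in_progress", None)]})
SAMPLE_PASS = json.dumps({"check_runs": [_run(1, "completed", "success")]})
SAMPLE_FAIL = json.dumps({"check_runs": [_run(1, "completed", "failure")]})
SAMPLE_SKIPPED = json.dumps({"check_runs": [_run(1, "completed", "skipped")]})
SAMPLE_RERUN = json.dumps({"check_runs": [_run(1, "completed", "failure"),
                                          _run(2, "completed", "success")]})
SAMPLE_NONE = json.dumps({"check_runs": [{"id": 9, "name": "build",
                                         "status": "completed",
                                         "conclusion": "success"}]})

if __name__ == "__main__":
    state, polls = poll_gate(
        make_fetch([SAMPLE_PENDING, SAMPLE_PENDING, SAMPLE_PASS]))
    print(f"after {polls} polls: {verdict(state)}")
```

In the real routine `fetch` would wrap `gh api repos/OWNER/REPO/commits/SHA/check-runs` for the draft PR's head commit; the `make_fetch` helper only exists so the polling logic runs offline. Mapping every non-`success` conclusion to `FAILED` is the deliberate choice: a skipped or cancelled gitleaks run is not evidence that the diff is clean, so the self-verify must not promote it to a pass.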