diff --git a/.agent-plan.md b/.agent-plan.md index 11c33a4..7f0b346 100644 --- a/.agent-plan.md +++ b/.agent-plan.md @@ -6,11 +6,14 @@ ## Mainline Status -- Last merged PR on main: `#223` (`FIX-DISCOVERY-RUNS-SCHEMA`; refs #150/#152/#156/#184/#186, closed on deploy) — - add the missing `discovery_runs.skipped_query_count` column whose absence was failing every - Supabase run-metadata write and blocking candidate persistence on daily-review runs; a guard test - now asserts every `DiscoveryRun` field maps to a column. Clears the schema break on the - `UNIFY-PR-06` go-live path. Prior: `#220` (`GUARD-PR-SECRET-SCAN`, closes #218) — the three-layer +- Last merged PR on main: `#224` (`FIX-CI-GITLEAKS-STATE-JOBS`) — install gitleaks in the + `setup-denbust-state-job` composite action so the fail-closed `scripts/state-run.sh` secret scan + has its binary on the runner; without it every scheduled state-writing workflow would have failed + at persist on its first scheduled run. The last `UNIFY-PR-06` prerequisite. Prior: `#223` + (`FIX-DISCOVERY-RUNS-SCHEMA`; refs #150/#152/#156/#184/#186, closed on deploy) — add the missing + `discovery_runs.skipped_query_count` column whose absence was failing every Supabase run-metadata + write and blocking candidate persistence on daily-review runs; a guard test now asserts every + `DiscoveryRun` field maps to a column. Earlier: `#220` (`GUARD-PR-SECRET-SCAN`, closes #218) — the three-layer [gitleaks](https://github.com/gitleaks/gitleaks) secret-scan guard (the outer defense following the seed-time leak incident below): a shared `.gitleaks.toml`, a `pre-commit` pre-push hook, a fail-closed `scripts/state-run.sh` scan before each state push, and a Claude Code 
@@ -360,6 +363,14 @@ `supabase/migrations/20260616_discovery_runs_skipped_query_count.sql` plus a regression test and a guard test asserting every `DiscoveryRun` field maps to a `discovery_runs` column. Clears the schema break that would otherwise fail the `UNIFY-PR-06` go-live dispatch. +- [done] `FIX-CI-GITLEAKS-STATE-JOBS` (#224): install gitleaks in the `setup-denbust-state-job` composite + action so the fail-closed `scripts/state-run.sh` secret scan has its binary on the runner. After + `GUARD-PR-SECRET-SCAN` (#220), state-run refuses to push when gitleaks is absent; only `ci-test.yml` + installed it, so all eight scheduled state-writing workflows (discover, daily/weekly state-run, + backfill-discover/scrape, monthly-report, backup, release) would have failed at persist on their + first scheduled run. Pinned to v8.30.1 to match `.gitleaks.toml`. (`state-repo-squash` uses + `state-squash.sh`, which does not scan, so it is unaffected.) Prerequisite for the `UNIFY-PR-06` + go-live dispatch. - [next] `UNIFY-PR-06` (operational, go-live): the state repo is **seeded** (key-scrubbed after the incident below) with the recovered core state from local `data/news_items` (27,568 candidates + queues/attempts/verdicts/budget/yield + backfill_batches/runs/metrics; excluded: prefilter models diff --git a/.github/actions/setup-denbust-state-job/action.yml b/.github/actions/setup-denbust-state-job/action.yml index 29f7dbd..c176bfe 100644 --- a/.github/actions/setup-denbust-state-job/action.yml +++ b/.github/actions/setup-denbust-state-job/action.yml 
@@ -28,6 +28,17 @@ runs: python -m pip install --upgrade pip python -m pip install -e ".[dev]" + # Required by scripts/state-run.sh, which fails closed (refuses to push) if + # gitleaks is missing. Every state-writing job runs through state-run, so the + # binary must be present on the runner. Pinned to match .gitleaks.toml's rev. + - name: Install gitleaks + shell: bash + run: | + VERSION=8.30.1 + curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \ + | sudo tar -xz -C /usr/local/bin gitleaks + gitleaks version + - name: Install Playwright Chromium if: ${{ inputs.install-playwright == 'true' }} shell: bash
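Review bot: the `.agent-plan.md` entry for `FIX-CI-GITLEAKS-STATE-JOBS` states the binary is "Pinned to v8.30.1 to match `.gitleaks.toml`", but nothing in this PR keeps the two in sync; the hardcoded `VERSION=8.30.1` in the composite action and the `rev` in `.gitleaks.toml` will silently drift on the next bump. Consider either deriving one from the other or adding a guard test (the project already uses that pattern for the `DiscoveryRun` columns in #223) that asserts both values agree, and mention that in the plan entry.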
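Review bot: the `Install gitleaks` step pins a version but never verifies what it downloaded, so the secret-scan guard that is meant to fail closed now rests on an unauthenticated `curl ... | sudo tar -xz -C /usr/local/bin` from a release URL. Since this binary gates every state push, fetch the tarball to disk, check it against the release's published checksum (or a checksum recorded in the repo next to the pin) before extracting, and only then `tar -xz`. Separately, `gitleaks version` only prints; make it an assertion that the installed version equals `${VERSION}` so a cached or pre-installed binary on the runner cannot mask a wrong version.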