ci(state): install gitleaks in setup-denbust-state-job (unblocks go-live) #224
Merged
… state-run can persist

After GUARD-PR-SECRET-SCAN (#220), scripts/state-run.sh fails closed — it refuses to commit/push when gitleaks is absent. gitleaks was installed only in ci-test.yml, not in the composite action every state-writing workflow uses, so the eight scheduled state jobs (discover, daily/weekly state-run, backfill-discover/scrape, monthly-report, backup, release) would all have failed at the persist step on their first scheduled run.

Add a pinned (v8.30.1, matching .gitleaks.toml) gitleaks install to the shared setup-denbust-state-job composite action — one place covers all of them. state-repo-squash uses state-squash.sh (no scan) and is unaffected.

Unblocks the UNIFY-PR-06 go-live dispatch.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Pull request overview
This PR unblocks upcoming state-writing GitHub Actions runs by ensuring the shared setup-denbust-state-job composite action installs gitleaks, which scripts/state-run.sh requires for its fail-closed secret-scan guard.
Changes:
- Add a pinned gitleaks (v8.30.1) install step to the setup-denbust-state-job composite action.
- Record the change as a completed item in .agent-plan.md to keep the go-live ledger up to date.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/actions/setup-denbust-state-job/action.yml | Installs gitleaks on state-job runners so state-run's secret scan can execute before push. |
| .agent-plan.md | Marks the CI/state-job gitleaks installation work item as done in the plan ledger. |
Comment on lines +31 to +33
| # Required by scripts/state-run.sh, which fails closed (refuses to push) if | ||
| # gitleaks is missing. Every state-writing job runs through state-run, so the | ||
| # binary must be present on the runner. Pinned to match .gitleaks.toml's rev. |
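Review bot: the comment on line +33 says the version is "pinned to match .gitleaks.toml's rev", but `.gitleaks.toml` is the scanner's rule configuration and carries no gitleaks version, so a reader following the comment will find nothing to keep in sync. Point it at where the version is actually pinned (the `ci-test.yml` install step this mirrors, per the PR description) so both pins get bumped together, e.g. `# Pinned to the same gitleaks version as the ci-test.yml install step.`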
Comment on lines +36 to +40
| run: | | ||
| VERSION=8.30.1 | ||
| curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \ | ||
| | sudo tar -xz -C /usr/local/bin gitleaks | ||
| gitleaks version |
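Review bot: lines +38 to +39 pipe a network download straight into `sudo tar -xz -C /usr/local/bin` with no integrity check, so whatever the release URL serves becomes the binary that gates every state push. Download to a temp file, compare its SHA-256 against the digest published with the release before extracting, and add `--retry` so a transient network error does not kill a scheduled job. On the `curl | tar` failure mode: if this step's `shell:` (not shown in the hunk) is `bash`, GitHub Actions already runs it with `-eo pipefail`; otherwise `set -euo pipefail` at the top of `run:` is needed for a mid-stream download failure to fail the step rather than relying on tar's exit status.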
Comment on lines +368 to +369
| first scheduled run. Pinned to v8.30.1 to match `.gitleaks.toml`. (`state-repo-squash` uses | ||
| `state-squash.sh`, which does not scan, so it is unaffected.) Prerequisite for the `UNIFY-PR-06` |
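Review bot: line +368 carries the same "to match `.gitleaks.toml`" rationale as the action.yml comment; since that file is configuration rather than a version pin, name the actual pin location here too so the ledger entry and the install step do not drift apart on the next bump.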
Codecov Report: All modified and coverable lines are covered by tests.

| Coverage Diff | main | #224 | +/- |
|---|---|---|---|
| Coverage | 92.84% | 92.84% | |
| Files | 84 | 84 | |
| Lines | 12337 | 12337 | |
| Hits | 11454 | 11454 | |
| Misses | 883 | 883 | |
pr-agent-context report: This run includes unresolved review comments on PR #224.
For each unresolved review comment, recommend one of: resolve as irrelevant, accept and implement
the recommended solution, open a separate issue and resolve as out-of-scope for this PR, accept and
implement a different solution, or resolve as already treated by the code.
After I reply with my decision per item, implement the accepted actions, resolve the corresponding
PR comments, and push all of these changes in a single commit.
# Copilot Comments
## COPILOT-1
Location: .github/actions/setup-denbust-state-job/action.yml:33
URL: https://github.com/DataHackIL/tfht_enforce_idx/pull/224#discussion_r3423875963
Root author: copilot-pull-request-reviewer
Comment:
The comment says gitleaks is “pinned to match .gitleaks.toml's rev”, but `.gitleaks.toml` is a config file and doesn’t define a gitleaks version. Consider referencing the actual version pins (CI / pre-commit) to avoid misleading future edits.
## COPILOT-2
Location: .github/actions/setup-denbust-state-job/action.yml:40
URL: https://github.com/DataHackIL/tfht_enforce_idx/pull/224#discussion_r3423876007
Root author: copilot-pull-request-reviewer
Comment:
The gitleaks install uses a pipeline (`curl | tar`). Adding `set -o pipefail` (and `-e`) makes the step fail reliably if the download fails mid-stream, instead of relying on `tar` to surface the error.
## COPILOT-3
Location: .agent-plan.md:369
URL: https://github.com/DataHackIL/tfht_enforce_idx/pull/224#discussion_r3423876039
Root author: copilot-pull-request-reviewer
Comment:
This entry says the gitleaks pin “matches `.gitleaks.toml`”, but `.gitleaks.toml` is configuration (not a version pin). It’s clearer to reference the actual gitleaks version pins (pre-commit / CI) so future bumps stay consistent.
## Why

A latent go-live blocker introduced by #220.

`scripts/state-run.sh` now fails closed — `scan_state_for_secrets()` refuses to commit/push when gitleaks isn't on the runner. But gitleaks was installed only in `ci-test.yml`; the `setup-denbust-state-job` composite action — used by every state-writing workflow — never installed it.

Because all eight scheduled state jobs are currently `workflow_dispatch`-only (pre-go-live), this has been dormant. The moment `UNIFY-PR-06` flips the schedules on, each of these would run the job and then fail at the persist step with `gitleaks not installed — refusing to push state unscanned`: `news-items-discover`, `daily-state-run`, `weekly-state-run`, `news-items-backfill-discover`, `news-items-backfill-scrape`, `news-items-monthly-report`, `news-items-backup`, `news-items-release`.

## What

Add a pinned `gitleaks` install (v8.30.1, matching `.gitleaks.toml`) to the shared `setup-denbust-state-job` composite action — one place covers all eight consumers. The read-only `news-items-daily-review` also uses the action and gets gitleaks harmlessly (a ~2s download it doesn't use). `state-repo-squash` uses `state-squash.sh` (which does not scan) and is correctly unaffected.

## Verification

- `state-run.sh` use this composite action → all now have gitleaks.
- `action.yml` parses as valid YAML; install step mirrors the proven `ci-test.yml` step.

## Why now

This is the prerequisite for the `UNIFY-PR-06` go-live dispatch — surfaced while scoping that verification run. Until it lands, a scheduled `news-items-discover` would run, search/classify, then refuse to persist. With it, the fail-closed guard has its binary and the dispatch can actually exercise the seeded-state → guarded-state-run → Supabase-persist path.
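An added example, not the project's own code, of the two halves this PR is about as seen from the runner: a pinned gitleaks install that verifies the tarball's SHA-256 before anything is extracted into the binary path, and a fail-closed guard modelled on the described `scan_state_for_secrets()` behaviour that refuses to persist when the scanner is absent. The function names, the `gitleaks dir` invocation and the expected-digest argument are assumptions; the digest value itself must be copied from the release's published checksums, and is deliberately not hard-coded here.

```shell
#!/usr/bin/env bash
# Added example, not the project's code. Pinned, checksum-verified gitleaks
# install plus a fail-closed scan guard. POSIX sh compatible; no pipefail is
# needed because the tarball is written to disk, verified, then extracted.
set -eu

# verify_sha256 FILE EXPECTED_HEX -> 0 when the digest matches, 1 otherwise.
verify_sha256() {
  local file="$1" expected="$2" actual
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | awk '{print $1}')
  else
    actual=$(shasum -a 256 "$file" | awk '{print $1}')
  fi
  [ "$actual" = "$expected" ]
}

# install_gitleaks VERSION EXPECTED_SHA256 [DEST]: fetch the release tarball
# to a temp file, refuse to extract unless its digest matches the value
# pinned alongside VERSION (copy it from the release's checksums asset; the
# asset name is an assumption), then place the binary and print its version.
install_gitleaks() {
  local version="$1" expected="$2" dest="${3:-/usr/local/bin}"
  local url="https://github.com/gitleaks/gitleaks/releases/download/v${version}/gitleaks_${version}_linux_x64.tar.gz"
  local tmp; tmp=$(mktemp -d)
  curl -fsSL --retry 3 -o "$tmp/gitleaks.tgz" "$url"
  if ! verify_sha256 "$tmp/gitleaks.tgz" "$expected"; then
    echo "gitleaks ${version}: checksum mismatch, refusing to install" >&2
    rm -rf "$tmp"; return 1
  fi
  tar -xzf "$tmp/gitleaks.tgz" -C "$dest" gitleaks
  rm -rf "$tmp"
  "$dest/gitleaks" version
}

# scan_guard DIR: fail closed. Returns 2 when gitleaks is not on PATH (never
# push unscanned), gitleaks' own non-zero status when it finds leaks, and 0
# only when the directory scans clean.
scan_guard() {
  local dir="$1"
  if ! command -v gitleaks >/dev/null 2>&1; then
    echo "gitleaks not installed: refusing to push state unscanned" >&2
    return 2
  fi
  gitleaks dir "$dir" --no-banner --redact
}
```

In a composite action the install runs once in setup with the version and digest as step inputs, and the persist step calls `scan_guard` before any `git push`, treating exit 2 exactly like a finding.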