fix(ci): leak-check allowlists itself (workflow contains pattern as detection rule)

leak-check.yml has the pattern 'denisparfionovich' as a literal in its grep.
On first run after install, it flags itself. Same fix as the local
.git/hooks/pre-commit — allowlist the workflow file alongside NOTICE/README.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Parfii-bot 2026-05-01 20:04:36 +08:00
parent 8fcba39e05
commit f88da09f42


@ -20,7 +20,10 @@ jobs:
run: |
set -e
PATTERN='denisparfionovich|/Users/[a-z]+/Projects/KeiSeiKit-public/'
hits=$(git ls-files | xargs grep -lE "$PATTERN" 2>/dev/null | grep -vE '^(NOTICE|README\.md)$' || true)
# Allowlist: byline files (intentional copyright) + this workflow
# itself (it contains the pattern as a literal detection rule).
ALLOWLIST='^(NOTICE|README\.md|\.github/workflows/leak-check\.yml)$'
hits=$(git ls-files | xargs grep -lE "$PATTERN" 2>/dev/null | grep -vE "$ALLOWLIST" || true)
if [[ -n "$hits" ]]; then
echo "::error::username-path leak detected"
echo "$hits" | sed 's/^/ /'
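Review bot: the `git ls-files | xargs grep -lE "$PATTERN"` pipeline (kept unchanged on the new `hits=` line) splits on whitespace, so any tracked path containing a space is passed to grep as two bogus arguments and is never scanned; `2>/dev/null` then hides the resulting "No such file" errors, so the gap is silent. Suggest `git ls-files -z | xargs -0 grep -lE "$PATTERN"` so the check covers every tracked file. Separately, because the filter uses `grep -l` and a path-level `$ALLOWLIST`, the three exempted files are excluded wholesale, so a genuine leak of the `/Users/[a-z]+/Projects/...` path inside NOTICE, README.md or this workflow would also go unreported; if that matters, exempt only the known byline or pattern-definition lines rather than the whole files, and note the trade-off in the comment above `ALLOWLIST=`.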