ce3deb43fa
leak-check.yml has the pattern 'denisparfionovich' as a literal in its grep. On first run after install, it flags itself. Same fix as the local .git/hooks/pre-commit — allowlist the workflow file alongside NOTICE/README. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
36 lines
1.3 KiB
YAML
36 lines
1.3 KiB
YAML
name: leak-check
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
|
|
concurrency:
|
|
group: leak-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
username-paths:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
fetch-depth: 1
|
|
- name: scan tracked files for absolute home paths
|
|
run: |
|
|
set -e
|
|
PATTERN='denisparfionovich|/Users/[a-z]+/Projects/KeiSeiKit-public/'
|
|
# Allowlist: byline files (intentional copyright) + this workflow
|
|
# itself (it contains the pattern as a literal detection rule).
|
|
ALLOWLIST='^(NOTICE|README\.md|\.github/workflows/leak-check\.yml)$'
|
|
hits=$(git ls-files | xargs grep -lE "$PATTERN" 2>/dev/null | grep -vE "$ALLOWLIST" || true)
|
|
if [[ -n "$hits" ]]; then
|
|
echo "::error::username-path leak detected"
|
|
echo "$hits" | sed 's/^/ /'
|
|
echo
|
|
echo "Replace absolute home paths with placeholders:"
|
|
echo " ~/.claude/projects/-Users-<user>/memory/ -> ~/.claude/memory/"
|
|
echo " /Users/<user>/Projects/KeiSeiKit-public/ -> <relative path>"
|
|
exit 1
|
|
fi
|
|
echo "OK: no username-path leaks in tracked files"
|