CI: secrets-scan#83
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bc2f19c86b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: gitleaks/gitleaks-action@v2 |
There was a problem hiding this comment.
Pass GITHUB_TOKEN to the gitleaks action
For pull_request runs, gitleaks/gitleaks-action@v2 exits before scanning when process.env.GITHUB_TOKEN is unset; I checked the v2 action source, which logs that GITHUB_TOKEN is now required to scan pull requests and calls process.exit(1). This workflow triggers on pull requests but does not provide the token in the step env, so every PR scan will fail before checking for leaks; add env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} on this step.
Useful? React with 👍 / 👎.
| scan: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 |
There was a problem hiding this comment.
Fetch full history before running the scan
actions/checkout fetches only the triggering commit by default, but the v2 gitleaks action builds git log ranges such as baseRef^..headRef from the first/last PR commits and its own usage example sets fetch-depth: 0. On pull requests (and multi-commit pushes), those commits are often not present in a depth-1 checkout, so the scan can error out or miss the intended range; configure this checkout step with fetch-depth: 0.
Useful? React with 👍 / 👎.
| - uses: actions/checkout@v4 | ||
| - uses: gitleaks/gitleaks-action@v2 | ||
| with: | ||
| config-path: .gitleaks.toml |
There was a problem hiding this comment.
WARNING: config-path: .gitleaks.toml references a config file that does not exist in the repo
The workflow sets config-path: .gitleaks.toml, but no such file exists at the repo root (confirmed: no .gitleaks.toml is present in the tree). gitleaks-action passes --config .gitleaks.toml to gitleaks, which fails with failed to load config: open .gitleaks.toml: no such file or directory. As a result the scan step errors on every run and the secret-scanning feature never actually runs.
Fix by either committing a .gitleaks.toml, or removing the config-path input so the action falls back to its bundled default config.
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
Code Review SummaryStatus: 1 New Issue Found (3 total open) | Recommendation: Address before merge Overview
Issue Details (click to expand)WARNING
Files Reviewed (1 file)
Reviewed by hy3-20260706:free · Input: 59K · Output: 7.1K · Cached: 225.1K |
Adds gitleaks secret scanning Action.