Problem
actions/deploy-artifact/run.sh uses an unanchored grep for kind: Secret in its forbidden-kind guard (E_FORBIDDEN_KIND). This over-matches legitimate kinds such as SecretStore and ClusterSecretStore (External Secrets / VSO patterns), producing false-positive rejections.
The identical bug existed in actions/deploy-preview/run.sh and was fixed in #62 by anchoring the pattern to ^kind:[[:space:]]*Secret[[:space:]]*$. The deploy-artifact copy was out of scope there and remains unfixed.
Fix
Apply the same anchored regex in actions/deploy-artifact/run.sh, and add a test mirroring the deploy-preview coverage in tests/test_scorecard.py (a manifest with kind: SecretStore must pass; kind: Secret must fail).
Acceptance
A service rendering a SecretStore/ClusterSecretStore object publishes its deploy artifact without E_FORBIDDEN_KIND; a raw Secret still fails with the file named.
Problem
actions/deploy-artifact/run.shuses an unanchored grep forkind: Secretin its forbidden-kind guard (E_FORBIDDEN_KIND). This over-matches legitimate kinds such asSecretStoreandClusterSecretStore(External Secrets / VSO patterns), producing false-positive rejections.The identical bug existed in
actions/deploy-preview/run.shand was fixed in #62 by anchoring the pattern to^kind:[[:space:]]*Secret[[:space:]]*$. The deploy-artifact copy was out of scope there and remains unfixed.Fix
Apply the same anchored regex in
actions/deploy-artifact/run.sh, and add a test mirroring the deploy-preview coverage intests/test_scorecard.py(a manifest withkind: SecretStoremust pass;kind: Secretmust fail).Acceptance
A service rendering a
SecretStore/ClusterSecretStoreobject publishes its deploy artifact withoutE_FORBIDDEN_KIND; a rawSecretstill fails with the file named.