Skip to content

feat(leak-scan): add exclude-paths input for pr-diff mode#55

Merged
jorisjonkers-dev-agents[bot] merged 1 commit into
mainfrom
feat/leak-scan-exclude-paths
Jul 9, 2026
Merged

feat(leak-scan): add exclude-paths input for pr-diff mode#55
jorisjonkers-dev-agents[bot] merged 1 commit into
mainfrom
feat/leak-scan-exclude-paths

Conversation

@jorisjonkers-dev-agents

Copy link
Copy Markdown
Contributor

Summary

  • Adds exclude-paths input (space-separated path prefixes) to the leak-scan composite action and the leak-scan.yml reusable workflow
  • In pr-diff mode, files whose paths start with any excluded prefix are filtered from the changed-file list before the deny-list scan and before gitleaks runs
  • Excluded file count is emitted as a ::notice:: annotation for auditability

Motivation

homelab-deploy's Pipeline needs to commit .internal-context/cluster-context-internal.yml (containing node IPs) into PR branches so the compose gate can access it without needing a cross-repo GHCR token. This file is intentionally visibility: internal, already validated by homelab-inventory's assert-leak-boundary. Excluding it from the homelab-deploy leak scan avoids a false positive while preserving all other scanning.

Allows callers to exclude specific path prefixes from the pr-diff
deny-list scan. Used by homelab-deploy to exclude .internal-context/
which is intentionally classified visibility=internal by homelab-
inventory's assert-leak-boundary and contains node IPs by design.
@jorisjonkers-dev-agents jorisjonkers-dev-agents Bot merged commit c8c23b5 into main Jul 9, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants