
Migration tenders-finder#132

Open
KrishnaAgarwal7531 wants to merge 4 commits into tinyfish-io:main from KrishnaAgarwal7531:mig-tenders-finder

Conversation

@KrishnaAgarwal7531
Contributor

No description provided.

@coderabbitai

coderabbitai Bot commented Apr 7, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: ed111db4-d432-47d9-8e71-0dc5f012eb8c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.


@simantak-dabhade simantak-dabhade left a comment


🚨 Security: real API key committed — merge blocked

This PR commits a real TinyFish API key in tenders-finder/.env.local (introduced in commit 8627508). Since your fork is public, the key must be treated as compromised.

I've flagged this to @simantak-dabhade. Before any further review happens, please do the following, in order:

  1. Rotate the key immediately in the TinyFish dashboard and send Simantak a screenshot of the rotation as proof.
  2. Delete tenders-finder/.env.local from the branch.
  3. Add a .gitignore at tenders-finder/.gitignore (and ideally fix the missing root-level one) covering at minimum:
    .env
    .env.local
    node_modules/
    .next/
    
  4. Force-push the branch with the offending commit rewritten so the key is not in git history. Options:
    • git reset --soft <parent-of-8627508> → re-stage without the secret → recommit → git push --force-with-lease
    • Or git filter-repo --path tenders-finder/.env.local --invert-paths then force-push

Note for context: TruffleHog ran and passed because it doesn't ship a detector for the sk-mino- prefix yet. Absence of a TruffleHog finding is not the same as "no leaked secret." Always double-check with git ls-files | grep -E '\.env(\.|$)' before pushing.

Once the key is rotated, .env.local is gone from the branch history, and Simantak has your screenshot, I'll proceed with the full migration review.

@simantak-dabhade
Contributor

Status update: @simantak-dabhade has confirmed the key was rotated. The exposed sk-mino-t0y8BUE216q0n4T7Jsm7MAXdNNbIGvYv is now dead.

Still need to complete the cleanup before review can continue:

  1. Rotate the key (done by @simantak-dabhade)
  2. Delete tenders-finder/.env.local from the branch.
  3. Add tenders-finder/.gitignore covering at least:
    .env
    .env.local
    .env.*.local
    node_modules/
    .next/
    
  4. Force-push to rewrite history so the key isn't in the branch log:
    git reset --soft HEAD~1
    git restore --staged tenders-finder/.env.local
    rm tenders-finder/.env.local
    # recommit the rest
    git commit -m "Migration tenders-finder"
    git push --force-with-lease

Heads-up: the same key was committed again in PR #147 two days later, so please adjust your local workflow to prevent a third occurrence — e.g., git diff --cached --name-only | grep -E '\.env($|\.)' before every push, or a personal pre-commit hook.

Once .env.local is gone from history and the .gitignore is in, I'll proceed with the full migration review.
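Both review comments above ask for the same two local safeguards: a check that no `.env`-style file is staged, and a check that nothing carrying the `sk-mino-` key prefix is in the staged diff, ideally wired into a personal pre-commit hook. The script below is an added example written for this thread, not code from the tenders-finder repository or from the reviewers; it assumes the `sk-mino-` prefix the reviewers named, assumes the hook is installed at `.git/hooks/pre-commit`, and uses a clearly constructed placeholder value in its comments rather than any real key. The functions are kept separate from the git calls so they can be exercised on plain arguments.

```shell
#!/bin/sh
# Added example (not part of the PR): a pre-commit guard that refuses to commit
# env files or staged content that carries the TinyFish "sk-mino-" key prefix
# described in the review thread. Install (assumed path): .git/hooks/pre-commit

# Return 0 when a path is an env file that must never be committed.
# Matches .env, .env.local, .env.production.local, at any depth.
# .env.example is a committed template in many Next.js projects, so it is allowed.
is_env_path() {
    case "$1" in
        .env.example|*/.env.example) return 1 ;;
        .env|.env.*|*/.env|*/.env.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check a list of staged paths (one per argument).
# Prints each offending path to stderr; returns 1 if any was found, 0 otherwise.
check_staged_paths() {
    found=0
    for p in "$@"; do
        if is_env_path "$p"; then
            echo "blocked: env file staged: $p" >&2
            found=1
        fi
    done
    return $found
}

# Check text on stdin for a key-shaped token with the sk-mino- prefix.
# Returns 1 if such a token appears, 0 otherwise. The prefix is taken from
# the thread; the token body pattern is an assumption.
check_content_for_key() {
    if grep -qE 'sk-mino-[A-Za-z0-9]+'; then
        return 1
    fi
    return 0
}

# Hook entry point: gather staged paths and the staged diff from git and run
# both checks. Only the lines being added ('+' in the diff) are scanned so that
# removing a leaked key from a file is not itself blocked.
run_pre_commit_hook() {
    staged=$(git diff --cached --name-only --diff-filter=ACM)
    old_ifs=$IFS
    IFS='
'
    set -- $staged
    IFS=$old_ifs
    check_staged_paths "$@" || return 1
    if ! git diff --cached | grep '^+' | check_content_for_key; then
        echo "blocked: sk-mino- key prefix found in staged changes" >&2
        return 1
    fi
    return 0
}

# Act as a hook only when git invokes this file as pre-commit; when the file is
# sourced or run under another name the functions are merely defined.
case "$0" in
    *pre-commit) run_pre_commit_hook || exit 1 ;;
esac
```

A hook of this kind is a local backstop, not a replacement for rotating a key that has already reached a public fork; it only prevents the next occurrence, which is exactly the "third occurrence" the second comment is worried about. Because it is a client-side hook, it is not versioned with the repository, so each contributor installs it themselves (or points `core.hooksPath` at a shared directory).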

3 participants