22 changes: 12 additions & 10 deletions gitleaks/config/gitleaks.base.toml
@@ -1,36 +1,38 @@
# Centralized Gitleaks configuration for all Deckhouse repositories
# This file is distributed via modules-actions/gitleaks action
#
# Repositories can extend this config by creating local .gitleaks.toml:
#
# CI downloads this to /tmp/gitleaks.base.toml. Repositories can extend it:
# [extend]
# useDefault = false
# path = "/tmp/gitleaks.base.toml"
#
# If no local .gitleaks.toml exists, CI uses this base config only.

# Use default Gitleaks rules
[extend]
useDefault = true

# Global allowlists
# Global allowlists (merged with default config)
[allowlist]

# === Safe files/directories ===
# NOTE: Use exact paths, NOT glob patterns like **/go.mod

paths = [
# Go dependencies - public hashes
"go.mod",
"go.sum",

# Specific files with known false positives
# "modules/101-cert-manager/docs/USAGE.md",
# "modules/101-cert-manager/docs/USAGE_RU.md",

# Storage modules - common allowlist
'''(?:^|/)images/.*patches.*\.patch$''',
'''(?:^|/)test-secret\.txt$''',
'''(?:^|/)e2e/.*''',
'''(?:^|/).*_test\.go$''',
]

# === Safe patterns ===
regexes = [
# Go module checksums - always public
'''h1:[A-Za-z0-9+/=]{40,}''',

# Public certificates (only ca.crt, NOT private keys!)
'''data:\s*\n\s*ca\.crt:\s*[A-Za-z0-9+/=\s]+''',

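Review bot: The allowlist paths `'''(?:^|/)e2e/.*'''` and `'''(?:^|/).*_test\.go$'''` switch off scanning for every e2e directory and every Go test file in each repository that inherits this base config, so a live credential pasted into a test fixture would never be reported; the rendering does not show which of these lines are new, but they apply after this change either way. Entries this broad are better left to the local `.gitleaks.toml` of the repositories that need them, or narrowed to named fixture files. Gitleaks treats `paths` entries as regular expressions, so `"go.mod"` and `"go.sum"` are unanchored and match any path containing those characters; `'''(?:^|/)go\.(?:mod|sum)$'''` keeps the intent. The comment `# NOTE: Use exact paths, NOT glob patterns like **/go.mod` should then read `# NOTE: entries are regular expressions matched against the file path; anchor them`.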
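--- a/scripts/go_linter.sh
+++ b/scripts/go_linter.sh
@@ -39,6 +39,14 @@ section_start "install_linter" "Installing golangci-lint@$linter_version"
 curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b . $linter_version
 section_end "install_linter"
 
+# Migrate .golangci config to v2 format if needed (golangci-lint v2 requires version: "2")
+for config in .golangci.yaml .golangci.yml; do
+if [ -f "$config" ] && ! grep -q 'version:.*"2"' "$config" 2>/dev/null; then
+echo "Migrating $config to golangci-lint v2 format..."
+./golangci-lint migrate -c "$config" --skip-validation 2>/dev/null || true
+fi
+done
+
 basedir=$(pwd)
 failed='false'
 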
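Review bot: The migrate call `./golangci-lint migrate -c "$config" --skip-validation 2>/dev/null || true` throws away both the error output and the exit status, so a failed migration is invisible and the lint run that follows uses the unmigrated config. Keep the step best-effort but report it: `./golangci-lint migrate -c "$config" --skip-validation || echo "WARNING: could not migrate $config" >&2`. The step also appears to rewrite the repository's config in the working tree, which deserves a one-line comment since later steps in the same job will see the modified file. The binary being run comes from the `curl … | sh` install of `master/install.sh` in the context lines above; that is outside this change, but pinning the installer to a tag or commit would be a worthwhile follow-up.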
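--- a/scripts/go_test_coverage.sh
+++ b/scripts/go_test_coverage.sh
@@ -14,6 +14,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# Fix covdata tool lookup with Go 1.25 toolchain switching
+export GOTOOLCHAIN=auto
+
 if [ ! -d "images" ]; then
 echo "No images/ directory found. Please run this script from the root of the repository."
 exit 1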
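Review bot: `export GOTOOLCHAIN=auto` unconditionally replaces whatever the CI image or job had set, and with `auto` the go command may download and run the toolchain version requested by the repository's go.mod. For a script that runs against many repositories, that belongs in the comment next to the line, e.g. `# Overrides any GOTOOLCHAIN from the runner; go may download the toolchain requested by go.mod`. If the runner is expected to ship a suitable Go already, the `go<VERSION>+auto` form would keep a CI-chosen minimum while still allowing the switch. The `if` block that follows continues outside the hunk.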