fix(gitleaks): add inline allowlist for age public keys

cameronraysmith · cameronraysmith · commit 0cf4f20c5511 · 2025-10-25T22:24:59.000-04:00
Add gitleaks:allow comments to suppress false positives on age public
keys. Age public keys are safe to commit (they're encryption keys, not
secrets), but gitleaks flags them as generic-api-key due to base64-like
format.

Files updated:
- ci-cd-setup.md: CI age key documentation (age public key)
- sops-bootstrap.sh: placeholder age keys for bootstrap detection
diff --git a/packages/docs/src/content/docs/guides/ci-cd-setup.md b/packages/docs/src/content/docs/guides/ci-cd-setup.md
@@ -52,7 +52,7 @@ CI_AGE_KEY: age-secret-key-1... # CI age private key from .sops.yaml
 ```
 
 The `CI_AGE_KEY` should be the private key corresponding to the public key:
-`age1m9m8h5vqr7dqlmvnzcwshmm4uk8umcllazum6eaulkdp3qc88ugs22j3p8`
+`age1m9m8h5vqr7dqlmvnzcwshmm4uk8umcllazum6eaulkdp3qc88ugs22j3p8` <!-- gitleaks:allow - age public key -->
 
 ### 1.5 Encrypt the Secrets File
 
diff --git a/scripts/sops-bootstrap.sh b/scripts/sops-bootstrap.sh
@@ -19,6 +19,7 @@ fi
 CURRENT_KEY=$(grep "^  - &${ROLE} " .sops.yaml | awk '{print $3}')
 
 # Placeholder keys indicate this is a fresh bootstrap
+# gitleaks:allow - age public keys used as placeholders
 if [ "$CURRENT_KEY" = "age1dn8w7y4t4h23fmeenr3dghfz5qh53jcjq9qfv26km3mnv8l44g0sghptu3" ] || \
    [ "$CURRENT_KEY" = "age1m9m8h5vqr7dqlmvnzcwshmm4uk8umcllazum6eaulkdp3qc88ugs22j3p8" ]; then
   IS_ROTATION=false
