🚀 releasing version 3.4.0 @ 2026-04-07 16:06

[skip ci]

Author: monty-bot

CHANGELOG.md

@@ -17,6 +17,22 @@ This project was forked from version 1.7.4 of [mbed-tools-ci-scripts](https://gi
 
 [//]: # (begin_release_notes)
 
+"3.4.0" (2026-04-07)
+====================
+
+Features
+--------
+
+- :sparkles: add `cd-detect-secrets` to check tracked files against the recorded [detect-secrets](https://github.com/Yelp/detect-secrets) registry so new secrets are not introduced into the repository (#20260407160538)
+- :sparkles: add `cd-record-secrets` to record acceptable findings in the repository secret registry using [detect-secrets](https://github.com/Yelp/detect-secrets) so known safe values are not flagged repeatedly (#20260407160539)
+
+
+Bugfixes
+--------
+
+- Dependency upgrade: checkout-6.0.2 (#20260403063309)
+
+
 "3.3.0" (2026-04-02)
 ====================
 

continuous_delivery_scripts/_version.py

@@ -11,8 +11,8 @@
 This file is autogenerated, do not modify by hand.
 """
 
-__version__ = "3.3.0"
-COMMIT = "0bb13bc2abd9af0d72e709afd285d977cc06d8ba"
+__version__ = "3.4.0"
+COMMIT = "593860a336acbead96e80e1a5c55aee240dbf97e"
 MAJOR = 3
-MINOR = 3
+MINOR = 4
 PATCH = 0

docs/detect_secrets.html

@@ -0,0 +1,231 @@
+<!--
+-- Copyright (C) 2020-2026 Arm Limited or its affiliates and Contributors. All rights reserved.
+-- SPDX-License-Identifier: Apache-2.0
+-->
+<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1" />
+<meta name="generator" content="pdoc 0.10.0" />
+<title>continuous_delivery_scripts.detect_secrets API documentation</title>
+<meta name="description" content="Check tracked files against the project&#39;s recorded secret registry." />
+<link rel="preload stylesheet" as="style" href="https://cdnjs.cloudflare.com/ajax/libs/10up-sanitize.css/11.0.1/sanitize.min.css" integrity="sha256-PK9q560IAAa6WVRRh76LtCaI8pjTJ2z11v0miyNNjrs=" crossorigin>
+<link rel="preload stylesheet" as="style" href="https://cdnjs.cloudflare.com/ajax/libs/10up-sanitize.css/11.0.1/typography.min.css" integrity="sha256-7l/o7C8jubJiy74VsKTidCy1yBkRtiUGbVkYBylBqUg=" crossorigin>
+<link rel="stylesheet preload" as="style" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.1.1/styles/github.min.css" crossorigin>
+<style>:root{--highlight-color:#fe9}.flex{display:flex !important}body{line-height:1.5em}#content{padding:20px}#sidebar{padding:30px;overflow:hidden}#sidebar > *:last-child{margin-bottom:2cm}.http-server-breadcrumbs{font-size:130%;margin:0 0 15px 0}#footer{font-size:.75em;padding:5px 30px;border-top:1px solid #ddd;text-align:right}#footer p{margin:0 0 0 1em;display:inline-block}#footer p:last-child{margin-right:30px}h1,h2,h3,h4,h5{font-weight:300}h1{font-size:2.5em;line-height:1.1em}h2{font-size:1.75em;margin:1em 0 .50em 0}h3{font-size:1.4em;margin:25px 0 10px 0}h4{margin:0;font-size:105%}h1:target,h2:target,h3:target,h4:target,h5:target,h6:target{background:var(--highlight-color);padding:.2em 0}a{color:#058;text-decoration:none;transition:color .3s ease-in-out}a:hover{color:#e82}.title code{font-weight:bold}h2[id^="header-"]{margin-top:2em}.ident{color:#900}pre code{background:#f8f8f8;font-size:.8em;line-height:1.4em}code{background:#f2f2f1;padding:1px 4px;overflow-wrap:break-word}h1 code{background:transparent}pre{background:#f8f8f8;border:0;border-top:1px solid #ccc;border-bottom:1px solid #ccc;margin:1em 0;padding:1ex}#http-server-module-list{display:flex;flex-flow:column}#http-server-module-list div{display:flex}#http-server-module-list dt{min-width:10%}#http-server-module-list p{margin-top:0}.toc ul,#index{list-style-type:none;margin:0;padding:0}#index code{background:transparent}#index h3{border-bottom:1px solid #ddd}#index ul{padding:0}#index h4{margin-top:.6em;font-weight:bold}@media (min-width:200ex){#index .two-column{column-count:2}}@media (min-width:300ex){#index .two-column{column-count:3}}dl{margin-bottom:2em}dl dl:last-child{margin-bottom:4em}dd{margin:0 0 1em 3em}#header-classes + dl > dd{margin-bottom:3em}dd dd{margin-left:2em}dd p{margin:10px 0}.name{background:#eee;font-weight:bold;font-size:.85em;padding:5px 10px;display:inline-block;min-width:40%}.name:hover{background:#e0e0e0}dt:target .name{background:var(--highlight-color)}.name > span:first-child{white-space:nowrap}.name.class > span:nth-child(2){margin-left:.4em}.inherited{color:#999;border-left:5px solid #eee;padding-left:1em}.inheritance em{font-style:normal;font-weight:bold}.desc h2{font-weight:400;font-size:1.25em}.desc h3{font-size:1em}.desc dt code{background:inherit}.source summary,.git-link-div{color:#666;text-align:right;font-weight:400;font-size:.8em;text-transform:uppercase}.source summary > *{white-space:nowrap;cursor:pointer}.git-link{color:inherit;margin-left:1em}.source pre{max-height:500px;overflow:auto;margin:0}.source pre code{font-size:12px;overflow:visible}.hlist{list-style:none}.hlist li{display:inline}.hlist li:after{content:',\2002'}.hlist li:last-child:after{content:none}.hlist .hlist{display:inline;padding-left:1em}img{max-width:100%}td{padding:0 .5em}.admonition{padding:.1em .5em;margin-bottom:1em}.admonition-title{font-weight:bold}.admonition.note,.admonition.info,.admonition.important{background:#aef}.admonition.todo,.admonition.versionadded,.admonition.tip,.admonition.hint{background:#dfd}.admonition.warning,.admonition.versionchanged,.admonition.deprecated{background:#fd4}.admonition.error,.admonition.danger,.admonition.caution{background:lightpink}</style>
+<style media="screen and (min-width: 700px)">@media screen and (min-width:700px){#sidebar{width:30%;height:100vh;overflow:auto;position:sticky;top:0}#content{width:70%;max-width:100ch;padding:3em 4em;border-left:1px solid #ddd}pre code{font-size:1em}.item .name{font-size:1em}main{display:flex;flex-direction:row-reverse;justify-content:flex-end}.toc ul ul,#index ul{padding-left:1.5em}.toc > ul > li{margin-top:.5em}}</style>
+<style media="print">@media print{#sidebar h1{page-break-before:always}.source{display:none}}@media print{*{background:transparent !important;color:#000 !important;box-shadow:none !important;text-shadow:none !important}a[href]:after{content:" (" attr(href) ")";font-size:90%}a[href][title]:after{content:none}abbr[title]:after{content:" (" attr(title) ")"}.ir a:after,a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100% !important}@page{margin:0.5cm}p,h2,h3{orphans:3;widows:3}h1,h2,h3,h4,h5,h6{page-break-after:avoid}}</style>
+<script defer src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.1.1/highlight.min.js" integrity="sha256-Uv3H6lx7dJmRfRvH8TH6kJD1TSK1aFcwgx+mdg3epi8=" crossorigin></script>
+<script>window.addEventListener('DOMContentLoaded', () => hljs.initHighlighting())</script>
+</head>
+<body>
+<main>
+<article id="content">
+<header>
+<h1 class="title">Module <code>continuous_delivery_scripts.detect_secrets</code></h1>
+</header>
+<section id="section-intro">
+<p>Check tracked files against the project's recorded secret registry.</p>
+<details class="source">
+<summary>
+<span>Expand source code</span>
+</summary>
+<pre><code class="python">#
+# Copyright (C) 2020-2026 Arm Limited or its affiliates and Contributors. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+&#34;&#34;&#34;Check tracked files against the project&#39;s recorded secret registry.&#34;&#34;&#34;
+
+import argparse
+import logging
+import subprocess
+import sys
+from pathlib import Path
+from typing import List, Optional
+
+from continuous_delivery_scripts.update_secrets_registry import (
+    _determine_exclude_files,
+    _get_secrets_baseline_file,
+    _get_secrets_baseline_filename,
+)
+from continuous_delivery_scripts.utils.git_helpers import ProjectGitWrapper
+from continuous_delivery_scripts.utils.logging import log_exception, set_log_level
+
+logger = logging.getLogger(__name__)
+
+
+def _generate_detect_secrets_hook_command_list(
+    baseline_file: Path, exclude_files: List[str], tracked_files: List[str]
+) -&gt; List[str]:
+    command = [&#34;detect-secrets-hook&#34;, &#34;--baseline&#34;, str(baseline_file)]
+    for exclude_file in exclude_files:
+        command.extend([&#34;--exclude-files&#34;, exclude_file])
+    command.extend(tracked_files)
+    return command
+
+
+def _filter_tracked_files(tracked_files: List[str], project_root: Path, registry_file: Path) -&gt; List[str]:
+    &#34;&#34;&#34;Remove the registry file from tracked files to avoid scanning recorded accepted findings.&#34;&#34;&#34;
+    try:
+        registry_relative_path = registry_file.relative_to(project_root).as_posix()
+    except ValueError:
+        return tracked_files
+    return [path for path in tracked_files if path != registry_relative_path]
+
+
+def detect_secrets(baseline_file: Optional[Path] = None) -&gt; None:
+    &#34;&#34;&#34;Check tracked files so new secrets are not introduced.&#34;&#34;&#34;
+    git = ProjectGitWrapper()
+    project_root = Path(str(git.root))
+    resolved_baseline = _get_secrets_baseline_file(baseline_file)
+    tracked_files = _filter_tracked_files(git.list_tracked_files(), project_root, resolved_baseline)
+    if not tracked_files:
+        logger.info(&#34;No tracked files found for detect-secrets.&#34;)
+        return
+    subprocess.check_call(
+        _generate_detect_secrets_hook_command_list(resolved_baseline, _determine_exclude_files(), tracked_files),
+        cwd=str(project_root),
+    )
+
+
+def main() -&gt; int:
+    &#34;&#34;&#34;Script CLI.&#34;&#34;&#34;
+    parser = argparse.ArgumentParser(
+        description=(
+            &#34;Check tracked files against the recorded secret registry so new secrets are not committed. &#34;
+            &#34;This uses Yelp detect-secrets (https://github.com/Yelp/detect-secrets).&#34;
+        )
+    )
+    parser.add_argument(
+        &#34;-r&#34;,
+        &#34;--registry-file&#34;,
+        default=Path(_get_secrets_baseline_filename()),
+        help=&#34;Secret registry file to use.&#34;,
+        type=Path,
+    )
+    parser.add_argument(
+        &#34;-v&#34;,
+        &#34;--verbose&#34;,
+        action=&#34;count&#34;,
+        default=0,
+        help=&#34;Verbosity, by default errors are reported.&#34;,
+    )
+    args = parser.parse_args()
+    set_log_level(args.verbose)
+
+    try:
+        detect_secrets(args.registry_file)
+        return 0
+    except Exception as e:
+        log_exception(logger, e)
+        return 1
+
+
+if __name__ == &#34;__main__&#34;:
+    sys.exit(main())</code></pre>
+</details>
+</section>
+<section>
+</section>
+<section>
+</section>
+<section>
+<h2 class="section-title" id="header-functions">Functions</h2>
+<dl>
+<dt id="continuous_delivery_scripts.detect_secrets.detect_secrets"><code class="name flex">
+<span>def <span class="ident">detect_secrets</span></span>(<span>baseline_file: Optional[pathlib.Path] = None) ‑> None</span>
+</code></dt>
+<dd>
+<div class="desc"><p>Check tracked files so new secrets are not introduced.</p></div>
+<details class="source">
+<summary>
+<span>Expand source code</span>
+</summary>
+<pre><code class="python">def detect_secrets(baseline_file: Optional[Path] = None) -&gt; None:
+    &#34;&#34;&#34;Check tracked files so new secrets are not introduced.&#34;&#34;&#34;
+    git = ProjectGitWrapper()
+    project_root = Path(str(git.root))
+    resolved_baseline = _get_secrets_baseline_file(baseline_file)
+    tracked_files = _filter_tracked_files(git.list_tracked_files(), project_root, resolved_baseline)
+    if not tracked_files:
+        logger.info(&#34;No tracked files found for detect-secrets.&#34;)
+        return
+    subprocess.check_call(
+        _generate_detect_secrets_hook_command_list(resolved_baseline, _determine_exclude_files(), tracked_files),
+        cwd=str(project_root),
+    )</code></pre>
+</details>
+</dd>
+<dt id="continuous_delivery_scripts.detect_secrets.main"><code class="name flex">
+<span>def <span class="ident">main</span></span>(<span>) ‑> int</span>
+</code></dt>
+<dd>
+<div class="desc"><p>Script CLI.</p></div>
+<details class="source">
+<summary>
+<span>Expand source code</span>
+</summary>
+<pre><code class="python">def main() -&gt; int:
+    &#34;&#34;&#34;Script CLI.&#34;&#34;&#34;
+    parser = argparse.ArgumentParser(
+        description=(
+            &#34;Check tracked files against the recorded secret registry so new secrets are not committed. &#34;
+            &#34;This uses Yelp detect-secrets (https://github.com/Yelp/detect-secrets).&#34;
+        )
+    )
+    parser.add_argument(
+        &#34;-r&#34;,
+        &#34;--registry-file&#34;,
+        default=Path(_get_secrets_baseline_filename()),
+        help=&#34;Secret registry file to use.&#34;,
+        type=Path,
+    )
+    parser.add_argument(
+        &#34;-v&#34;,
+        &#34;--verbose&#34;,
+        action=&#34;count&#34;,
+        default=0,
+        help=&#34;Verbosity, by default errors are reported.&#34;,
+    )
+    args = parser.parse_args()
+    set_log_level(args.verbose)
+
+    try:
+        detect_secrets(args.registry_file)
+        return 0
+    except Exception as e:
+        log_exception(logger, e)
+        return 1</code></pre>
+</details>
+</dd>
+</dl>
+</section>
+<section>
+</section>
+</article>
+<nav id="sidebar">
+<h1>Index</h1>
+<div class="toc">
+<ul></ul>
+</div>
+<ul id="index">
+<li><h3>Super-module</h3>
+<ul>
+<li><code><a title="continuous_delivery_scripts" href="index.html">continuous_delivery_scripts</a></code></li>
+</ul>
+</li>
+<li><h3><a href="#header-functions">Functions</a></h3>
+<ul class="">
+<li><code><a title="continuous_delivery_scripts.detect_secrets.detect_secrets" href="#continuous_delivery_scripts.detect_secrets.detect_secrets">detect_secrets</a></code></li>
+<li><code><a title="continuous_delivery_scripts.detect_secrets.main" href="#continuous_delivery_scripts.detect_secrets.main">main</a></code></li>
+</ul>
+</li>
+</ul>
+</nav>
+</main>
+<footer id="footer">
+<p>Generated by <a href="https://pdoc3.github.io/pdoc" title="pdoc: Python API documentation generator"><cite>pdoc</cite> 0.10.0</a>.</p>
+</footer>
+</body>
+</html>

docs/index.html

@@ -51,6 +51,10 @@ <h2 class="section-title" id="header-submodules">Sub-modules</h2>
 <dd>
 <div class="desc"><p>Easy news files generation …</p></div>
 </dd>
+<dt><code class="name"><a title="continuous_delivery_scripts.detect_secrets" href="detect_secrets.html">continuous_delivery_scripts.detect_secrets</a></code></dt>
+<dd>
+<div class="desc"><p>Check tracked files against the project's recorded secret registry.</p></div>
+</dd>
 <dt><code class="name"><a title="continuous_delivery_scripts.generate_docs" href="generate_docs.html">continuous_delivery_scripts.generate_docs</a></code></dt>
 <dd>
 <div class="desc"><p>Generates documentation.</p></div>
@@ -91,6 +95,10 @@ <h2 class="section-title" id="header-submodules">Sub-modules</h2>
 <dd>
 <div class="desc"><p>Orchestrates release process.</p></div>
 </dd>
+<dt><code class="name"><a title="continuous_delivery_scripts.update_secrets_registry" href="update_secrets_registry.html">continuous_delivery_scripts.update_secrets_registry</a></code></dt>
+<dd>
+<div class="desc"><p>Record the project's accepted secret registry using detect-secrets.</p></div>
+</dd>
 <dt><code class="name"><a title="continuous_delivery_scripts.utils" href="utils/index.html">continuous_delivery_scripts.utils</a></code></dt>
 <dd>
 <div class="desc"><p>Utility scripts to abstract and assist with scripts run in the CI.</p></div>
@@ -114,6 +122,7 @@ <h1>Index</h1>
 <ul>
 <li><code><a title="continuous_delivery_scripts.assert_news" href="assert_news.html">continuous_delivery_scripts.assert_news</a></code></li>
 <li><code><a title="continuous_delivery_scripts.create_news_file" href="create_news_file.html">continuous_delivery_scripts.create_news_file</a></code></li>
+<li><code><a title="continuous_delivery_scripts.detect_secrets" href="detect_secrets.html">continuous_delivery_scripts.detect_secrets</a></code></li>
 <li><code><a title="continuous_delivery_scripts.generate_docs" href="generate_docs.html">continuous_delivery_scripts.generate_docs</a></code></li>
 <li><code><a title="continuous_delivery_scripts.generate_news" href="generate_news.html">continuous_delivery_scripts.generate_news</a></code></li>
 <li><code><a title="continuous_delivery_scripts.get_config" href="get_config.html">continuous_delivery_scripts.get_config</a></code></li>
@@ -124,6 +133,7 @@ <h1>Index</h1>
 <li><code><a title="continuous_delivery_scripts.report_third_party_ip" href="report_third_party_ip.html">continuous_delivery_scripts.report_third_party_ip</a></code></li>
 <li><code><a title="continuous_delivery_scripts.spdx_report" href="spdx_report/index.html">continuous_delivery_scripts.spdx_report</a></code></li>
 <li><code><a title="continuous_delivery_scripts.tag_and_release" href="tag_and_release.html">continuous_delivery_scripts.tag_and_release</a></code></li>
+<li><code><a title="continuous_delivery_scripts.update_secrets_registry" href="update_secrets_registry.html">continuous_delivery_scripts.update_secrets_registry</a></code></li>
 <li><code><a title="continuous_delivery_scripts.utils" href="utils/index.html">continuous_delivery_scripts.utils</a></code></li>
 </ul>
 </li>

docs/plugins/basic.html

@@ -254,6 +254,7 @@ <h3>Inherited members</h3>
 <ul class="hlist">
 <li><code><a title="continuous_delivery_scripts.utils.language_specifics_base.BaseLanguage.can_get_project_metadata" href="../utils/language_specifics_base.html#continuous_delivery_scripts.utils.language_specifics_base.BaseLanguage.can_get_project_metadata">can_get_project_metadata</a></code></li>
 <li><code><a title="continuous_delivery_scripts.utils.language_specifics_base.BaseLanguage.generate_source_licence_header_template" href="../utils/language_specifics_base.html#continuous_delivery_scripts.utils.language_specifics_base.BaseLanguage.generate_source_licence_header_template">generate_source_licence_header_template</a></code></li>
+<li><code><a title="continuous_delivery_scripts.utils.language_specifics_base.BaseLanguage.get_secret_registry_exclude_files" href="../utils/language_specifics_base.html#continuous_delivery_scripts.utils.language_specifics_base.BaseLanguage.get_secret_registry_exclude_files">get_secret_registry_exclude_files</a></code></li>
 <li><code><a title="continuous_delivery_scripts.utils.language_specifics_base.BaseLanguage.get_version_tag" href="../utils/language_specifics_base.html#continuous_delivery_scripts.utils.language_specifics_base.BaseLanguage.get_version_tag">get_version_tag</a></code></li>
 <li><code><a title="continuous_delivery_scripts.utils.language_specifics_base.BaseLanguage.should_clean_before_packaging" href="../utils/language_specifics_base.html#continuous_delivery_scripts.utils.language_specifics_base.BaseLanguage.should_clean_before_packaging">should_clean_before_packaging</a></code></li>
 <li><code><a title="continuous_delivery_scripts.utils.language_specifics_base.BaseLanguage.should_include_spdx_in_package" href="../utils/language_specifics_base.html#continuous_delivery_scripts.utils.language_specifics_base.BaseLanguage.should_include_spdx_in_package">should_include_spdx_in_package</a></code></li>