ci(gitleaks): migrate from custom config to .gitleaksignore allowlist

hyp3rd · hyp3rd · commit 229f5fc8c5d6 · 2026-05-05T15:50:36.000+02:00
Replace the custom `.gitleaksconfig.toml` (which extended the default
gitleaks config and defined path-based allowlists) with a `.gitleaksignore`
file that allowlists specific fingerprints for known curl auth header
occurrences in docker-compose and test scripts.

Remove the `GITLEAKS_CONFIG` env var from the GitHub Actions workflow,
allowing gitleaks to use its built-in defaults and pick up the new
`.gitleaksignore` automatically.
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -21,4 +21,3 @@ jobs:
             - uses: gitleaks/gitleaks-action@v2
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-                  GITLEAKS_CONFIG: .gitleaksconfig.toml
diff --git a/.gitleaksconfig.toml b/.gitleaksconfig.toml
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -0,0 +1,9 @@
+docker-compose.cluster.yml:curl-auth-header:14
+docker-compose.cluster.yml:curl-auth-header:16
+docker-compose.cluster.yml:curl-auth-header:17
+scripts/tests/10-test-cluster-api.sh:curl-auth-header:6
+scripts/tests/10-test-cluster-api.sh:curl-auth-header:13
+scripts/tests/10-test-cluster-api.sh:curl-auth-header:19
+scripts/tests/10-test-cluster-api.sh:curl-auth-header:26
+scripts/tests/10-test-cluster-api.sh:curl-auth-header:32
+scripts/tests/10-test-cluster-api.sh:curl-auth-header:36
