Merge branch 'main' into dependabot/uv/uv-22e9261afe

nikolay-e · web-flow · commit 48c21f868a40 · 2026-06-20T11:28:09.000+02:00
diff --git a/tests/test_default_ignores.py b/tests/test_default_ignores.py
@@ -90,7 +90,7 @@ def test_git_directory_ignored(temp_project, run_mapper):
 def test_default_private_key_ignores(temp_project, run_mapper):
     secrets = ["server.pem", "tls.key", "keystore.p12", "app.pfx", "app.jks", "id_rsa", "id_ed25519"]
     for secret in secrets:
-        (temp_project / secret).write_text("-----BEGIN PRIVATE KEY-----\ndo-not-leak\n", encoding="utf-8")
+        (temp_project / secret).write_text("private-key-material do-not-leak\n", encoding="utf-8")
 
     kept = ["id_rsa.pub", "config.py", ".env"]
     for f in kept:
diff --git a/tests/test_secret_ignores_diff.py b/tests/test_secret_ignores_diff.py
@@ -1,21 +1,20 @@
 from __future__ import annotations
 
 import diffctx
-
 from tests.framework.pygit2_backend import Pygit2Repo
 
 
 def _build_repo_with_changed_private_keys(tmp_path):
     repo = Pygit2Repo(tmp_path / "repo")
     repo.add_file("app.py", "import os\nKEY = os.environ['K']\n")
-    repo.add_file("id_rsa", "-----BEGIN PRIVATE KEY-----\nLEAK_RSA_INITIAL\n")
-    repo.add_file("tls.key", "-----BEGIN PRIVATE KEY-----\nLEAK_KEY_INITIAL\n")
+    repo.add_file("id_rsa", "private-key-material LEAK_RSA_INITIAL\n")  # pragma: allowlist secret
+    repo.add_file("tls.key", "private-key-material LEAK_KEY_INITIAL\n")  # pragma: allowlist secret
     repo.add_file("server.pem", "-----BEGIN CERTIFICATE-----\nLEAK_PEM_INITIAL\n")
     repo.commit("initial")
 
     repo.add_file("app.py", "import os\nKEY = os.environ['K']\nTOKEN = os.environ['T']\n")
-    repo.add_file("id_rsa", "-----BEGIN PRIVATE KEY-----\nLEAK_RSA_CHANGED\n")
-    repo.add_file("tls.key", "-----BEGIN PRIVATE KEY-----\nLEAK_KEY_CHANGED\n")
+    repo.add_file("id_rsa", "private-key-material LEAK_RSA_CHANGED\n")  # pragma: allowlist secret
+    repo.add_file("tls.key", "private-key-material LEAK_KEY_CHANGED\n")  # pragma: allowlist secret
     repo.add_file("server.pem", "-----BEGIN CERTIFICATE-----\nLEAK_PEM_CHANGED\n")
     repo.commit("change app and private keys")
     return repo
@@ -28,9 +27,7 @@ def test_diff_context_excludes_changed_private_keys(tmp_path):
     repo = _build_repo_with_changed_private_keys(tmp_path)
 
     for full in (False, True):
-        rendered = diffctx.to_yaml(
-            diffctx.build_diff_context(root_dir=repo.path, diff_range="HEAD~1", full=full)
-        )
+        rendered = diffctx.to_yaml(diffctx.build_diff_context(root_dir=repo.path, diff_range="HEAD~1", full=full))
         for marker in SECRET_MARKERS:
             assert marker not in rendered, (full, marker)
         assert "id_rsa" not in rendered and "tls.key" not in rendered and "server.pem" not in rendered
