Harden for open-sourcing: config-ize prod defaults + gitleaks secret scanning#1
Merged
Merged
Conversation
The public build hardcoded a personal email (agents-owner fallback) and a
production vault path (/opt/buildwithsumit/vault/auto). Read both from
config instead so a fresh open-source deploy carries no personal or
prod-specific defaults:
- agents owner: AGENTS_OWNER_EMAIL, falling back to GLOBUS_FIRST_MEMBER_EMAIL
(the seed member). If neither is set, owner-only agents stay locked.
- vault auto-build dir: GLOBUS_VAULT_AUTO_DIR, default /opt/globus/vault/auto.
Both knobs documented in config/.env.example.
Guard against a credential ever landing in this public repo.
- .github/workflows/gitleaks.yml: runs the gitleaks CLI via its official
Docker image on every push and PR over full history. Uses the CLI (not
gitleaks-action) because the Action requires a paid license for
org-owned repos; the CLI is free.
- .pre-commit-config.yaml: blocks leaks locally before commit.
- .gitleaks.toml: extends the default ruleset, allowlists the sanitized
example files + public identifiers to avoid false positives.
- CONTRIBUTING.md: documents the never-commit-secrets rule + hook install.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two small hardening changes ahead of wider open-sourcing.
1. Remove hardcoded prod/personal defaults (
configcommit)server/agents_runtime.pyno longer defaults the agents-owner to a personal email — readsAGENTS_OWNER_EMAIL, falling back toGLOBUS_FIRST_MEMBER_EMAIL(the seed member). If neither is set, owner-only agents stay locked (safe default).server/vault_stats.pyno longer pins the vault auto-build dir to/opt/buildwithsumit/vault/auto— readsGLOBUS_VAULT_AUTO_DIR(default/opt/globus/vault/auto).config/.env.example.2. gitleaks secret scanning (
opscommit).github/workflows/gitleaks.yml— runs the gitleaks CLI (official Docker image) on every push + PR over full history. Uses the CLI rather thangitleaks-actionbecause the Action requires a paid license for org-owned repos; the CLI is free..pre-commit-config.yaml— blocks leaks locally before commit..gitleaks.toml— extends the default ruleset; allowlists the sanitized example files + public identifiers.CONTRIBUTING.md— documents the never-commit-secrets rule + hook install.No secrets were found in the repo (tree or history) during the audit that prompted this — this is preventive.