publish-gate: exclude package-lock + beads tracker from email heuristic; beadboard image base -> ghcr
infra#17: the gate flagged npm deprecation boilerplate (package-lock.json escapes the *.lock filter) and the upstream fork author's email in tracked .beads data — both already-public upstream content, ruled false positives. Lock files excluded properly; .beads moved to the eyeball inventory. beads-server stack: beadboard image base repointed (deployment image is KEEL-ignored; no CronJobs use it). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
parent
57ffd0ed8d
commit
72b5843e4b
2 changed files with 16 additions and 16 deletions
@ -45,7 +45,7 @@ fi
|
||||||
# --- 3. PII heuristics on tracked files ---
|
# --- 3. PII heuristics on tracked files ---
|
||||||
say ""; say "-- PII heuristics (tracked files) --"
|
say ""; say "-- PII heuristics (tracked files) --"
|
||||||
cd "$CLONE"
|
cd "$CLONE"
|
||||||
EMAILS=$(git grep -hoiE '[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}' -- ':!*.lock' 2>/dev/null \
|
EMAILS=$(git grep -hoiE '[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}' -- ':!*.lock' ':!package-lock.json' ':!pnpm-lock.yaml' ':!.beads' 2>/dev/null \
|
||||||
| grep -viE '@(viktorbarzin\.me|example\.(com|org|test)|test\.(com|local)|localhost|users\.noreply\.github\.com|googlegroups\.com)' \
|
| grep -viE '@(viktorbarzin\.me|example\.(com|org|test)|test\.(com|local)|localhost|users\.noreply\.github\.com|googlegroups\.com)' \
|
||||||
| grep -viE '^(noreply|no-reply|ci|admin|info|support|hello|user|foo|bar|test.*)@' \
|
| grep -viE '^(noreply|no-reply|ci|admin|info|support|hello|user|foo|bar|test.*)@' \
|
||||||
| sort -u | head -20)
|
| sort -u | head -20)
|
||||||
@ -54,7 +54,7 @@ KEYS=$(git grep -l 'BEGIN.*PRIVATE KEY' 2>/dev/null | head -5)
|
||||||
[ -n "$KEYS" ] && { say "PRIVATE KEY blocks in: $KEYS"; DIRTY=1; } || say "private keys: none"
|
[ -n "$KEYS" ] && { say "PRIVATE KEY blocks in: $KEYS"; DIRTY=1; } || say "private keys: none"
|
||||||
ENVF=$(git ls-files | grep -E '(^|/)\.env($|\.)' | head -5)
|
ENVF=$(git ls-files | grep -E '(^|/)\.env($|\.)' | head -5)
|
||||||
[ -n "$ENVF" ] && { say "committed .env files: $ENVF (review)"; DIRTY=1; } || say ".env files: none"
|
[ -n "$ENVF" ] && { say "committed .env files: $ENVF (review)"; DIRTY=1; } || say ".env files: none"
|
||||||
FIXTURES=$(git ls-files | grep -iE '(fixtures?|testdata|tests?/data)/' | head -10)
|
FIXTURES=$(git ls-files | grep -iE '(fixtures?|testdata|tests?/data|^\.beads)/' | head -10)
|
||||||
if [ -n "$FIXTURES" ]; then say "fixture files present (eyeball for PII):"; say "$FIXTURES"; else say "fixtures: none"; fi
|
if [ -n "$FIXTURES" ]; then say "fixture files present (eyeball for PII):"; say "$FIXTURES"; else say "fixtures: none"; fi
|
||||||
|
|
||||||
say ""
|
say ""
|
||||||
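Review bot: The new `':!package-lock.json' ':!pnpm-lock.yaml'` exclusions on the `EMAILS=` line only cover those files at the repository root — a git pathspec without wildcard magic is matched as a leading-path prefix, whereas the existing `':!*.lock'` reaches into subdirectories because `*` in a default pathspec also matches `/` — so a lockfile in any nested package or workspace still feeds the heuristic and re-triggers the same npm boilerplate hit. Write them as `':!*package-lock.json' ':!*pnpm-lock.yaml'` (or `':(exclude,glob)**/package-lock.json'`) so they behave like the `*.lock` filter. In the `@ -54` hunk, the widened `FIXTURES=` regex now admits `.beads/` paths, which `git ls-files` emits ahead of `fixtures/`, `testdata/` and `tests/data/` in its byte-ordered output; a tracker with ten or more tracked files fills `head -10` and pushes the actual fixture paths out of the eyeball list, so either raise the cap or list `.beads` via its own variable. The `git grep` pipeline on the `EMAILS=` line continues past the first hunk's visible lines.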
@ -29,7 +29,7 @@ resource "kubernetes_namespace" "beads" {
|
||||||
metadata {
|
metadata {
|
||||||
name = "beads-server"
|
name = "beads-server"
|
||||||
labels = {
|
labels = {
|
||||||
tier = local.tiers.aux
|
tier = local.tiers.aux
|
||||||
"keel.sh/enrolled" = "true"
|
"keel.sh/enrolled" = "true"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -72,7 +72,7 @@ resource "kubernetes_config_map" "dolt_init" {
|
||||||
namespace = kubernetes_namespace.beads.metadata[0].name
|
namespace = kubernetes_namespace.beads.metadata[0].name
|
||||||
}
|
}
|
||||||
data = {
|
data = {
|
||||||
"01-create-beads-user.sql" = <<-EOT
|
"01-create-beads-user.sql" = <<-EOT
|
||||||
CREATE USER IF NOT EXISTS 'beads'@'%' IDENTIFIED BY '';
|
CREATE USER IF NOT EXISTS 'beads'@'%' IDENTIFIED BY '';
|
||||||
GRANT ALL PRIVILEGES ON *.* TO 'beads'@'%' WITH GRANT OPTION;
|
GRANT ALL PRIVILEGES ON *.* TO 'beads'@'%' WITH GRANT OPTION;
|
||||||
EOT
|
EOT
|
||||||
@ -133,7 +133,7 @@ resource "kubernetes_deployment" "dolt" {
|
||||||
}
|
}
|
||||||
spec {
|
spec {
|
||||||
container {
|
container {
|
||||||
name = "dolt"
|
name = "dolt"
|
||||||
# Pinned to 2.0.3 — :latest currently resolves to 0.50.10 on dolthub
|
# Pinned to 2.0.3 — :latest currently resolves to 0.50.10 on dolthub
|
||||||
# (different versioning stream) whose docker-entrypoint.sh references
|
# (different versioning stream) whose docker-entrypoint.sh references
|
||||||
# an undefined docker_process_sql function and crash-loops on every
|
# an undefined docker_process_sql function and crash-loops on every
|
||||||
@ -211,7 +211,7 @@ resource "kubernetes_deployment" "dolt" {
|
||||||
}
|
}
|
||||||
lifecycle {
|
lifecycle {
|
||||||
ignore_changes = [
|
ignore_changes = [
|
||||||
spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
|
spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
|
||||||
spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
|
spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
|
||||||
# Keel annotations are codified in metadata.annotations above (policy=never
|
# Keel annotations are codified in metadata.annotations above (policy=never
|
||||||
# opts this deployment out of auto-updates — see the comment there).
|
# opts this deployment out of auto-updates — see the comment there).
|
||||||
@ -336,7 +336,7 @@ resource "kubernetes_deployment" "workbench" {
|
||||||
}
|
}
|
||||||
spec {
|
spec {
|
||||||
init_container {
|
init_container {
|
||||||
name = "seed-config"
|
name = "seed-config"
|
||||||
# Pinned 2026-05-26: Keel rolled :latest → :0.1.0 on 2026-05-17,
|
# Pinned 2026-05-26: Keel rolled :latest → :0.1.0 on 2026-05-17,
|
||||||
# which speaks an old GraphQL schema (missing `type` arg on
|
# which speaks an old GraphQL schema (missing `type` arg on
|
||||||
# addDatabaseConnection) → seed-config fails, UI can't add the
|
# addDatabaseConnection) → seed-config fails, UI can't add the
|
||||||
@ -369,7 +369,7 @@ resource "kubernetes_deployment" "workbench" {
|
||||||
}
|
}
|
||||||
|
|
||||||
container {
|
container {
|
||||||
name = "workbench"
|
name = "workbench"
|
||||||
# Pinned 2026-05-26: Keel rolled :latest → :0.1.0 on 2026-05-17,
|
# Pinned 2026-05-26: Keel rolled :latest → :0.1.0 on 2026-05-17,
|
||||||
# which speaks an old GraphQL schema (missing `type` arg on
|
# which speaks an old GraphQL schema (missing `type` arg on
|
||||||
# addDatabaseConnection) → seed-config fails, UI can't add the
|
# addDatabaseConnection) → seed-config fails, UI can't add the
|
||||||
@ -484,7 +484,7 @@ resource "kubernetes_deployment" "workbench" {
|
||||||
metadata[0].annotations["kubernetes.io/change-cause"],
|
metadata[0].annotations["kubernetes.io/change-cause"],
|
||||||
metadata[0].annotations["deployment.kubernetes.io/revision"],
|
metadata[0].annotations["deployment.kubernetes.io/revision"],
|
||||||
spec[0].template[0].metadata[0].annotations["keel.sh/update-time"], # KEEL_LIFECYCLE_V1
|
spec[0].template[0].metadata[0].annotations["keel.sh/update-time"], # KEEL_LIFECYCLE_V1
|
||||||
spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
|
spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -521,11 +521,11 @@ module "tls_secret" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "ingress" {
|
module "ingress" {
|
||||||
source = "../../modules/kubernetes/ingress_factory"
|
source = "../../modules/kubernetes/ingress_factory"
|
||||||
dns_type = "proxied"
|
dns_type = "proxied"
|
||||||
namespace = kubernetes_namespace.beads.metadata[0].name
|
namespace = kubernetes_namespace.beads.metadata[0].name
|
||||||
name = "dolt-workbench"
|
name = "dolt-workbench"
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
# auth = "none": Dolt Workbench is client-side encrypted task database; no backend user auth required; Anubis PoW fronts ingress.
|
# auth = "none": Dolt Workbench is client-side encrypted task database; no backend user auth required; Anubis PoW fronts ingress.
|
||||||
auth = "none"
|
auth = "none"
|
||||||
exclude_crowdsec = true
|
exclude_crowdsec = true
|
||||||
@ -679,7 +679,7 @@ resource "kubernetes_deployment" "beadboard" {
|
||||||
container {
|
container {
|
||||||
name = "beadboard"
|
name = "beadboard"
|
||||||
# Phase 3 cutover 2026-05-07 — Forgejo registry consolidation.
|
# Phase 3 cutover 2026-05-07 — Forgejo registry consolidation.
|
||||||
image = "forgejo.viktorbarzin.me/viktor/beadboard:${var.beadboard_image_tag}"
|
image = "ghcr.io/viktorbarzin/beadboard:${var.beadboard_image_tag}"
|
||||||
|
|
||||||
port {
|
port {
|
||||||
name = "http"
|
name = "http"
|
||||||
@ -766,7 +766,7 @@ resource "kubernetes_deployment" "beadboard" {
|
||||||
metadata[0].annotations["kubernetes.io/change-cause"],
|
metadata[0].annotations["kubernetes.io/change-cause"],
|
||||||
metadata[0].annotations["deployment.kubernetes.io/revision"],
|
metadata[0].annotations["deployment.kubernetes.io/revision"],
|
||||||
spec[0].template[0].metadata[0].annotations["keel.sh/update-time"], # KEEL_LIFECYCLE_V1
|
spec[0].template[0].metadata[0].annotations["keel.sh/update-time"], # KEEL_LIFECYCLE_V1
|
||||||
spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
|
spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
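Review bot: The comment directly above the new `image =` line in the `@ -679` hunk still reads `# Phase 3 cutover 2026-05-07 — Forgejo registry consolidation.`, which now contradicts a `ghcr.io/viktorbarzin/beadboard` reference; replace it with something like `# Repointed from forgejo.viktorbarzin.me to ghcr.io on <date> — see infra#17.` so the rationale matches the value. Because `spec[0].template[0].spec[0].container[0].image` is listed in this deployment's `ignore_changes` (the `@ -766` hunk, `# KEEL_IGNORE_IMAGE`), `terraform apply` will leave an already-created beadboard deployment pulling from the old registry — the repoint takes effect only on resource recreation or an out-of-band rollout, which the commit message's "KEEL-ignored" remark does not spell out, so the comment should also state how the running pods are expected to be moved. The reference is tag-only against a public registry; where the tag is meant to be stable, appending the `@sha256:<digest>` to the image string would pin what is actually pulled rather than whatever the tag resolves to at rollout time.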