A GitGuardian audit of the infra repo showed the recent alerts were test fixtures (false positives), but surfaced a real historical leak: a cluster-admin kubeconfig was once committed as stacks/f1-stream/.../.config (now expired, reachable only via a GitHub PR ref). The .gitignore already had a `config` rule for kubeconfigs but missed the dotfile form `.config` — which is exactly how that file slipped onto the public mirror.

Close the gap in two layers:

- .gitignore: also ignore `.config`, `kubeconfig`, `*.kubeconfig`, `admin.conf`, `.kube/` so they're never staged by accident.
- .gitattributes: route `.config`, `kubeconfig`, `*.kubeconfig`, `admin.conf` through git-crypt so a force-add or rename still lands as ciphertext (never plaintext) on the public GitHub mirror.

No tracked files match these names today, so there is zero retroactive impact — purely forward-looking prevention.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
15 lines
699 B
Text
.gitattributes !filter !diff
*.tfstate filter=git-crypt diff=git-crypt
*.tfvars filter=git-crypt diff=git-crypt
secrets/** filter=git-crypt diff=git-crypt
stacks/**/secrets/** filter=git-crypt diff=git-crypt
# Kubeconfigs / cluster credentials — encrypt at rest so a force-added or renamed
# commit can't push plaintext to the public GitHub mirror. Belt-and-suspenders to
# the .gitignore rules above; `.config` is explicit because that is exactly the
# name an admin kubeconfig once leaked under (GitGuardian, 2026-07-02).
.config filter=git-crypt diff=git-crypt
kubeconfig filter=git-crypt diff=git-crypt
*.kubeconfig filter=git-crypt diff=git-crypt
admin.conf filter=git-crypt diff=git-crypt
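Review bot: the git-crypt layer does not cover the `.kube/` directory that the .gitignore layer ignores, so a force-added `.kube/config` (the default kubeconfig path, whose basename matches none of `.config`, `kubeconfig`, `*.kubeconfig` or `admin.conf`) would still reach the public mirror in plaintext; add `.kube/** filter=git-crypt diff=git-crypt` alongside the four new rules. Two smaller points: the `filter=git-crypt` attribute only bites in clones where git-crypt has been unlocked, because that is what writes the `filter.git-crypt.*` driver into `.git/config`, and on a clone without that driver git stages the file unchanged and without error, so a server-side or CI check that blobs at these paths start with the git-crypt magic header is the part that actually makes the guarantee hold; and the comment's "the .gitignore rules above" reads as if those rules lived in this file, so name .gitignore explicitly.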