infra/.gitattributes
Viktor Barzin 5d5d9752cb
All checks were successful
ci/woodpecker/push/default Pipeline was successful
guard: ignore + git-crypt kubeconfig files so they can't leak to the public mirror
A GitGuardian audit of the infra repo showed the recent alerts were test
fixtures (false positives), but surfaced a real historical leak: a
cluster-admin kubeconfig was once committed as stacks/f1-stream/.../.config
(now expired, reachable only via a GitHub PR ref). The .gitignore already had
a `config` rule for kubeconfigs but missed the dotfile form `.config` — which
is exactly how that file slipped onto the public mirror.

Close the gap in two layers:
- .gitignore: also ignore `.config`, `kubeconfig`, `*.kubeconfig`,
  `admin.conf`, `.kube/` so they're never staged by accident.
- .gitattributes: route `.config`, `kubeconfig`, `*.kubeconfig`, `admin.conf`
  through git-crypt so a force-add or rename still lands as ciphertext (never
  plaintext) on the public GitHub mirror.

No tracked files match these names today, so there is zero retroactive impact
— purely forward-looking prevention.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 07:14:58 +00:00


.gitattributes !filter !diff
*.tfstate filter=git-crypt diff=git-crypt
*.tfvars filter=git-crypt diff=git-crypt
secrets/** filter=git-crypt diff=git-crypt
stacks/**/secrets/** filter=git-crypt diff=git-crypt
# Kubeconfigs / cluster credentials — encrypt at rest so a force-added or renamed
# commit can't push plaintext to the public GitHub mirror. Belt-and-suspenders to
# the matching .gitignore rules; `.config` is explicit because that is exactly the
# name an admin kubeconfig once leaked under (GitGuardian, 2026-07-02).
.config filter=git-crypt diff=git-crypt
kubeconfig filter=git-crypt diff=git-crypt
*.kubeconfig filter=git-crypt diff=git-crypt
admin.conf filter=git-crypt diff=git-crypt