Add automated secret scanning (make check-secrets, pre-commit hook)
Part of #24 (closed) (#24 (closed)).
Background
The bulk of issue #24 (closed) (redacting GitLab tokens accidentally committed into notes/ chat
exports) was handled directly against main via a full git filter-repo --replace-text history
rewrite - not something that can go through a normal branch/MR, since it rewrites main's own
history. That part is done: every commit SHA changed, all tags were re-pushed pointing at the
rewritten commits, and a follow-up gitleaks sweep of the rewritten history confirms zero
remaining secrets.
This MR is the preventative half of the ticket (expanded per Danny's request beyond the originally-scoped manual redaction script): automated scanning so this can't recur silently.
Changes
make check-secrets: runsgitleaks git --log-opts="--all"(full-history sweep) and is now part ofmake lint, so both local runs and CI's existinglintjob catch a committed secret with no.gitlab-ci.ymlchanges needed.make install-git-hooks: installsscripts/pre-commit(gitleaks protect --staged- a fast, staged-diff-only scan) as an opt-in pre-commit hook, catching a secret before it's ever committed rather than only before it's merged. Not installed automatically, since git doesn't version.git/hooks- this is a one-time manual step per clone.make setupinstallsgitleaksitself if missing, matching the existing pattern forgoreleaser.CLAUDE.mdupdated (Build & dev commands, Design notes, Known issues - including a note about the history rewrite itself, for future readers).
Testing
- Manually verified the hook actually blocks a commit: staged a file containing a fake token
shaped like a real GitLab PAT, confirmed
git commitwas rejected with the expected finding, then removed it. - This very commit went through the installed hook successfully (see the gitleaks output in the commit process).
make lint(now includingcheck-secrets) is clean.