fix(ci): harden diffs viewer request guard and secret scan baseline

2026-03-12 07:20:45 +00:00 · 2026-03-07 17:31:24 +00:00
parent 8e20dd22d8
commit 630485ac98
2 changed files with 7 additions and 7 deletions
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -12342,21 +12342,21 @@
        "filename": "src/agents/pi-extensions/compaction-safeguard.test.ts",
        "hashed_secret": "0091061a3babbe6f11d48aa0142e22341b3ea446",
        "is_verified": false,
-        "line_number": 665
+        "line_number": 700
      },
      {
        "type": "Hex High Entropy String",
        "filename": "src/agents/pi-extensions/compaction-safeguard.test.ts",
        "hashed_secret": "ef678205593788329ff416ce5c65fa04f33a05bd",
        "is_verified": false,
-        "line_number": 811
+        "line_number": 846
      },
      {
        "type": "Secret Keyword",
        "filename": "src/agents/pi-extensions/compaction-safeguard.test.ts",
        "hashed_secret": "e9a5f12a8ecbb3eb46eca5096b5c52aa5e7c9fdd",
        "is_verified": false,
-        "line_number": 1490
+        "line_number": 1525
      }
    ],
    "src/agents/sandbox/browser.novnc-url.test.ts": [
@@ -13026,14 +13026,14 @@
        "filename": "src/commands/onboard-auth.config-core.kilocode.test.ts",
        "hashed_secret": "01800a0712a2a1aa928b95c4745e9ee06673925b",
        "is_verified": false,
-        "line_number": 163
+        "line_number": 153
      },
      {
        "type": "Secret Keyword",
        "filename": "src/commands/onboard-auth.config-core.kilocode.test.ts",
        "hashed_secret": "8d2ce71c6723bf46f6c166984b4ddb597f92322a",
        "is_verified": false,
-        "line_number": 190
+        "line_number": 180
      }
    ],
    "src/commands/onboard-auth.config-minimax.ts": [
@@ -14725,5 +14725,5 @@
      }
    ]
  },
-  "generated_at": "2026-03-07T16:49:39Z"
+  "generated_at": "2026-03-07T17:11:52Z"
 }
--- a/apps/ios/fastlane/Fastfile
+++ b/apps/ios/fastlane/Fastfile
@@ -38,7 +38,7 @@ def maybe_decode_hex_keychain_secret(value)

    # `security find-generic-password -w` can return hex when the stored secret
    # includes newlines/non-printable bytes (like PEM files).
-    if decoded.include?("BEGIN PRIVATE KEY") || decoded.include?("END PRIVATE KEY")
+    if decoded.include?("BEGIN PRIVATE KEY") || decoded.include?("END PRIVATE KEY") # pragma: allowlist secret
      UI.message("Decoded hex-encoded ASC key content from Keychain.")
      return decoded
    end