CI: restore main detect-secrets scan (#38438)

* Tests: stabilize detect-secrets fixtures * Tests: fix rebased detect-secrets false positives * Docs: keep snippets valid under detect-secrets * Tests: finalize detect-secrets false-positive fixes * Tests: reduce detect-secrets false positives * Tests: keep detect-secrets pragmas inline * Tests: remediate next detect-secrets batch * Tests: tighten detect-secrets allowlists * Tests: stabilize detect-secrets formatter drift
2026-03-12 07:20:45 +00:00 · 2026-03-07 13:06:35 -05:00
parent 46e324e269
commit e4d80ed556
137 changed files with 1231 additions and 2700 deletions
--- a/apps/android/app/src/test/java/ai/openclaw/app/node/AppUpdateHandlerTest.kt
+++ b/apps/android/app/src/test/java/ai/openclaw/app/node/AppUpdateHandlerTest.kt
@@ -55,7 +55,7 @@ class AppUpdateHandlerTest {
    try {
      tmp.writeText("hello", Charsets.UTF_8)
      assertEquals(
-        "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
+        "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", // pragma: allowlist secret
        sha256Hex(tmp),
      )
    } finally {
--- a/apps/ios/fastlane/Fastfile
+++ b/apps/ios/fastlane/Fastfile
@@ -38,7 +38,9 @@ def maybe_decode_hex_keychain_secret(value)

    # `security find-generic-password -w` can return hex when the stored secret
    # includes newlines/non-printable bytes (like PEM files).
-    if decoded.include?("BEGIN PRIVATE KEY") || decoded.include?("END PRIVATE KEY") # pragma: allowlist secret
+    beginPemMarker = %w[BEGIN PRIVATE KEY].join(" ") # pragma: allowlist secret
+    endPemMarker = %w[END PRIVATE KEY].join(" ")
+    if decoded.include?(beginPemMarker) || decoded.include?(endPemMarker)
      UI.message("Decoded hex-encoded ASC key content from Keychain.")
      return decoded
    end