feat(security)!: replace synced gitleaks.yml with native MokoGit secret scanning [BREAKING] #357

Open
opened 2026-07-16 22:33:00 +00:00 by jmiller · 1 comment
Owner

Summary

Retire the gitleaks.yml MokoGit Actions workflow — currently synced to every governed repo at .mokogit/workflows/gitleaks.yml — in favor of MokoGit's native, server-side secret scanning.

Motivation

  • gitleaks.yml runs per-repo on Actions runners (compute + maintenance surface) and is duplicated across all templates and repos via workflow-sync.
  • Native MokoGit secret scanning runs server-side on push, is centrally configured, needs no synced workflow, and can gate pushes directly (push protection).

Why this is breaking

  • Removes gitleaks.yml from all templates (Generic / Go / Joomla / NPM / Dot).
  • The sync's orphan-cleanup then deletes gitleaks.yml from every governed repo on the next --phase repos run.
  • Repos relying on the gitleaks Actions run for PR gating must switch to the native feature's push protection.
  • The ntfy alerting wired into gitleaks.yml (NTFY_URL / NTFY_TOPIC, topic mokogit-security) must be re-pointed at the native feature's alerting.

Migration plan

  1. Enable MokoGit native secret scanning org-wide (patterns, allowlist, push protection).
  2. Remove gitleaks.yml from the templates (source of truth).
  3. Run moko workflow:sync --phase templates then --phase repos so orphan-cleanup strips gitleaks.yml everywhere.
  4. Verify push protection is active per repo; decommission the ntfy wiring.

Related

  • Workflow-sync tooling: cli/workflow_sync.php (this repo).
  • Follows the .mokogitea.mokogit rebrand (PR #356), template-map fix, and Template-Dot curation.

Suggested labels: breaking, security, enhancement

https://claude.ai/code/session_014Fjb4NvgviMoNU6NrGa4VE

## Summary Retire the `gitleaks.yml` MokoGit Actions workflow — currently synced to every governed repo at `.mokogit/workflows/gitleaks.yml` — in favor of MokoGit's native, server-side secret scanning. ## Motivation - `gitleaks.yml` runs per-repo on Actions runners (compute + maintenance surface) and is duplicated across all templates and repos via workflow-sync. - Native MokoGit secret scanning runs server-side on push, is centrally configured, needs no synced workflow, and can gate pushes directly (push protection). ## Why this is breaking - Removes `gitleaks.yml` from all templates (Generic / Go / Joomla / NPM / Dot). - The sync's orphan-cleanup then deletes `gitleaks.yml` from **every** governed repo on the next `--phase repos` run. - Repos relying on the gitleaks Actions run for PR gating must switch to the native feature's push protection. - The `ntfy` alerting wired into `gitleaks.yml` (`NTFY_URL` / `NTFY_TOPIC`, topic `mokogit-security`) must be re-pointed at the native feature's alerting. ## Migration plan 1. Enable MokoGit native secret scanning org-wide (patterns, allowlist, push protection). 2. Remove `gitleaks.yml` from the templates (source of truth). 3. Run `moko workflow:sync --phase templates` then `--phase repos` so orphan-cleanup strips `gitleaks.yml` everywhere. 4. Verify push protection is active per repo; decommission the ntfy wiring. ## Related - Workflow-sync tooling: `cli/workflow_sync.php` (this repo). - Follows the `.mokogitea` → `.mokogit` rebrand (PR #356), template-map fix, and Template-Dot curation. Suggested labels: breaking, security, enhancement https://claude.ai/code/session_014Fjb4NvgviMoNU6NrGa4VE
Author
Owner

Branch created: feature/357-feat-security-replace-synced-gitleaks-ym

git fetch origin
git checkout feature/357-feat-security-replace-synced-gitleaks-ym
Branch created: [`feature/357-feat-security-replace-synced-gitleaks-ym`](https://git.mokoconsulting.tech/MokoConsulting/MokoCLI/src/branch/feature/357-feat-security-replace-synced-gitleaks-ym) ```bash git fetch origin git checkout feature/357-feat-security-replace-synced-gitleaks-ym ```
Sign in to join this conversation.
No labels
Priority Medium
Type Feature
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MokoConsulting/MokoCLI#357