Skip to content

Bump gitleaks/gitleaks-action from 2 to 3#8

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/gitleaks/gitleaks-action-3
Closed

Bump gitleaks/gitleaks-action from 2 to 3#8
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/gitleaks/gitleaks-action-3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 1, 2026

Copy link
Copy Markdown
Contributor

Bumps gitleaks/gitleaks-action from 2 to 3.

Release notes

Sourced from gitleaks/gitleaks-action's releases.

v3.0.0

What's changed

gitleaks-action v3 migrates the runtime from Node 20 to Node 24. No changes to inputs, outputs, or behavior. Update your workflow from gitleaks/gitleaks-action@v2 to gitleaks/gitleaks-action@v3.

Migration

# Before
- uses: gitleaks/gitleaks-action@v2
After

uses: gitleaks/gitleaks-action@v3

Why

GitHub is deprecating the Node 20 runtime for Actions:

  • June 2, 2026: GitHub flips the runner default to Node 24. Workflows using gitleaks-action@v2 (Node 20) will still run, but only if ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true is set as an environment variable.
  • September 16, 2026: Node 20 is removed from GitHub-hosted runners entirely. gitleaks-action@v2 stops working regardless of any opt-out flag.

Changes

  • action.yml: runtime node20node24
  • @actions/core: 1.10.0 → 1.11.1
  • dist/ rebuilt
  • Example workflows updated to actions/checkout@v6 and gitleaks-action@v3
  • README updated with v3 migration guide

Self-hosted runners

If you use self-hosted runners, ensure your runner version is >= v2.327.1 (required for Node 24 support).

v2.3.9

What's Changed

Full Changelog: gitleaks/gitleaks-action@v2.3.8...v2.3.9

v2.3.8

What's Changed

New Contributors

Full Changelog: gitleaks/gitleaks-action@v2.3.7...v2.3.8

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [gitleaks/gitleaks-action](https://github.com/gitleaks/gitleaks-action) from 2 to 3.
- [Release notes](https://github.com/gitleaks/gitleaks-action/releases)
- [Commits](gitleaks/gitleaks-action@v2...v3)

---
updated-dependencies:
- dependency-name: gitleaks/gitleaks-action
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 1, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 3, 2026

Copy link
Copy Markdown
Contributor Author

Looks like gitleaks/gitleaks-action is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 3, 2026
@dependabot
dependabot Bot deleted the dependabot/github_actions/gitleaks/gitleaks-action-3 branch June 3, 2026 07:39
BigSimmo added a commit that referenced this pull request Jul 8, 2026
Committed migration 20260708120000 (NOT applied to live — operator apply per
docs/supabase-migration-reconciliation.md), schema.sql reconciled, drift manifest
regenerated (13s scratch replay, clean).

- R1/R2: complete_ingestion_job + fail_or_retry_ingestion_job take an optional
  p_worker_id lease fence. A worker reclaimed by a stale takeover now matches 0
  rows and returns ok:false lease_lost instead of clobbering the reclaimer's
  newer state (indexed->failed, completed->pending). Backward compatible
  (p_worker_id defaults null); the worker passes workerId and treats lease_lost
  as a stop, keeping the isMissingSchemaError fallback for pre-apply. This is the
  defense-in-depth complement to the lease heartbeat already in this PR.
- R7: fail_or_retry downgrades an attempt-exhausted retry to terminal 'failed'
  instead of a permanently-unclaimable 'pending' that pins its batch forever.
- R9: refresh_import_batch_status locks the import_batches row before counting,
  serializing concurrent last-job refreshes (lost-update that stuck batches as
  'processing').
- R23: cleanup_abandoned re-asserts the open-job guard immediately before the
  destructive deletes (it previously lived only in the candidate CTE, before the
  seven count statements).

HELD (evidence in PR): R17 open-jobs unique index (collides with drift backlog
#7, ingestion_jobs index reshape); R24e stage-FK removal (collides with drift
backlog #8, which plans the opposite — live has 253 orphan rows that would fail
VALIDATE); deep-memory delete-scoping (would crash — document_sections
unique(document_id,section_index)).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
BigSimmo added a commit that referenced this pull request Jul 8, 2026
…on) (#380)

* fix(ingestion): R1/R2 lease fences + R7/R9/R23 RPC hardening (migration)

Committed migration 20260708120000 (NOT applied to live — operator apply per
docs/supabase-migration-reconciliation.md), schema.sql reconciled, drift manifest
regenerated (13s scratch replay, clean).

- R1/R2: complete_ingestion_job + fail_or_retry_ingestion_job take an optional
  p_worker_id lease fence. A worker reclaimed by a stale takeover now matches 0
  rows and returns ok:false lease_lost instead of clobbering the reclaimer's
  newer state (indexed->failed, completed->pending). Backward compatible
  (p_worker_id defaults null); the worker passes workerId and treats lease_lost
  as a stop, keeping the isMissingSchemaError fallback for pre-apply. This is the
  defense-in-depth complement to the lease heartbeat already in this PR.
- R7: fail_or_retry downgrades an attempt-exhausted retry to terminal 'failed'
  instead of a permanently-unclaimable 'pending' that pins its batch forever.
- R9: refresh_import_batch_status locks the import_batches row before counting,
  serializing concurrent last-job refreshes (lost-update that stuck batches as
  'processing').
- R23: cleanup_abandoned re-asserts the open-job guard immediately before the
  destructive deletes (it previously lived only in the candidate CTE, before the
  seven count statements).

HELD (evidence in PR): R17 open-jobs unique index (collides with drift backlog
#7, ingestion_jobs index reshape); R24e stage-FK removal (collides with drift
backlog #8, which plans the opposite — live has 253 orphan rows that would fail
VALIDATE); deep-memory delete-scoping (would crash — document_sections
unique(document_id,section_index)).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix(ingestion): rename hardening migration to 20260708130000 (version collision)

20260708120000 was already taken by 20260708120000_rag_query_misses_retention.sql
on main; two migrations sharing a version fail the schema_migrations pkey on
replay/apply. Content unchanged; schema.sql + drift manifest unaffected (manifest
keys on schema.sql sha, not migration versions).

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
BigSimmo added a commit that referenced this pull request Jul 8, 2026
…rift #8)

Live evidence, not the backlog's add-the-FK plan: live never had this FK, the
edge agent writes an indexing_v3_agent_jobs id into job_id (never satisfies a FK
to ingestion_jobs), and live carries 253 orphan stage rows that would fail
VALIDATE. Removing the FK makes fresh/preview databases match live and unbreaks
the agent's artifact-repair path there.

- schema.sql: ingestion_job_stages.job_id is a plain not-null column (documented)
- migration 20260708140000: drop constraint if exists (no-op on live; removes it
  on the branch/preview migration chain)
- drift-allowlist: remove the now-obsolete FK entry (schema.sql matches live)
- database-drift-detection.md: mark backlog item #8 resolved with rationale
- supabase-schema.test: assert the FK is absent from schema.sql
- drift manifest regenerated (clean scratch replay)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
BigSimmo added a commit that referenced this pull request Jul 9, 2026
* fix(ui): center mobile hero search and harden composer portal

- Hide footer Evidence/Sources chips on phone hero composers; scope stays in + menu
- Suppress bottom-dock composer flash until hero portal slot is ready
- Increase composer action/send touch targets to 44px on phones
- Update Playwright tests for scope menu, Answer home geometry, and stress fallback

* chore: ignore medications snapshot gitleaks false positives for deploy

* fix(access): resolve outstanding P0/P1 security and UX gaps

* fix(rag): scope anonymous retrieval to public documents via owner sentinel

* fix(access): complete forms fallback, signed-url hardening, upload guard

* feat(db): promote locally reviewed documents to public corpus for anonymous RAG

* fix(access): complete forms fallback, signed-url hardening, upload guard

* test: stabilize scope-sources stress flow via answer options menu

* chore: ignore medications snapshot gitleaks false positives for main deploy

* chore: ignore medications snapshot gitleaks false positives for main deploy

* chore: format access rollout files and add batched public document promotion script

* fix: audit P0 RAG cache, synopsis parity, and safety hardening

* fix(access): repair image signed-url route and align access route tests

* Compact answer recommended questions into shared suggestion chips

Replace the answer-mode composer banner and post-answer card with a shared
compact chip row that matches the footer search setup styling.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* fix(access): add document_upload rate limit bucket and update retrieval scope tests

* Auto-hide answer support chips when content sits below on mobile

* fix: clear merge markers and align tests with local upload guard

* fix(db): repair dollar-quote delimiters in retrieval owner sentinel migration

* fix(db): align schema.sql retrieval_owner_matches dollar quotes

* docs(governance): record public and anonymous API access verification

* fix: unblock production anonymous search and setup-status project warning

* style: format access rollout files for CI

* Polish answer suggestion chips across empty home, mobile composer, and modes

Unify empty-state quick actions with compact chips, move mobile follow-ups
into the footer composer, apply example chips to all search modes, add chip
truncation, update mockups/tests, and trim unused ClinicalDashboard imports.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* checkpoint before checking out cursor/add-supabase-plugin-6f14

* fix: drop accidental worktree gitlinks blocking CI

Remove nested worktree references from the plugin branch and ignore
.worktrees/ so checkout and required status checks can pass.

Co-authored-by: Cursor <cursoragent@cursor.com>

* style: format CI-flagged sources after main sync

* Fix CI failures from compact suggestion chips rollout

- Run Prettier on new/changed dashboard components
- Update ui-tools tests for Examples chips instead of Searching banner
- Scroll mobile table expand clear of taller footer composer stack
- Increase main bottom margin when composer follow-ups are visible
- Relax touch-target measurement tolerance for subpixel CI variance

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* feat: add public corpus promotion and retrieval-owner verification scripts

Add check:retrieval-owner to validate the live sentinel migration and promote:public-documents with dry-run/--apply for locally reviewed docs.

* Relax touch-target tolerance for full-suite subpixel variance

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* fix(mobile): prevent integrated action menu clipping on mode homes

* Hide cross-mode chip prefix when query is empty

The Examples dropdown section uses chips layout without a query, so
rendering 'Search "" in' was misleading. Only show the prefix when
there is an active query (cross-mode search).

* fix(ui): center mobile hero search and harden composer portal

- Hide footer Evidence/Sources chips on phone hero composers; scope stays in + menu
- Suppress bottom-dock composer flash until hero portal slot is ready
- Increase composer action/send touch targets to 44px on phones
- Update Playwright tests for scope menu, Answer home geometry, and stress fallback

* fix(ui): resolve merge conflicts and restore /applications route

- Remove stray merge conflict markers from master-search-header, ui-stress, globals.css
- Restore standalone /applications page and remove redirect to /?mode=tools
- Re-export ApplicationsLauncherPage for the restored route
- Regenerate docs/site-map.md

* fix(ci): format sources and stabilize scope-menu Playwright helpers

* style: format ui-stress spec for prettier check

* fix(mobile): restore favourites composer slot and stabilize scope smoke tests

* test(ui): fallback to answer options menu for desktop scope stress

* test(ui): open scope via answer options in desktop stress path

* test(ui): relax scope summary copy matcher for stress desktop path

* style: format mode-action-popup for prettier check

* Fix: close evidence sheet on follow-up quote to unblock focus trap

* test(ui): use openDailyActions for mobile stress scope path

* test(ui): force-click scope menuitem in mobile stress path

* fix(ui): clear integrated menu layout on close without effect setState

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(rag): deploy app-layer public owner sentinel for anonymous search (#291)

* fix(rag): scope anonymous retrieval to public documents via owner sentinel

Wire retrievalOwnerFilter through RAG, deep-memory, and document-enrichment so production anonymous search sends the public owner sentinel. Adds live migration check script and updated access tests.

* fix(ci): prettier migration check script and promote migration updated_at

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* fix: unblock PR CI — migration column guard and schema test sentinel

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* style: format supabase-schema sentinel assertions for prettier

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* Compact answer recommended questions into shared suggestion chips (#283)

* fix: resolve stale merge conflict markers from fix-all-db-issues integration

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* fix: run prettier on 6 files failing format check

* test(ui): relax mode-dependent selectors in smoke test

* Fix Prettier formatting violations

* test(ui): make mode-options smoke assertion mode-agnostic

* fix(ingestion): R24e — drop ingestion_job_stages.job_id FK (resolve drift #8)

Live evidence, not the backlog's add-the-FK plan: live never had this FK, the
edge agent writes an indexing_v3_agent_jobs id into job_id (never satisfies a FK
to ingestion_jobs), and live carries 253 orphan stage rows that would fail
VALIDATE. Removing the FK makes fresh/preview databases match live and unbreaks
the agent's artifact-repair path there.

- schema.sql: ingestion_job_stages.job_id is a plain not-null column (documented)
- migration 20260708140000: drop constraint if exists (no-op on live; removes it
  on the branch/preview migration chain)
- drift-allowlist: remove the now-obsolete FK entry (schema.sql matches live)
- database-drift-detection.md: mark backlog item #8 resolved with rationale
- supabase-schema.test: assert the FK is absent from schema.sql
- drift manifest regenerated (clean scratch replay)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix(ingestion): suppress agent stage ids from OCR retry targets

Only expose failed_ocr jobId values that resolve to a document ingestion_jobs row so the quality review Retry action does not 404 after dropping the ingestion_job_stages.job_id FK.

* fix: stale search-effect closure, missing effect dep, dead code cleanup

- ClinicalDashboard.tsx: route the URL-bootstrap search effect through refs
  for executeSearch/scopeFilters so it always calls the latest versions
  instead of the ones captured when the narrowly-scoped effect first ran
- DocumentViewer.tsx: add missing canUsePrivateApis effect dependency
- playwright-base-url.ts: accept 127.0.0.1 alongside localhost when
  verifying an existing local server
- Remove the already-unused onPickSample prop from AnswerEmptyState, and
  two now-unused type-only imports (MedicationRecordRow, RegistryRecordRow)

Verified: typecheck clean, lint clean, prettier clean, medications-route
and registry-records-route tests passing (17/17).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>

* style: format ingestion quality route for CI prettier gate

* chore: trigger CI after prettier fix

* chore: organize pending local changes

* ci: add image-generation remediation workflow

* feat: add image generation metadata re-stamp script

* fix(ci): stub RAG_QUERY_HASH_SECRET in deployment boot smoke

Production instrumentation requires RAG_QUERY_HASH_SECRET (PIA-2) when
next start boots in NODE_ENV=production. The boot smoke already stubs
Supabase and OpenAI keys for the child process; add the same pattern for
the query-hash secret so main CI deployment readiness passes.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* style: format deployment-boot-smoke for Prettier

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* fix(ci): require RAG_QUERY_HASH_SECRET in deployment boot smoke

Address Codex review: do not stub the query-hash secret with a known
placeholder. Add it to requiredProductionEnv and pass it from the CI
workflow secrets so main/release smoke fails closed when the secret is
absent, matching the Supabase/OpenAI gate pattern.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* fix(ci): supply RAG_QUERY_HASH_SECRET placeholder for deployment boot smoke

The production instrumentation hook requires a keyed query-hash secret so
logged clinical queries are not reversible. CI boot smoke only checks that
the server starts and reports the correct local project identity, so a
non-production placeholder is sufficient (same pattern as service-role and
OpenAI placeholders).

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* style: run Prettier on deployment-boot-smoke.mjs

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* ci: retrigger checks after Codex feedback fix

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* chore: reconcile ingestion RPC execute privileges, schema.sql and drift manifest

* ci: add db-reset-verify and dependency-review workflows

* ci: remove dependency-review workflow because repository is private without GHAS

* 📝 CodeRabbit Chat: Simplify code implementation (#434)

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix(db): rename duplicate migration version 20260708160000 to unique 20260708160001

* fix: run prettier on 19 files to fix CI format:check failure (#436)

* fix: address PR 433 review comments

- Defer embedding until after text/document fast paths and coverage gate
- Rehydrate cached document metadata in attachDocumentRankingMetadata
- Load env-dependent script imports after loadEnvConfig in seed/reindex scripts
- Harden registry corpus: shared identity, medication tags, rollback, detail hrefs
- Route registry citations to detail pages; handle registry rows in signed-url API
- Prioritize safety warnings over registry info; preserve stale registry labels
- Guard OCR repair against dropping isolated single-letter clinical tokens
- Update skill docs, changelog dedup, CI Supabase setup-cli@v3

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* fix: address follow-up PR 433 review comments

- Backfill NULL document_images.index_generation_id during re-stamp
- Count globally forced embedding eval cases in retrieval summaries

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>

* docs: add Codex review throttling protocol

* fix: format docs/branch-review-ledger.md to pass Prettier check

* fix(docs): tighten ledger skip checks and pure-review exception

Require branch, HEAD, and scope to match before skipping cleanup reviews, and allow ledger appends as the sole edit during pure review runs.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix: throttle Codex auto-resolve reviews

* fix: harden Codex review automation

* fix: prevent repeated Codex auto-resolve requests

* fix: keep Codex auto-resolve permission skips green

* fix: harden Codex auto-resolve GitHub API error handling

Wrap issues.listComments and issues.createComment in explicit try/catch paths that log a clear notice and fail the job deterministically on auth, rate-limit, and client API errors while preserving skip cases.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix: harden Codex auto-resolve dedupe and review guards

Use SHA-scoped PR labels and concurrency to prevent duplicate resolve requests, skip non-actionable reviews, document the auto-resolve confirmation exception, and add CI workflow guard checks.

Co-authored-by: Cursor <cursoragent@cursor.com>

* docs: add Codex resolve follow-up guidance and issue_comment trigger

Document manual re-trigger, add resolve completion checklist, cover top-level PR comments in auto-resolve, and link the review protocol from README.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix: format check-codex-autofix-workflow.mjs with Prettier

* fix: harden Codex auto-resolve label and retrigger guards

Queue PR/head workflow runs, create SHA labels before applying them, post the resolve comment before the label lock, and skip resolve completion summaries on issue_comment events.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix: soft-skip Codex auto-resolve on comment read 403

Treat issues.get and listComments permission failures as warnings so the workflow stays green when the token cannot read PR metadata.

Co-authored-by: Cursor <cursoragent@cursor.com>

* archive: document obsolete branch preservation

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants