Bump gitleaks/gitleaks-action from 2 to 3#8
Closed
dependabot[bot] wants to merge 1 commit into
Closed
Conversation
Bumps [gitleaks/gitleaks-action](https://github.com/gitleaks/gitleaks-action) from 2 to 3. - [Release notes](https://github.com/gitleaks/gitleaks-action/releases) - [Commits](gitleaks/gitleaks-action@v2...v3) --- updated-dependencies: - dependency-name: gitleaks/gitleaks-action dependency-version: '3' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Contributor
Author
|
Looks like gitleaks/gitleaks-action is up-to-date now, so this is no longer needed. |
dependabot
Bot
deleted the
dependabot/github_actions/gitleaks/gitleaks-action-3
branch
June 3, 2026 07:39
13 tasks
This was referenced Jul 8, 2026
BigSimmo
added a commit
that referenced
this pull request
Jul 8, 2026
Committed migration 20260708120000 (NOT applied to live — operator apply per docs/supabase-migration-reconciliation.md), schema.sql reconciled, drift manifest regenerated (13s scratch replay, clean). - R1/R2: complete_ingestion_job + fail_or_retry_ingestion_job take an optional p_worker_id lease fence. A worker reclaimed by a stale takeover now matches 0 rows and returns ok:false lease_lost instead of clobbering the reclaimer's newer state (indexed->failed, completed->pending). Backward compatible (p_worker_id defaults null); the worker passes workerId and treats lease_lost as a stop, keeping the isMissingSchemaError fallback for pre-apply. This is the defense-in-depth complement to the lease heartbeat already in this PR. - R7: fail_or_retry downgrades an attempt-exhausted retry to terminal 'failed' instead of a permanently-unclaimable 'pending' that pins its batch forever. - R9: refresh_import_batch_status locks the import_batches row before counting, serializing concurrent last-job refreshes (lost-update that stuck batches as 'processing'). - R23: cleanup_abandoned re-asserts the open-job guard immediately before the destructive deletes (it previously lived only in the candidate CTE, before the seven count statements). HELD (evidence in PR): R17 open-jobs unique index (collides with drift backlog #7, ingestion_jobs index reshape); R24e stage-FK removal (collides with drift backlog #8, which plans the opposite — live has 253 orphan rows that would fail VALIDATE); deep-memory delete-scoping (would crash — document_sections unique(document_id,section_index)). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This was referenced Jul 8, 2026
Merged
BigSimmo
added a commit
that referenced
this pull request
Jul 8, 2026
…on) (#380) * fix(ingestion): R1/R2 lease fences + R7/R9/R23 RPC hardening (migration) Committed migration 20260708120000 (NOT applied to live — operator apply per docs/supabase-migration-reconciliation.md), schema.sql reconciled, drift manifest regenerated (13s scratch replay, clean). - R1/R2: complete_ingestion_job + fail_or_retry_ingestion_job take an optional p_worker_id lease fence. A worker reclaimed by a stale takeover now matches 0 rows and returns ok:false lease_lost instead of clobbering the reclaimer's newer state (indexed->failed, completed->pending). Backward compatible (p_worker_id defaults null); the worker passes workerId and treats lease_lost as a stop, keeping the isMissingSchemaError fallback for pre-apply. This is the defense-in-depth complement to the lease heartbeat already in this PR. - R7: fail_or_retry downgrades an attempt-exhausted retry to terminal 'failed' instead of a permanently-unclaimable 'pending' that pins its batch forever. - R9: refresh_import_batch_status locks the import_batches row before counting, serializing concurrent last-job refreshes (lost-update that stuck batches as 'processing'). - R23: cleanup_abandoned re-asserts the open-job guard immediately before the destructive deletes (it previously lived only in the candidate CTE, before the seven count statements). HELD (evidence in PR): R17 open-jobs unique index (collides with drift backlog #7, ingestion_jobs index reshape); R24e stage-FK removal (collides with drift backlog #8, which plans the opposite — live has 253 orphan rows that would fail VALIDATE); deep-memory delete-scoping (would crash — document_sections unique(document_id,section_index)). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * fix(ingestion): rename hardening migration to 20260708130000 (version collision) 20260708120000 was already taken by 20260708120000_rag_query_misses_retention.sql on main; two migrations sharing a version fail the schema_migrations pkey on replay/apply. Content unchanged; schema.sql + drift manifest unaffected (manifest keys on schema.sql sha, not migration versions). --------- Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
BigSimmo
added a commit
that referenced
this pull request
Jul 8, 2026
…rift #8) Live evidence, not the backlog's add-the-FK plan: live never had this FK, the edge agent writes an indexing_v3_agent_jobs id into job_id (never satisfies a FK to ingestion_jobs), and live carries 253 orphan stage rows that would fail VALIDATE. Removing the FK makes fresh/preview databases match live and unbreaks the agent's artifact-repair path there. - schema.sql: ingestion_job_stages.job_id is a plain not-null column (documented) - migration 20260708140000: drop constraint if exists (no-op on live; removes it on the branch/preview migration chain) - drift-allowlist: remove the now-obsolete FK entry (schema.sql matches live) - database-drift-detection.md: mark backlog item #8 resolved with rationale - supabase-schema.test: assert the FK is absent from schema.sql - drift manifest regenerated (clean scratch replay) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This was referenced Jul 8, 2026
BigSimmo
added a commit
that referenced
this pull request
Jul 9, 2026
* fix(ui): center mobile hero search and harden composer portal - Hide footer Evidence/Sources chips on phone hero composers; scope stays in + menu - Suppress bottom-dock composer flash until hero portal slot is ready - Increase composer action/send touch targets to 44px on phones - Update Playwright tests for scope menu, Answer home geometry, and stress fallback * chore: ignore medications snapshot gitleaks false positives for deploy * fix(access): resolve outstanding P0/P1 security and UX gaps * fix(rag): scope anonymous retrieval to public documents via owner sentinel * fix(access): complete forms fallback, signed-url hardening, upload guard * feat(db): promote locally reviewed documents to public corpus for anonymous RAG * fix(access): complete forms fallback, signed-url hardening, upload guard * test: stabilize scope-sources stress flow via answer options menu * chore: ignore medications snapshot gitleaks false positives for main deploy * chore: ignore medications snapshot gitleaks false positives for main deploy * chore: format access rollout files and add batched public document promotion script * fix: audit P0 RAG cache, synopsis parity, and safety hardening * fix(access): repair image signed-url route and align access route tests * Compact answer recommended questions into shared suggestion chips Replace the answer-mode composer banner and post-answer card with a shared compact chip row that matches the footer search setup styling. Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * fix(access): add document_upload rate limit bucket and update retrieval scope tests * Auto-hide answer support chips when content sits below on mobile * fix: clear merge markers and align tests with local upload guard * fix(db): repair dollar-quote delimiters in retrieval owner sentinel migration * fix(db): align schema.sql retrieval_owner_matches dollar quotes * docs(governance): record public and anonymous API access verification * fix: unblock production anonymous search and setup-status project warning * style: format access rollout files for CI * Polish answer suggestion chips across empty home, mobile composer, and modes Unify empty-state quick actions with compact chips, move mobile follow-ups into the footer composer, apply example chips to all search modes, add chip truncation, update mockups/tests, and trim unused ClinicalDashboard imports. Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * checkpoint before checking out cursor/add-supabase-plugin-6f14 * fix: drop accidental worktree gitlinks blocking CI Remove nested worktree references from the plugin branch and ignore .worktrees/ so checkout and required status checks can pass. Co-authored-by: Cursor <cursoragent@cursor.com> * style: format CI-flagged sources after main sync * Fix CI failures from compact suggestion chips rollout - Run Prettier on new/changed dashboard components - Update ui-tools tests for Examples chips instead of Searching banner - Scroll mobile table expand clear of taller footer composer stack - Increase main bottom margin when composer follow-ups are visible - Relax touch-target measurement tolerance for subpixel CI variance Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * feat: add public corpus promotion and retrieval-owner verification scripts Add check:retrieval-owner to validate the live sentinel migration and promote:public-documents with dry-run/--apply for locally reviewed docs. * Relax touch-target tolerance for full-suite subpixel variance Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * fix(mobile): prevent integrated action menu clipping on mode homes * Hide cross-mode chip prefix when query is empty The Examples dropdown section uses chips layout without a query, so rendering 'Search "" in' was misleading. Only show the prefix when there is an active query (cross-mode search). * fix(ui): center mobile hero search and harden composer portal - Hide footer Evidence/Sources chips on phone hero composers; scope stays in + menu - Suppress bottom-dock composer flash until hero portal slot is ready - Increase composer action/send touch targets to 44px on phones - Update Playwright tests for scope menu, Answer home geometry, and stress fallback * fix(ui): resolve merge conflicts and restore /applications route - Remove stray merge conflict markers from master-search-header, ui-stress, globals.css - Restore standalone /applications page and remove redirect to /?mode=tools - Re-export ApplicationsLauncherPage for the restored route - Regenerate docs/site-map.md * fix(ci): format sources and stabilize scope-menu Playwright helpers * style: format ui-stress spec for prettier check * fix(mobile): restore favourites composer slot and stabilize scope smoke tests * test(ui): fallback to answer options menu for desktop scope stress * test(ui): open scope via answer options in desktop stress path * test(ui): relax scope summary copy matcher for stress desktop path * style: format mode-action-popup for prettier check * Fix: close evidence sheet on follow-up quote to unblock focus trap * test(ui): use openDailyActions for mobile stress scope path * test(ui): force-click scope menuitem in mobile stress path * fix(ui): clear integrated menu layout on close without effect setState Co-authored-by: Cursor <cursoragent@cursor.com> * fix(rag): deploy app-layer public owner sentinel for anonymous search (#291) * fix(rag): scope anonymous retrieval to public documents via owner sentinel Wire retrievalOwnerFilter through RAG, deep-memory, and document-enrichment so production anonymous search sends the public owner sentinel. Adds live migration check script and updated access tests. * fix(ci): prettier migration check script and promote migration updated_at Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * fix: unblock PR CI — migration column guard and schema test sentinel Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * style: format supabase-schema sentinel assertions for prettier Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * Compact answer recommended questions into shared suggestion chips (#283) * fix: resolve stale merge conflict markers from fix-all-db-issues integration Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * fix: run prettier on 6 files failing format check * test(ui): relax mode-dependent selectors in smoke test * Fix Prettier formatting violations * test(ui): make mode-options smoke assertion mode-agnostic * fix(ingestion): R24e — drop ingestion_job_stages.job_id FK (resolve drift #8) Live evidence, not the backlog's add-the-FK plan: live never had this FK, the edge agent writes an indexing_v3_agent_jobs id into job_id (never satisfies a FK to ingestion_jobs), and live carries 253 orphan stage rows that would fail VALIDATE. Removing the FK makes fresh/preview databases match live and unbreaks the agent's artifact-repair path there. - schema.sql: ingestion_job_stages.job_id is a plain not-null column (documented) - migration 20260708140000: drop constraint if exists (no-op on live; removes it on the branch/preview migration chain) - drift-allowlist: remove the now-obsolete FK entry (schema.sql matches live) - database-drift-detection.md: mark backlog item #8 resolved with rationale - supabase-schema.test: assert the FK is absent from schema.sql - drift manifest regenerated (clean scratch replay) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * fix(ingestion): suppress agent stage ids from OCR retry targets Only expose failed_ocr jobId values that resolve to a document ingestion_jobs row so the quality review Retry action does not 404 after dropping the ingestion_job_stages.job_id FK. * fix: stale search-effect closure, missing effect dep, dead code cleanup - ClinicalDashboard.tsx: route the URL-bootstrap search effect through refs for executeSearch/scopeFilters so it always calls the latest versions instead of the ones captured when the narrowly-scoped effect first ran - DocumentViewer.tsx: add missing canUsePrivateApis effect dependency - playwright-base-url.ts: accept 127.0.0.1 alongside localhost when verifying an existing local server - Remove the already-unused onPickSample prop from AnswerEmptyState, and two now-unused type-only imports (MedicationRecordRow, RegistryRecordRow) Verified: typecheck clean, lint clean, prettier clean, medications-route and registry-records-route tests passing (17/17). Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> * style: format ingestion quality route for CI prettier gate * chore: trigger CI after prettier fix * chore: organize pending local changes * ci: add image-generation remediation workflow * feat: add image generation metadata re-stamp script * fix(ci): stub RAG_QUERY_HASH_SECRET in deployment boot smoke Production instrumentation requires RAG_QUERY_HASH_SECRET (PIA-2) when next start boots in NODE_ENV=production. The boot smoke already stubs Supabase and OpenAI keys for the child process; add the same pattern for the query-hash secret so main CI deployment readiness passes. Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * style: format deployment-boot-smoke for Prettier Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * fix(ci): require RAG_QUERY_HASH_SECRET in deployment boot smoke Address Codex review: do not stub the query-hash secret with a known placeholder. Add it to requiredProductionEnv and pass it from the CI workflow secrets so main/release smoke fails closed when the secret is absent, matching the Supabase/OpenAI gate pattern. Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * fix(ci): supply RAG_QUERY_HASH_SECRET placeholder for deployment boot smoke The production instrumentation hook requires a keyed query-hash secret so logged clinical queries are not reversible. CI boot smoke only checks that the server starts and reports the correct local project identity, so a non-production placeholder is sufficient (same pattern as service-role and OpenAI placeholders). Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * style: run Prettier on deployment-boot-smoke.mjs Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * ci: retrigger checks after Codex feedback fix Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * chore: reconcile ingestion RPC execute privileges, schema.sql and drift manifest * ci: add db-reset-verify and dependency-review workflows * ci: remove dependency-review workflow because repository is private without GHAS * 📝 CodeRabbit Chat: Simplify code implementation (#434) Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * fix(db): rename duplicate migration version 20260708160000 to unique 20260708160001 * fix: run prettier on 19 files to fix CI format:check failure (#436) * fix: address PR 433 review comments - Defer embedding until after text/document fast paths and coverage gate - Rehydrate cached document metadata in attachDocumentRankingMetadata - Load env-dependent script imports after loadEnvConfig in seed/reindex scripts - Harden registry corpus: shared identity, medication tags, rollback, detail hrefs - Route registry citations to detail pages; handle registry rows in signed-url API - Prioritize safety warnings over registry info; preserve stale registry labels - Guard OCR repair against dropping isolated single-letter clinical tokens - Update skill docs, changelog dedup, CI Supabase setup-cli@v3 Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * fix: address follow-up PR 433 review comments - Backfill NULL document_images.index_generation_id during re-stamp - Count globally forced embedding eval cases in retrieval summaries Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> * docs: add Codex review throttling protocol * fix: format docs/branch-review-ledger.md to pass Prettier check * fix(docs): tighten ledger skip checks and pure-review exception Require branch, HEAD, and scope to match before skipping cleanup reviews, and allow ledger appends as the sole edit during pure review runs. Co-authored-by: Cursor <cursoragent@cursor.com> * fix: throttle Codex auto-resolve reviews * fix: harden Codex review automation * fix: prevent repeated Codex auto-resolve requests * fix: keep Codex auto-resolve permission skips green * fix: harden Codex auto-resolve GitHub API error handling Wrap issues.listComments and issues.createComment in explicit try/catch paths that log a clear notice and fail the job deterministically on auth, rate-limit, and client API errors while preserving skip cases. Co-authored-by: Cursor <cursoragent@cursor.com> * fix: harden Codex auto-resolve dedupe and review guards Use SHA-scoped PR labels and concurrency to prevent duplicate resolve requests, skip non-actionable reviews, document the auto-resolve confirmation exception, and add CI workflow guard checks. Co-authored-by: Cursor <cursoragent@cursor.com> * docs: add Codex resolve follow-up guidance and issue_comment trigger Document manual re-trigger, add resolve completion checklist, cover top-level PR comments in auto-resolve, and link the review protocol from README. Co-authored-by: Cursor <cursoragent@cursor.com> * fix: format check-codex-autofix-workflow.mjs with Prettier * fix: harden Codex auto-resolve label and retrigger guards Queue PR/head workflow runs, create SHA labels before applying them, post the resolve comment before the label lock, and skip resolve completion summaries on issue_comment events. Co-authored-by: Cursor <cursoragent@cursor.com> * fix: soft-skip Codex auto-resolve on comment read 403 Treat issues.get and listComments permission failures as warnings so the workflow stays green when the token cannot read PR metadata. Co-authored-by: Cursor <cursoragent@cursor.com> * archive: document obsolete branch preservation --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Claude Fable 5 <noreply@anthropic.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps gitleaks/gitleaks-action from 2 to 3.
Release notes
Sourced from gitleaks/gitleaks-action's releases.
... (truncated)
Commits
e0c47f4chore: migrate to Node 24 runtime (v3)bf2dc8eMerge pull request #191 from Olexandr88/patch-1b71323bUpdate README.md9c66aa9Update README.md186c3feCreate FUNDING.ymlDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)