CI: restore main detect-secrets scan (#38438)

* Tests: stabilize detect-secrets fixtures * Tests: fix rebased detect-secrets false positives * Docs: keep snippets valid under detect-secrets * Tests: finalize detect-secrets false-positive fixes * Tests: reduce detect-secrets false positives * Tests: keep detect-secrets pragmas inline * Tests: remediate next detect-secrets batch * Tests: tighten detect-secrets allowlists * Tests: stabilize detect-secrets formatter drift
2026-04-25 23:47:20 +00:00 · 2026-03-07 13:06:35 -05:00
parent 46e324e269
commit e4d80ed556
137 changed files with 1231 additions and 2700 deletions
--- a/src/wizard/onboarding.gateway-config.test.ts
+++ b/src/wizard/onboarding.gateway-config.test.ts
@@ -145,7 +145,7 @@ describe("configureGatewayForOnboarding", () => {

  it("honors secretInputMode=ref for gateway password prompts", async () => {
    const previous = process.env.OPENCLAW_GATEWAY_PASSWORD;
-    process.env.OPENCLAW_GATEWAY_PASSWORD = "gateway-secret";
+    process.env.OPENCLAW_GATEWAY_PASSWORD = "gateway-secret"; // pragma: allowlist secret
    try {
      const prompter = createPrompter({
        selectQueue: ["loopback", "password", "off", "env"],
@@ -159,7 +159,7 @@ describe("configureGatewayForOnboarding", () => {
        nextConfig: {},
        localPort: 18789,
        quickstartGateway: createQuickstartGateway("password"),
-        secretInputMode: "ref",
+        secretInputMode: "ref", // pragma: allowlist secret
        prompter,
        runtime,
      });
@@ -195,7 +195,7 @@ describe("configureGatewayForOnboarding", () => {
        nextConfig: {},
        localPort: 18789,
        quickstartGateway: createQuickstartGateway("token"),
-        secretInputMode: "ref",
+        secretInputMode: "ref", // pragma: allowlist secret
        prompter,
        runtime,
      });
--- a/src/wizard/onboarding.secret-input.test.ts
+++ b/src/wizard/onboarding.secret-input.test.ts
@@ -19,7 +19,7 @@ describe("resolveOnboardingSecretInputString", () => {
      value: "${OPENCLAW_GATEWAY_PASSWORD}",
      path: "gateway.auth.password",
      env: {
-        OPENCLAW_GATEWAY_PASSWORD: "gateway-secret",
+        OPENCLAW_GATEWAY_PASSWORD: "gateway-secret", // pragma: allowlist secret
      },
    });

--- a/src/wizard/onboarding.test.ts
+++ b/src/wizard/onboarding.test.ts
@@ -400,7 +400,7 @@ describe("runOnboardingWizard", () => {

  it("resolves gateway.auth.password SecretRef for local onboarding probe", async () => {
    const previous = process.env.OPENCLAW_GATEWAY_PASSWORD;
-    process.env.OPENCLAW_GATEWAY_PASSWORD = "gateway-ref-password";
+    process.env.OPENCLAW_GATEWAY_PASSWORD = "gateway-ref-password"; // pragma: allowlist secret
    probeGatewayReachable.mockClear();
    readConfigFileSnapshot.mockResolvedValueOnce({
      path: "/tmp/.openclaw/openclaw.json",
@@ -462,7 +462,7 @@ describe("runOnboardingWizard", () => {
    expect(probeGatewayReachable).toHaveBeenCalledWith(
      expect.objectContaining({
        url: "ws://127.0.0.1:18789",
-        password: "gateway-ref-password",
+        password: "gateway-ref-password", // pragma: allowlist secret
      }),
    );
  });
@@ -484,7 +484,7 @@ describe("runOnboardingWizard", () => {
        skipSearch: true,
        skipHealth: true,
        skipUi: true,
-        secretInputMode: "ref",
+        secretInputMode: "ref", // pragma: allowlist secret
      },
      runtime,
      prompter,
@@ -492,7 +492,7 @@ describe("runOnboardingWizard", () => {

    expect(configureGatewayForOnboarding).toHaveBeenCalledWith(
      expect.objectContaining({
-        secretInputMode: "ref",
+        secretInputMode: "ref", // pragma: allowlist secret
      }),
    );
  });