Separate silent issue metadata sync from public retest guidance so maintainer edits and reporter-facing comments do not share the same workflow boundary. Extract the shared parsing and classification logic into a local helper with a small node test so both workflows stay in sync without duplicating the script.
Keep issue version labels in sync on edits, but only post retest guidance on opened or reopened reporter issues and skip maintainer-authored issues. This prevents maintainer bulk triage from generating public GitHub Actions noise.
The /tmp directory on the demo server isn't writable by the relay
user, causing the verification step's cookie file to silently fail.
This meant the /api/state request had no session cookie and returned
401, making the node count check report 0 nodes.
Use $HOME instead of /tmp for the cookie file path.
The integration_tests job restores the pre-built frontend dist from
cache and copies it to the embed location, but then runs make build
which unconditionally rebuilds the frontend via npm — failing because
node_modules aren't installed. Use go build directly since the
frontend is already embedded.
Add three layers of secret leak prevention:
1. .gitleaks.toml — config extending the default ruleset (~150 rules for
AWS, GCP, Stripe, OpenAI, private keys, JWTs, etc.) with allowlists
tuned to suppress false positives from test fixtures and docs.
2. .husky/pre-commit — enhanced with gitleaks protect --staged (graceful
skip if not installed), sensitive file type blocking (.pem, .key, .enc,
id_rsa, etc.), and broadened fallback patterns covering AWS, OpenAI,
GCP, and private key headers alongside existing Stripe checks.
3. .github/workflows/build-and-test.yml — new secret-scan CI job using
gitleaks-action that runs in parallel with build on every push/PR,
serving as the last gate if someone bypasses local hooks.
