Add three layers of secret leak prevention:
1. .gitleaks.toml — config extending the default ruleset (~150 rules for AWS, GCP, Stripe, OpenAI, private keys, JWTs, etc.) with allowlists tuned to suppress false positives from test fixtures and docs.
2. .husky/pre-commit — enhanced with gitleaks protect --staged (graceful skip if not installed), sensitive file type blocking (.pem, .key, .enc, id_rsa, etc.), and broadened fallback patterns covering AWS, OpenAI, GCP, and private key headers alongside existing Stripe checks.
3. .github/workflows/build-and-test.yml — new secret-scan CI job using gitleaks-action that runs in parallel with build on every push/PR, serving as the last gate if someone bypasses local hooks.
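The local pre-commit layer the commit message describes, written out as an added example hook; this is not the repository's own .husky/pre-commit, and the file-name and fallback regexes are illustrative choices of this example (the real gitleaks ruleset is far broader). The AWS key id used in the usage test is the publicly documented example value, not a real credential.

```shell
#!/bin/sh
# Added example pre-commit hook (not the project's .husky/pre-commit).
# Three layers: gitleaks (skipped gracefully if absent), sensitive file-name
# blocking, and fallback content patterns over staged additions only.

# File names that must never be committed, whatever they contain.
SENSITIVE_FILE_RE='\.(pem|key|enc|p12|pfx)$|(^|/)id_(rsa|ed25519|ecdsa)$'

# Fallback content patterns for when gitleaks is not installed: AWS access key
# ids, OpenAI-style keys, GCP API keys, Stripe live keys, PEM private key headers.
FALLBACK_SECRET_RE='AKIA[0-9A-Z]{16}|(^|[^A-Za-z0-9])sk-[A-Za-z0-9_-]{20,}|AIza[0-9A-Za-z_-]{35}|[sr]k_live_[0-9a-zA-Z]{24,}|-----BEGIN [A-Z ]*PRIVATE KEY-----'

# Exit 0 when the path matches a blocked file type.
is_sensitive_filename() {
  printf '%s\n' "$1" | grep -E -q -e "$SENSITIVE_FILE_RE"
}

# Reads text on stdin; exit 0 when any line matches a fallback pattern.
contains_secret_pattern() {
  grep -E -q -e "$FALLBACK_SECRET_RE"
}

# Layer 1: gitleaks against the staged changes, using the repo's .gitleaks.toml.
# Missing binary is not fatal for the contributor; CI remains the last gate.
run_gitleaks() {
  if ! command -v gitleaks >/dev/null 2>&1; then
    echo "pre-commit: gitleaks not installed, using fallback patterns only" >&2
    return 0
  fi
  gitleaks protect --staged --redact
}

# Layers 2 and 3 over added/copied/modified staged files (deletions are ignored).
# Findings are collected as text so they survive the pipeline's subshell.
check_staged() {
  problems=$(
    git diff --cached --name-only --diff-filter=ACM | while IFS= read -r f; do
      if is_sensitive_filename "$f"; then
        echo "blocked file type: $f"
      fi
      # Only the '+' lines of the staged diff, minus the '+++' file header.
      if git diff --cached -U0 -- "$f" | grep '^+' | grep -v '^+++' | contains_secret_pattern; then
        echo "possible secret in staged changes: $f"
      fi
    done
  )
  [ -z "$problems" ] || { printf '%s\n' "$problems" >&2; return 1; }
}

main() {
  run_gitleaks && check_staged
}

# Husky runs this file as .husky/pre-commit; only act when invoked under that name,
# so sourcing the functions elsewhere has no side effects.
case "${0##*/}" in pre-commit) main ;; esac
```

A blocked commit prints the offending paths to stderr and exits non-zero; the fallback patterns deliberately anchor the `sk-` prefix on a non-alphanumeric boundary so words like "task-" do not trip it.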
Workflow files in this directory:
- build-and-test.yml
- create-release.yml
- deploy-demo-server.yml
- eval-model-matrix.yml
- helm-ci.yml
- helm-pages.yml
- promote-floating-tags.yml
- publish-docker.yml
- publish-helm-chart.yml
- README.md
- release-dry-run.yml
- test-e2e.yml
- test-updates.yml
- update-demo-server.yml
- validate-release-assets.yml
GitHub Actions Workflows
Update Demo Server
File: update-demo-server.yml
Automatically updates the public demo server when a new stable release is published.
Configuration Required
Add these secrets to your GitHub repository settings (Settings → Secrets and variables → Actions):
- DEMO_SERVER_SSH_KEY
  - The private SSH key for accessing the demo server
  - Obtain it with: cat ~/.ssh/id_ed25519 (or your key file)
  - Must be the full private key, including the -----BEGIN and -----END lines
- DEMO_SERVER_HOST
  - The hostname or IP of the demo server
  - Value: 174.138.72.137 (or the hostname if using DNS)
- DEMO_SERVER_USER
  - The SSH username for the demo server
  - Value: root (or the appropriate user with sudo access)
How It Works
- Trigger: Runs automatically when a GitHub release is published
- Filter: Only runs for stable releases (skips RC/pre-releases)
- Update: SSHs to demo server and runs the install script
- Verify: Checks that the new version is running and mock mode is active
- Cleanup: Removes SSH key from runner
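The gating, SSH key handling and cleanup steps listed above, as an added example script a workflow step could run; it is not the project's update-demo-server.yml. Everything beyond the three README secrets is an assumption of this example: the tag arrives in RELEASE_TAG, GitHub's pre-release flag in RELEASE_PRERELEASE, a pinned host key line in DEMO_SERVER_KNOWN_HOSTS, and the remote install and verification commands are placeholders INSTALL_CMD and VERIFY_CMD.

```shell
#!/bin/sh
# Added example, not the project's workflow. Assumed inputs (not in the README):
#   RELEASE_TAG              release tag, e.g. v4.24.0
#   RELEASE_PRERELEASE       GitHub's prerelease flag, "true" or "false"
#   DEMO_SERVER_KNOWN_HOSTS  known_hosts line for the server, so the host key is pinned
#   INSTALL_CMD / VERIFY_CMD placeholder remote commands (install script, version check)
# DEMO_SERVER_SSH_KEY, DEMO_SERVER_HOST and DEMO_SERVER_USER are the README's secrets.
set -eu

# Stable means exactly vMAJOR.MINOR.PATCH with no -rc/-beta/+build suffix and
# not flagged as a pre-release on GitHub; anything else is skipped.
is_stable_release() {
  tag=$1
  prerelease=${2:-false}
  [ "$prerelease" != "true" ] || return 1
  rest=${tag#v}
  [ "$rest" != "$tag" ] || return 1        # release tags carry a leading "v"
  case "$rest" in
    *[!0-9.]*) return 1 ;;                 # letters or a suffix: not stable
    *.*.*.*) return 1 ;;                   # more than three components
    [0-9]*.[0-9]*.[0-9]*) return 0 ;;      # MAJOR.MINOR.PATCH
    *) return 1 ;;
  esac
}

# The version as the install script expects it: the tag without its "v".
version_from_tag() { printf '%s\n' "${1#v}"; }

# Temp files for the private key and the pinned host key; both are removed on
# exit, including after a failed step, which is the README's cleanup step.
KEY_FILE=
KNOWN_HOSTS_FILE=
cleanup() { rm -f "$KEY_FILE" "$KNOWN_HOSTS_FILE"; }

install_ssh_material() {
  umask 077                                # mktemp gives 0600 already; belt and braces
  KEY_FILE=$(mktemp)
  KNOWN_HOSTS_FILE=$(mktemp)
  trap cleanup EXIT INT TERM
  printf '%s\n' "$DEMO_SERVER_SSH_KEY" > "$KEY_FILE"
  printf '%s\n' "$DEMO_SERVER_KNOWN_HOSTS" > "$KNOWN_HOSTS_FILE"
}

# Strict host-key checking against the pinned entry, never trust-on-first-use.
ssh_demo() {
  ssh -i "$KEY_FILE" \
      -o StrictHostKeyChecking=yes \
      -o UserKnownHostsFile="$KNOWN_HOSTS_FILE" \
      "$DEMO_SERVER_USER@$DEMO_SERVER_HOST" "$@"
}

main() {
  if ! is_stable_release "$RELEASE_TAG" "${RELEASE_PRERELEASE:-false}"; then
    echo "Skipping $RELEASE_TAG: not a stable release"
    exit 0
  fi
  version=$(version_from_tag "$RELEASE_TAG")
  install_ssh_material
  ssh_demo "$INSTALL_CMD $version"         # placeholder: run the install script
  ssh_demo "$VERIFY_CMD $version"          # placeholder: confirm version and mock mode
}

# Run only when a tag is passed on the command line; otherwise just define functions.
if [ $# -gt 0 ]; then RELEASE_TAG=$1; main; fi
```

The stable-release check refuses tags such as v4.25.0-rc.1 even when GitHub's pre-release flag is missing, so a mislabelled release cannot reach the demo server.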
Testing
To test without publishing a release:
1. Go to the Actions tab in GitHub
2. Select the Update Demo Server workflow
3. Click Run workflow (if manual trigger is enabled)
Benefits
- ✅ Demo server always showcases latest stable release
- ✅ Validates install script works on real server
- ✅ Removes manual step from release process
- ✅ Free to run (public repos get unlimited GitHub Actions minutes)
Helm CI
File: helm-ci.yml
Runs helm lint --strict and renders the chart with common configuration combinations on every pull request that touches Helm content (and on pushes to main). This prevents regressions before they land.
- Triggered by PRs/pushes touching deploy/helm/**, docs, or the workflow itself
- Uses Helm v3.15.2
- Renders both the default deployment and an agent-enabled configuration to catch template issues
Publish Helm Chart
File: publish-helm-chart.yml
Packages the Helm chart and pushes it to the GitHub Container Registry (OCI) whenever a GitHub Release is published. Also makes the packaged .tgz available as both an Actions artifact and a release asset. The same behaviour can be triggered locally via ./scripts/package-helm-chart.sh <version> [--push].
- Triggered automatically on release: published, or manually via workflow dispatch (requires the chart_version input)
- Chart and app versions mirror the Pulse release tag (e.g., v4.24.0 → 4.24.0)
- Publishes to oci://ghcr.io/<owner>/pulse-chart
- Requires no additional secrets; uses the built-in GITHUB_TOKEN with the packages: write permission
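The lint, render, package and push flow that the Helm CI and Publish Helm Chart sections describe, as an added example script; it is not the project's scripts/package-helm-chart.sh. Assumptions not stated in the README: the chart directory is supplied in CHART_DIR, the agent-enabled render is selected with a hypothetical agent.enabled=true value, and the push authenticates to ghcr.io with GITHUB_TOKEN and GITHUB_REPOSITORY_OWNER, as a GitHub Actions job would.

```shell
#!/bin/sh
# Added example (not the project's own script). Usage: helm-release.sh <tag|version> [--push]
# Assumed environment: CHART_DIR (chart directory under deploy/helm), and for
# --push: GITHUB_TOKEN with packages: write and GITHUB_REPOSITORY_OWNER.
set -eu

DIST_DIR=${DIST_DIR:-dist}

# Accept the chart_version input or a tag with its "v" already stripped:
# digits and dots only, nothing else reaches helm package.
valid_version() { case "$1" in ''|*[!0-9.]*) return 1 ;; *) return 0 ;; esac; }

# Registry path for helm push; helm appends the chart name from Chart.yaml,
# giving oci://ghcr.io/<owner>/pulse-chart:<version>.
oci_repo() { printf 'oci://ghcr.io/%s\n' "$1"; }

# Mirror of the helm-ci.yml checks: strict lint, then render the default and
# the agent-enabled configuration so template errors surface before packaging.
lint_and_render() {
  helm lint --strict "$CHART_DIR"
  helm template pulse "$CHART_DIR" > /dev/null
  helm template pulse "$CHART_DIR" --set agent.enabled=true > /dev/null   # hypothetical value key
}

# Chart and app version both mirror the release version.
package_chart() {
  version=$1
  mkdir -p "$DIST_DIR"
  helm package "$CHART_DIR" --version "$version" --app-version "$version" --destination "$DIST_DIR"
}

# Log in with the job token (read from stdin, never a CLI argument) and push.
push_chart() {
  version=$1
  owner=${GITHUB_REPOSITORY_OWNER:?GITHUB_REPOSITORY_OWNER required for --push}
  printf '%s' "${GITHUB_TOKEN:?GITHUB_TOKEN required for --push}" \
    | helm registry login ghcr.io --username "$owner" --password-stdin
  helm push "$DIST_DIR/pulse-chart-$version.tgz" "$(oci_repo "$owner")"
}

main() {
  version=${1#v}                             # v4.24.0 -> 4.24.0; bare versions pass through
  valid_version "$version" || { echo "usage: $0 <tag|version> [--push]" >&2; exit 2; }
  : "${CHART_DIR:?CHART_DIR must point at the chart directory}"
  lint_and_render
  package_chart "$version"
  if [ "${2:-}" = "--push" ]; then push_chart "$version"; fi
}

# Only act when arguments are given, so the functions can be sourced without side effects.
if [ $# -gt 0 ]; then main "$@"; fi
```

Without --push the script stops after producing dist/pulse-chart-<version>.tgz, which matches the local package-then-optionally-push behaviour the section describes.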