From 9d58f07c92477fe0666706084f04213cd81d5d45 Mon Sep 17 00:00:00 2001
From: KaramelBytes
Date: Wed, 15 Oct 2025 22:13:24 +0800
Subject: [PATCH] ci: improve secret scanning and test coverage
---
 .github/workflows/ci.yml | 31 +++++++++++++++++++++++++------
 .gitleaks.toml | 27 +++++++++++++++++++++++++++
 2 files changed, 52 insertions(+), 6 deletions(-)
 create mode 100644 .gitleaks.toml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 61bb5c5..beba667 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,20 +8,28 @@ on:
 jobs:
   secret-scan:
+    permissions:
+      contents: read # Needed for GITHUB_TOKEN to access repo
+      security-events: write # Required for Gitleaks to report findings
+      actions: read # For GitHub Actions API access
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Needed for Gitleaks to work properly
       - name: Gitleaks Secret Scan
         uses: gitleaks/gitleaks-action@v2
         with:
-          args: detect --redact --no-banner --exit-code 1
+          config-path: .gitleaks.toml
   lint:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
@@ -32,18 +40,29 @@ jobs:
           version: latest
           args: --timeout=3m
-  build-test:
+  test:
+    needs: lint
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Setup Go
+      - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version: '1.22.x'
+      - name: Get dependencies
+        run: go mod tidy
       - name: Vet
         run: go vet ./...
       - name: Build
-        run: go build ./...
-      - name: Test (race + cover)
-        run: go test ./... -race -cover
+        run: go build -v ./...
+      - name: Test with coverage
+        run: |
+          mkdir -p coverage
+          go test -race -coverprofile=coverage/coverage.txt -covermode=atomic ./...
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          file: ./coverage/coverage.txt
+          fail_ci_if_error: false
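Review bot: The Gitleaks step gains a `permissions` block but never hands the token to the action — gitleaks-action@v2 documents `GITHUB_TOKEN` as a required environment variable, so the grants alone do nothing for it; add `env:` / `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under that step. I also believe v2 takes its configuration from environment variables (`GITLEAKS_CONFIG`) rather than a `config-path` input; if that is right the `with:` block is flagged as an unexpected input and `.gitleaks.toml` is only picked up because it sits at the repository root — worth confirming against the action's action.yml. The `fetch-depth: 0` comment would be more useful as `# Full history so Gitleaks scans every commit, not only the checkout tip`. The `on:` block and everything before line 8 lie outside the hunk.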
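Review bot: The new 'Get dependencies' step runs `go mod tidy`, which rewrites go.mod/go.sum on the runner: a dependency missing from go.sum is silently resolved and added instead of failing the build as the default read-only mode would, so the lockfile no longer gates what gets compiled on CI. Prefer `run: go mod download` (which honours go.sum), and if tidiness is the goal add `git diff --exit-code go.mod go.sum` after `go mod tidy` so drift fails the job rather than being papered over. The Codecov upload uses `fail_ci_if_error: false` with a secret that fork pull requests cannot read, so that step is best-effort by design; consider pinning `codecov/codecov-action@v4` (and the other third-party actions) to a full commit SHA instead of a mutable major tag. The lint job's golangci-lint step starts above this hunk.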
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..76c6f63
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,27 @@
+title = "DocLoom Secret Scanning"
+version = "9.14.3"
+
+[allowlist]
+description = "Allow common false positives"
+paths = [
+  "^docs/",
+  "^examples/",
+  "^README\\.md$",
+  "^CHANGELOG\\.md$",
+  "^cmd/",
+  "^internal/",
+  "^test/",
+  "_test\\.go$",
+  "fixtures/",
+  "testdata/",
+  "^vendor/"
+]
+regexes = [
+  "127\\.0\\.0\\.1",
+  "localhost",
+  "token",
+  "internal",
+  "secret",
+  "password",
+  "key"
+]
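Review bot: As I read the gitleaks v8 config format, a custom config replaces the built-in rule set unless it opts back in with an `[extend]` table carrying `useDefault = true`; this file declares neither `[extend]` nor any `[[rules]]`, so the scan may run with no detection rules at all — confirm by running gitleaks locally against a throwaway test credential. Even with rules active, the `paths` allowlist covers `^cmd/`, `^internal/`, `^test/`, `^docs/` and `^examples/`, which in a Go project is essentially the whole tree, and the `regexes` entries `token`, `secret`, `password`, `key` and `internal` suppress any finding whose matched text contains those words — the strings a real leak most often contains. I do not recognise a top-level `version` key in the gitleaks schema, so it is presumably ignored. Suggest extending the default rules and trimming the allowlist to material that is genuinely non-secret (test fixtures, vendored code, loopback addresses).

```toml
title = "DocLoom Secret Scanning"

[extend]
useDefault = true

[allowlist]
description = "Allow common false positives"
paths = [
  "_test\\.go$",
  "fixtures/",
  "testdata/",
  "^vendor/"
]
regexes = [
  "127\\.0\\.0\\.1",
  "localhost"
]
```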