feat(ci): Phase 2.5 - CI guardrails for public repo

P2.5-001: Secrets scanning CI
- GitHub Actions workflow with Gitleaks
- Fallback grep scan for common patterns
- Runs on PR + push to main/production

P2.5-002: Build + lint workflow
- Installs deps, runs lint, typecheck, build
- Runs redaction tests
- Verifies dist output exists

P2.5-003: CONTRIBUTING.md
- Local dev setup instructions
- PR checklist (tests + secrets)
- Coding conventions
- Key rotation guide (docs/security/KEY_ROTATION.md)

QA smoke results:
- Build passes
- Workflows syntax valid
- .github no longer gitignored
Eric
2026-02-08 10:59:20 -05:00
parent 515a961262
commit 31a70629f2
6 changed files with 493 additions and 1 deletions

2
.gitignore vendored

@@ -23,4 +23,4 @@ docs/RELEASE-SETUP.md
docs/PHASE-3-ACTION-PLAN.md
docs/TAURI-PACKAGING-PLAN.md
.env.local
.github/
# Keep .github/workflows for CI
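Review bot: The new comment `# Keep .github/workflows for CI` names only the workflows directory, but dropping the `.github/` rule un-ignores everything under `.github/`, not just `workflows/`. Since that directory was ignored until now, any local-only files sitting there will start showing up as untracked and can be swept into a commit on a public repo. If the intent is to track workflows only, consider ignoring `.github/*` and re-including with `!.github/workflows/`, or reword the comment to say the whole directory is now tracked. Either way, run `git status .github/` before merging to confirm only the intended workflow files are being added.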