From 9e2dd28bc0b7ea8f81f340946b146e1d0f2a4fa5 Mon Sep 17 00:00:00 2001 From: Jon Buckley Date: Sun, 23 Nov 2025 15:42:32 -0500 Subject: [PATCH 1/6] fix(ci): Update detect-secrets plugin and generate baseline --- .pre-commit-config.yaml | 2 +- .secrets.baseline | 119 ++++++++++++++++++++++++++++++++++------ 2 files changed, 102 insertions(+), 19 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c126db09..346061fe 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -22,7 +22,7 @@ repos: hooks: - id: check-useless-excludes - repo: https://github.com/Yelp/detect-secrets - rev: v0.13.0 + rev: v1.5.0 hooks: - id: detect-secrets args: ['--baseline', '.secrets.baseline'] diff --git a/.secrets.baseline b/.secrets.baseline index 085355c6..9629c8ba 100644 --- a/.secrets.baseline +++ b/.secrets.baseline 
@@ -1,54 +1,137 @@ { - "exclude": { - "files": null, - "lines": null - }, - "generated_at": "2020-04-03T02:39:25Z", + "version": "1.5.0", "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, { "name": "AWSKeyDetector" }, { - "name": "ArtifactoryDetector" + "name": "AzureStorageKeyDetector" }, { - "base64_limit": 4.5, - "name": "Base64HighEntropyString" + "name": "Base64HighEntropyString", + "limit": 4.5 }, { "name": "BasicAuthDetector" }, { - "hex_limit": 3, - "name": "HexHighEntropyString" + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "GitLabTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "IPPublicDetector" }, { "name": "JwtTokenDetector" }, { - "keyword_exclude": null, - "name": "KeywordDetector" + "name": "KeywordDetector", + "keyword_exclude": "" }, { "name": "MailchimpDetector" }, + { + "name": "NpmDetector" + }, + { + "name": "OpenAIDetector" + }, { "name": "PrivateKeyDetector" }, + { + "name": "PypiTokenDetector" + }, + { + "name": "SendGridDetector" + }, { "name": "SlackDetector" }, { "name": "SoftlayerDetector" }, + { + "name": "SquareOAuthDetector" + }, { "name": "StripeDetector" + }, + { + "name": "TelegramBotTokenDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + 
"path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" } ], - "results": {}, - "version": "0.13.0", - "word_list": { - "file": null, - "hash": null - } + "results": { + "docs/SRE_INFO.md": [ + { + "type": "Hex High Entropy String", + "filename": "docs/SRE_INFO.md", + "hashed_secret": "19f5128f9b42e46e7ec93f4fc2882c9906c63fc2", + "is_verified": false, + "line_number": 73 + } + ] + }, + "generated_at": "2025-11-23T20:47:13Z" } From 095d14a3dfd572d8c335bcb75e072db37e147f33 Mon Sep 17 00:00:00 2001 From: Jon Buckley Date: Sun, 23 Nov 2025 15:54:01 -0500 Subject: [PATCH 2/6] fix(ci): Changes from trailing-whitespace plugin --- docs/refractr-architecture.md | 2 +- examples/complex-redirect.yml | 1 - examples/complex-rewrite-with-if-and-redirect.yml | 1 - examples/simple-multiple-sources.yml | 1 - examples/simple-single-source.yml | 1 - refractr/image/refractr.sh | 1 - 6 files changed, 1 insertion(+), 6 deletions(-) diff --git a/docs/refractr-architecture.md b/docs/refractr-architecture.md index f76a0227..4aee4799 100644 --- a/docs/refractr-architecture.md +++ b/docs/refractr-architecture.md 
@@ -29,7 +29,7 @@ The refractr.yml spec allows for specifying tests in the form of given-source to ### minimal changes Due to the nature of redirects and rewrites it is common to add new domains or subtract old ones. This means that the nginx config needs to be told which are the valid list of domains and update them when deploying a new refractr Docker image to GKE. When a new version of the refractr image is pushed to prod, redirects are already live. -In a second step, certificates must be created and linked to refractr's Loadbalancer -- this step currently requires a second PR to be opened after deployment. All certificates are managed with GCP's certificate manager api and attached to the Loadbalancer by a certmap, we manage all of those resources via terraform in refractr's infrastructure project. +In a second step, certificates must be created and linked to refractr's Loadbalancer -- this step currently requires a second PR to be opened after deployment. All certificates are managed with GCP's certificate manager api and attached to the Loadbalancer by a certmap, we manage all of those resources via terraform in refractr's infrastructure project. ## refractr traffic flow Traffic flow to refractr starts with DNS. A domain that should be handled by the system must be pointed to it's Loadbalancer, usually by a CNAME, in some cases, by A / AAAA records. Once a request reaches the Loadbalancer, we force HTTPS, then forward to the actual application pods, which then handle individual redirects as configured. diff --git a/examples/complex-redirect.yml b/examples/complex-redirect.yml index 1efe90cd..6239ef70 100644 --- a/examples/complex-redirect.yml +++ b/examples/complex-redirect.yml @@ -59,4 +59,3 @@ validate: - 301 http://lockwise.firefox.com/ -> https://www.mozilla.org/firefox/lockwise/ MATCHED test-result: MATCHED validate-result: SUCCESS - 
diff --git a/examples/complex-rewrite-with-if-and-redirect.yml b/examples/complex-rewrite-with-if-and-redirect.yml index dab5da8e..45ec1dad 100644 --- a/examples/complex-rewrite-with-if-and-redirect.yml +++ b/examples/complex-rewrite-with-if-and-redirect.yml @@ -68,4 +68,3 @@ validate: hops: - 301 http://en-uk.start.mozilla.com/ -> https://start.mozilla.org/en-uk/ MATCHED test-result: MATCHED - diff --git a/examples/simple-multiple-sources.yml b/examples/simple-multiple-sources.yml index 57b4329e..75cf717b 100644 --- a/examples/simple-multiple-sources.yml +++ b/examples/simple-multiple-sources.yml @@ -41,4 +41,3 @@ validate: - 301 http://labs.mozilla.com -> https://labs.mozilla.org/ MATCHED test-result: MATCHED validate-result: SUCCESS - diff --git a/examples/simple-single-source.yml b/examples/simple-single-source.yml index 70a92c5c..8dfb0083 100644 --- a/examples/simple-single-source.yml +++ b/examples/simple-single-source.yml @@ -31,4 +31,3 @@ validate: - 301 http://wiki.mozilla.com -> https://wiki.mozilla.org/ MATCHED test-result: MATCHED validate-result: SUCCESS - diff --git a/refractr/image/refractr.sh b/refractr/image/refractr.sh index 68b906fe..d2391e27 100755 --- a/refractr/image/refractr.sh +++ b/refractr/image/refractr.sh @@ -44,4 +44,3 @@ case "$ACTION" in exit 1 ;; esac - From 2372f790f5e9f63160adb30c591433525f355e1e Mon Sep 17 00:00:00 2001 From: Jon Buckley Date: Sun, 23 Nov 2025 16:02:11 -0500 Subject: [PATCH 3/6] fix(ci): Use any available version of python --- .pre-commit-config.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 346061fe..964f485d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,8 +5,6 @@ # Available pre-commit hooks # https://pre-commit.com/hooks.html -default_language_version: - python: python3.7 fail_fast: true repos: - repo: https://github.com/pre-commit/pre-commit-hooks From 4393911104f44bac9f0963a3a3cd360259adfbda Mon Sep 17 00:00:00 2001 
From: Jon Buckley Date: Sun, 23 Nov 2025 16:03:22 -0500 Subject: [PATCH 4/6] fix(ci): Use a maintained jsonschema validator --- .pre-commit-config.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 964f485d..7aadfd8f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -24,8 +24,9 @@ repos: hooks: - id: detect-secrets args: ['--baseline', '.secrets.baseline'] -- repo: https://github.com/mozilla-it/jsonschema-on-yaml - rev: main +- repo: https://github.com/python-jsonschema/check-jsonschema + rev: 0.35.0 hooks: - - id: jsonschema-on-yaml - args: ['refractr/refractr.yml', 'refractr/schema.yml'] \ No newline at end of file + - id: check-jsonschema + files: 'refractr\.yml$' + args: ['--schemafile', 'refractr/schema.json'] From a5b30b17e233f8391ce49a291f05c286f6d29f07 Mon Sep 17 00:00:00 2001 From: Jon Buckley Date: Sun, 23 Nov 2025 16:04:08 -0500 Subject: [PATCH 5/6] fix(ci): Run pre-commit on PRs and main --- .github/workflows/pre-commit.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .github/workflows/pre-commit.yaml diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml new file mode 100644 index 00000000..37ceaf5c --- /dev/null +++ b/.github/workflows/pre-commit.yaml @@ -0,0 +1,24 @@ +name: pre-commit + +on: + pull_request: {} + push: + branches: main + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +jobs: + pre-commit: + runs-on: ubuntu-latest + steps: + - name: Clone Repository + uses: actions/checkout@v6 + - name: Install uv + uses: astral-sh/setup-uv@v7 + - name: Install pre-commit + shell: bash + run: uv tool install pre-commit --with pre-commit-uv + - run: pre-commit run --show-diff-on-failure --color=always --all-files + shell: bash From bf879ef8922c3fef3dc7f110fc32d36e5fb7f59a Mon Sep 17 00:00:00 2001 
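Review bot: The `files: 'refractr\.yml$'` pattern is an unanchored regex, so it also selects `prod-refractr.yml` (the file the last patch in this series repairs), not only the `refractr/refractr.yml` the removed hook validated; if that file is meant to be validated against `refractr/schema.json` this is a real improvement, and if not the hook will start failing on it, so make the intent explicit with either `files: '^refractr/refractr\.yml$'` or a pattern that names both files. The schema argument also changes from `refractr/schema.yml` to `refractr/schema.json`, and no such file is added anywhere in this six-patch series, so confirm it exists in the tree or every run of the hook will error out. The hook sources are still pinned by mutable tag (`rev: 0.35.0` here, `rev: v1.5.0` for detect-secrets); pinning `rev` to the tag's commit SHA closes the tag-retargeting gap for code that runs on every developer machine and, after patch 5, in CI.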
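Review bot: The new workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository's default grant, which on many repositories is read/write, while a lint job only needs to read the checkout. Add at the top level `permissions:` followed by `  contents: read` so the token cannot push or write anything even if one of the hooks, or the pre-commit tool itself, turns out to be compromised. The actions are pinned to mutable major tags (`actions/checkout@v6`, `astral-sh/setup-uv@v7`) and `uv tool install pre-commit` resolves whatever release is current at run time; pinning the actions to full commit SHAs and the tool to an explicit version such as `pre-commit==<ver>` makes the run reproducible and removes the tag-retargeting vector. The `pull_request: {}` trigger also runs on fork PRs, where the token is already read-only, so the explicit permissions mostly matter for same-repo branches and the `push` to main.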
From: Jon Buckley Date: Sun, 23 Nov 2025 14:17:16 -0500 Subject: [PATCH 6/6] fix: Add missing `:` --- prod-refractr.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/prod-refractr.yml b/prod-refractr.yml index 7bd178cf..61b6b083 100644 --- a/prod-refractr.yml +++ b/prod-refractr.yml @@ -1228,17 +1228,17 @@ refracts: - www.browseagainstthemachine.com # SREIN-636 -- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=downloadfirefox-us +- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=downloadfirefox-us: - downloadfirefox.us - www.downloadfirefox.us # SREIN-636 -- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=fire-fox-us +- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=fire-fox-us: - fire-fox.us - www.fire-fox.us # SREIN-636 -- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=mozillafirefox-us +- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=mozillafirefox-us: - mozillafirefox.us - www.mozillafirefox.us @@ -1265,6 +1265,6 @@ refracts: - www.mozillastore.com # SREIN-636 -- viewsourceconf.org/ +- viewsourceconf.org/: - viewsourceconf.com - www.viewsourceconf.com
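Review bot: The pre-fix form of these four entries is not a syntax error: on the usual `- destination:` / indented `- source` layout (indentation is not visible in the collapsed diff, so this is inferred), a list item without the trailing `:` followed by indented `- host` lines parses as a single multi-line plain scalar such as `"www.mozilla.org/firefox/new/?... - downloadfirefox.us - www.downloadfirefox.us"`, so the downloadfirefox.us, fire-fox.us, mozillafirefox.us and viewsourceconf.org redirects were presumably silently absent rather than failing a deploy. That is exactly the class of misconfiguration the schema hook in this series should catch, so check that `refractr/schema.json` rejects a `refracts` entry that is a string containing whitespace (e.g. a `pattern` on string entries, or requiring objects here) and that the hook's `files` pattern actually covers prod-refractr.yml. A short comment above the block, e.g. `# each destination must end with ':' so the source hosts nest under it`, would help the next editor avoid the same slip.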