fix(ci+license): stop secrets-scan false positives on docs; LICENSE → Apache-2.0 #2
CI (check-secrets.yml):
- Skip the bare 0x+64hex Ethereum-key heuristic for Markdown files. This is a blockchain docs repo where 64-hex tokens are tx/UserOp hashes, bytes32 role constants, and contract bytecode (TypeDoc-generated API reference) — never private keys. Previously every push failed the scan.
- Anchor the Ethereum-key regex to EXACTLY 64 hex (non-hex boundaries) so a 64-char substring of longer bytecode no longer matches in source files.
- Strengthen the contextual private-key pattern to also catch quoted leaks (PRIVATE_KEY = "0x..."); this runs on every file incl. Markdown and is the safety net that lets the bare-hex heuristic safely skip docs.

License:
- Replace root LICENSE (was full GPL-3.0 text, a leftover from initial commit) with the Apache-2.0 license text the project actually intends — matching NOTICE, the site footer, and changelog.
- Align latest (root) MIT license declarations to Apache-2.0 in README, guide/getting-started, zh/guide/getting-started, guide(/docs)/API_REFERENCE.
- Archived /0.16.23/ snapshot intentionally left with its historical MIT text.

Note: api/** and zh/guide/sdk-readme.md MIT badges are SDK-generated/synced and must be fixed upstream in aastar-sdk (they regenerate).
Deploying aastar-docs with

| Latest commit: | e0253d7 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://b594909a.aastar-docs.pages.dev |
| Branch Preview URL: | https://fix-secrets-scan-and-license.aastar-docs.pages.dev |
clestons
left a comment
clestons review — #2 [4-round, APPROVE]

fix(ci+license): stop secrets-scan false positives on docs; LICENSE → Apache-2.0 — the CI regex fix is correct, the license consistency fix is complete, passed all four rounds.

CI secrets-scan changes confirmed

ETHEREUM_KEY_PATTERN boundaries correct ✅

```
ETHEREUM_KEY_PATTERN='(^|[^a-fA-F0-9])0x[a-fA-F0-9]{64}([^a-fA-F0-9]|$)'
```

The non-hex boundaries prevent a 64-character substring of a long bytecode string from matching; `(^|...)` works under both GNU and macOS `grep -E`.

.md exemption scope is exact ✅

```
case "$FILE" in
  *.md) ;;   # matches only the exact .md suffix; .md.bak etc. are unaffected
  *) if grep -nE "$ETHEREUM_KEY_PATTERN" "$FILE" ...
esac
```

PRIVATE_KEY_WITH_VALUE_PATTERN shell quoting correct ✅

Breakdown of the assignment string:
- SQ1: `'private[_-]key[[:space:]]*[:=][[:space:]]*["'` → literal `["`
- DQ: `"'"` → literal `'`
- SQ2: `` '`]?0x[a-fA-F0-9]{32,}' `` → the backtick is inside single quotes, so it is a literal, not command substitution

Final ERE: `` private[_-]key[[:space:]]*[:=][[:space:]]*["'`]?0x[a-fA-F0-9]{32,} ``

Catches all four forms PRIVATE_KEY = 0x... / "0x..." / '0x...' / `0x...` ✅; applies to all files (including markdown) ✅

grep variables are all double-quoted ✅

`grep -nE "$ETHEREUM_KEY_PATTERN" "$FILE"` — S1/S2 are both Codex false positives, REJECT

Local verification covered ✅ (PR description): the previously false-positive files are now CLEAN; a real private key in all three quote styles is still caught; placeholders are not flagged; bytecode is not flagged; a bare 64-hex key in a code file still is.

LICENSE fix confirmed ✅

Root LICENSE replaced from the full GPL-3.0 text (674 lines) with Apache-2.0 (201 lines), consistent with the NOTICE / footer / changelog declarations. The archived /0.16.23/ keeps its historical MIT text, untouched (consistent with the PR #1 judgment).

[Info] M1 — an unlabelled bare private key in markdown would be missed

If someone pastes 0x<64hex> directly into a .md file without a private_key = label, none of the current patterns catches it. Acceptable for a docs repo (PEM / cloud-key / OpenAI-key detection still applies to markdown as a fallback). Optional direction: narrow the exemption further (e.g. exempt only when the hex token is preceded by a hash/role/bytecode keyword), but this does not block the PR.

Round summary
- R1 DeepSeek: skipped (CI secrets-scan change, escalated to 4-round)
- R2 Sonnet: regex boundaries ✅, md exemption exact ✅, PRIVATE_KEY 3 quote styles ✅, GPL→Apache ✅, M1 [Info]
- R3 Codex: MISSED S1 (grep variable unquoted) / S2 (backtick command substitution) → both REJECT (variables are double-quoted; the backtick is inside a single-quoted string); CONFIRM M1
- Opus verdict: APPROVE — no blocking items; S1/S2 REJECT verified; M1 acceptable for a docs repo
Background

After merging #1, the "Scan for Private Keys and Secrets" CI job went red on every push to main; in addition, the root LICENSE was actually the full GPL-3.0 text, contradicting the Apache-2.0 claimed by NOTICE, the site footer and the changelog. This PR fixes both.

#1 secrets-scan false positives (.github/workflows/check-secrets.yml)

The scan treated every 0x+64hex token as an Ethereum private key, but the 64-hex tokens in this repo are all transaction/UserOp hashes, bytes32 role constants and contract bytecode (TypeDoc-generated API docs); not one is a private key. On .md files this is pure noise, so the bare-hex heuristic now skips them. The contextual pattern is strengthened to also catch quoted leaks such as PRIVATE_KEY = "0x...". That check applies to **all files (including markdown)** and is the safety net that lets bare hex through on docs.

Local verification: the previously false-positive files *Artifact.md / DEFAULT_ADMIN_ROLE.md / real-l3-demo-log.md / technical_plan.md are now all CLEAN; a real private key (three quote styles) written into md is still caught; the placeholder YOUR_EOA_PRIVATE_KEY is not flagged; bytecode in code files is not flagged while a bare 64-hex key still is; the YAML is valid.

#2 LICENSE corrected to Apache-2.0

The root LICENSE (GPL-3.0 full text left over from the initial commit) is replaced with the Apache-2.0 text, consistent with NOTICE/footer/changelog. /0.16.23/ keeps its historical MIT text, unchanged.

Known / follow-up (needs handling on the SDK side)

The MIT badges in api/** and zh/guide/sdk-readme.md are SDK-generated/synced content and will be overwritten on the next sync; they should be fixed upstream in the aastar-sdk repo and are not changed in this PR.
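The two patterns and the `.md` exemption that the PR description and the review above discuss, reproduced as an added example. This is not the repository's check-secrets.yml; it is a stand-alone script that exercises the same logic against constructed sample files whose names merely mirror the cases listed under local verification. One assumption: the contextual grep is run with `-i`, because the review says the lowercase `private[_-]key` pattern catches `PRIVATE_KEY`, which requires a case-insensitive match.

```shell
#!/usr/bin/env bash
# Added example, not the repo's check-secrets.yml: the two patterns from the PR
# plus the .md exemption, exercised against constructed sample files.
set -u

# Bare Ethereum-key heuristic: exactly 64 hex digits after 0x, bounded by a
# non-hex character (or line start/end), so a 64-char slice of longer bytecode
# does not match. Applied to non-Markdown files only.
ETHEREUM_KEY_PATTERN='(^|[^a-fA-F0-9])0x[a-fA-F0-9]{64}([^a-fA-F0-9]|$)'

# Contextual pattern: a private_key / private-key label, ':' or '=', an optional
# opening quote (double, single or backtick), then 0x and 32+ hex digits.
# Built as SQ1 + DQ("'") + SQ2 so the backtick sits inside single quotes and
# stays literal (no command substitution). Applied to every file, Markdown too.
PRIVATE_KEY_WITH_VALUE_PATTERN='private[_-]key[[:space:]]*[:=][[:space:]]*["'"'"'`]?0x[a-fA-F0-9]{32,}'

# scan_file FILE: print matching lines; return 0 if anything matched, 1 if clean.
scan_file() {
  local file="$1" found=1
  # Safety net first. -i is an assumption (see lead-in): the lowercase pattern
  # only catches PRIVATE_KEY if the match is case-insensitive.
  if grep -niE "$PRIVATE_KEY_WITH_VALUE_PATTERN" "$file"; then found=0; fi
  case "$file" in
    *.md) ;;   # exact .md suffix only; notes.md.bak still gets the bare-hex check
    *) if grep -nE "$ETHEREUM_KEY_PATTERN" "$file"; then found=0; fi ;;
  esac
  return "$found"
}

# verdict FILE: print CLEAN or FINDING without the matched lines (for scripting).
verdict() {
  if scan_file "$1" >/dev/null; then echo FINDING; else echo CLEAN; fi
}

# Constructed samples (not real repo files). Runs of 'a' and 'b' are valid hex;
# a real key, hash or bytecode blob looks no different to the regex.
HEX64=$(printf '%064d' 0 | tr 0 a)      # 64 hex digits: key- or hash-shaped
HEX200=$(printf '%0200d' 0 | tr 0 b)    # 200 hex digits: bytecode-shaped
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Markdown API reference: a bytes32 role constant and bytecode -> CLEAN (exempt)
printf '## DEFAULT_ADMIN_ROLE\n\nvalue: 0x%s\n\nbytecode: 0x%s\n' "$HEX64" "$HEX200" > "$WORK/API_REFERENCE.md"
# Markdown with a labelled, backtick-quoted key -> FINDING (contextual pattern)
printf 'PRIVATE_KEY = `0x%s`\n' "$HEX64" > "$WORK/leak.md"
# Markdown with the documented placeholder -> CLEAN (no 0x after the '=')
printf 'export PRIVATE_KEY=YOUR_EOA_PRIVATE_KEY\n' > "$WORK/placeholder.md"
# Source file holding bytecode -> CLEAN (anchored to exactly 64 hex)
printf 'export const bytecode = "0x%s";\n' "$HEX200" > "$WORK/Artifact.ts"
# Source file with a bare, unlabelled 64-hex key -> FINDING (bare heuristic)
printf 'const signer = new Wallet(0x%s);\n' "$HEX64" > "$WORK/deploy.ts"
# Not an exact .md suffix, so the bare heuristic still applies -> FINDING
printf 'scratch: 0x%s\n' "$HEX64" > "$WORK/notes.md.bak"

for f in "$WORK"/*; do
  printf '%-18s %s\n' "$(basename "$f")" "$(verdict "$f")"
done
```

Running it prints one CLEAN/FINDING line per sample. The `notes.md.bak` case is there to show that the `*.md` arm exempts only the exact suffix, and `leak.md` shows why the contextual pattern must keep running on Markdown once the bare heuristic skips it: that labelled key would otherwise ship undetected.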