fix(ci+license): stop secrets-scan false positives on docs; LICENSE → Apache-2.0

.github/workflows/check-secrets.yml

@@ -48,8 +48,15 @@ jobs:
           echo -e "${BLUE}📋 Scanning ${FILE_COUNT} file(s) for secrets...${NC}\n"
 
           # 检测模式
-          # 1. Ethereum private key: 0x + 64 hex chars
-          ETHEREUM_KEY_PATTERN='0x[a-fA-F0-9]{64}'
+          # 1. Ethereum private key: 0x + EXACTLY 64 hex chars (bounded by non-hex).
+          #    The non-hex boundaries prevent matching a 64-char *substring* of
+          #    longer contiguous hex such as contract bytecode. This bare-hex
+          #    heuristic is ONLY applied to source/config files — it is skipped
+          #    for Markdown docs, where 64-hex tokens are overwhelmingly tx
+          #    hashes / bytes32 constants / bytecode, not secrets. A real key
+          #    pasted into a doc with a label is still caught by
+          #    PRIVATE_KEY_WITH_VALUE_PATTERN, which runs on every file.
+          ETHEREUM_KEY_PATTERN='(^|[^a-fA-F0-9])0x[a-fA-F0-9]{64}([^a-fA-F0-9]|$)'
 
           # 2. PEM format private keys
           PEM_PATTERN='BEGIN.*PRIVATE KEY'
@@ -60,8 +67,12 @@ jobs:
           # 4. AWS secret key
           AWS_SECRET_PATTERN='aws_secret_access_key[[:space:]]*=[[:space:]]*[a-zA-Z0-9/+]{40}'
 
-          # 5. Private key with actual hex value
-          PRIVATE_KEY_WITH_VALUE_PATTERN='private[_-]key[[:space:]]*[:=][[:space:]]*0x[a-fA-F0-9]{32,}'
+          # 5. Private key with actual hex value. Allows an optional opening
+          #    quote (" ' or `) between the assignment and 0x, so quoted leaks
+          #    like  PRIVATE_KEY = "0x..."  are caught. This contextual check
+          #    runs on EVERY file (incl. Markdown) and is the safety net that
+          #    lets the bare-hex heuristic above safely skip docs.
+          PRIVATE_KEY_WITH_VALUE_PATTERN='private[_-]key[[:space:]]*[:=][[:space:]]*["'"'"'`]?0x[a-fA-F0-9]{32,}'
 
           # 6. OpenAI API keys (sk-... or sk-proj-...)
           OPENAI_KEY_PATTERN='sk-[a-zA-Z0-9]{48,}'
@@ -91,14 +102,24 @@ jobs:
             fi
 
             FINDINGS=""
-
-            # Check Ethereum keys
-            if grep -nE "$ETHEREUM_KEY_PATTERN" "$FILE" > /dev/null 2>&1; then
-              FINDINGS="${FINDINGS}   [CRITICAL] Ethereum Private Key (256-bit hex)\n"
-              FINDINGS="${FINDINGS}$(grep -nE "$ETHEREUM_KEY_PATTERN" "$FILE" | head -3 | sed 's/^/     /')\n"
-              FOUND_SECRETS=1
-              TOTAL_FINDINGS=$((TOTAL_FINDINGS + 1))
-            fi
+
+            # Check Ethereum keys (bare 64-hex heuristic) — skip Markdown docs.
+            # This is a blockchain docs repo: generated API reference (contract
+            # bytecode, bytes32 role constants) and demo logs (tx / UserOp
+            # hashes) are full of 64-hex tokens that are NOT private keys. The
+            # contextual checks below (PRIVATE_KEY_WITH_VALUE_PATTERN, PEM,
+            # cloud API keys) still run on every file, including Markdown.
+            case "$FILE" in
+              *.md) ;;  # docs: bare 64-hex is expected (hashes/bytecode/bytes32)
+              *)
+                if grep -nE "$ETHEREUM_KEY_PATTERN" "$FILE" > /dev/null 2>&1; then
+                  FINDINGS="${FINDINGS}   [CRITICAL] Ethereum Private Key (256-bit hex)\n"
+                  FINDINGS="${FINDINGS}$(grep -nE "$ETHEREUM_KEY_PATTERN" "$FILE" | head -3 | sed 's/^/     /')\n"
+                  FOUND_SECRETS=1
+                  TOTAL_FINDINGS=$((TOTAL_FINDINGS + 1))
+                fi
+                ;;
+            esac
 
             # Check PEM keys
             if grep -nE "$PEM_PATTERN" "$FILE" > /dev/null 2>&1; then