diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a2868a5..2563a7e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -33,10 +33,6 @@ kics:
 hadolint:
   allow_failure: true
 
-# secrets job - allow failure due to gitleaks false positive on s3_key attribute
-secrets:
-  allow_failure: true
-
 # Post-deployment integration tests template
 .integration_test_template: &integration_test_template
   stage: deploy  # Runs in deploy stage, but after deployment due to 'needs'
@@ -309,6 +305,7 @@ cleanup_feature:
   needs: []
   variables:
     NAMESPACE: orch-dev-namespace
+    GIT_STRATEGY: none  # No source needed, branch may be deleted
   before_script:
     - kubectl config use-context esv/bsf/bsf-integration/orchard/orchard-mvp:orchard
   script:
diff --git a/.gitleaksignore b/.gitleaksignore
index b9dd27c..d47191d 100644
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -1,6 +1,7 @@
 # Gitleaks ignore file
 # https://github.com/gitleaks/gitleaks#gitleaksignore
 #
-# Note: secrets job set to allow_failure in .gitlab-ci.yml
 # False positive: s3_key is an attribute name in test assertions, not a secret
-# Protected by inline # gitleaks:allow comments in test_storage.py
+# These are historical commits - files have since been deleted or updated with inline comments
+7e68baed0886a3c928644cd01aa3b39f92d4f976:backend/tests/test_duplicate_detection.py:generic-api-key:154
+2f1891cf0126ec0e7d4c789d872a2cb2dd3a1745:backend/tests/unit/test_storage.py:generic-api-key:381