Add gitleaks config to allowlist test files

Ignores backend/tests/*.py across all git history to avoid false positives on variable names like 's3_key' in test assertions.
Add gitleaks fingerprint for test file false positive
2026-01-23 22:04:36 +00:00 · 2026-01-23 21:58:59 +00:00 · 2026-01-23 15:50:24 -06:00 · 2026-01-23 15:50:24 -06:00 · 2026-01-23 13:00:51 -06:00 · 2026-01-23 10:46:20 -07:00
4 changed files with 103 additions and 28 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -36,9 +36,68 @@ stages:
  - analyze
  - deploy

+# Override Prosper template jobs to exclude tag pipelines
+# Tags only run deploy_prod and smoke_test_prod (image already built on main)
+build_image:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+test_image:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+hadolint:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
 kics:
  variables:
    KICS_CONFIG: kics.config
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+secrets:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+app_deps_scan:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+cve_scan:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+app_sbom_analysis:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+cve_sbom_analysis:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+# Override release job to wait for stage integration tests before creating tag
+# This ensures the tag (which triggers prod deploy) is only created after stage passes
+release:
+  needs: [integration_test_stage, changelog]

 # Full integration test suite template (for feature/stage deployments)
 # Runs the complete pytest integration test suite against the deployed environment
@@ -269,6 +328,10 @@ python_unit_tests:
        coverage_format: cobertura
        path: backend/coverage.xml
  coverage: '/TOTAL.*\s+(\d+%)/'
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success

 # Run frontend tests
 frontend_tests:
@@ -298,6 +361,10 @@ frontend_tests:
        coverage_format: cobertura
        path: frontend/coverage/cobertura-coverage.xml
  coverage: '/All files[^|]*\|[^|]*\s+([\d\.]+)/'
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success

 # Shared deploy configuration
 .deploy_template: &deploy_template
@@ -425,12 +492,11 @@ cleanup_feature:
 # Deploy to production (version tags only)
 deploy_prod:
  stage: deploy
-  # For tag pipelines, most jobs don't run (trusting main was tested)
-  # We only need build_image to have the image available
-  needs: [build_image]
+  # For tag pipelines, no other jobs run - image was already built when commit was on main
+  needs: []
  image: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12
  variables:
-    NAMESPACE: orch-prod-namespace
+    NAMESPACE: orch-namespace
    VALUES_FILE: helm/orchard/values-prod.yaml
    BASE_URL: $PROD_URL
  before_script:
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -0,0 +1,8 @@
+# Gitleaks configuration
+# https://github.com/gitleaks/gitleaks#configuration
+
+[allowlist]
+# Test files that contain variable names matching secret patterns (e.g., s3_key)
+paths = [
+  '''backend/tests/.*\.py''',
+]
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -16,3 +16,4 @@ bccbc71c13570d14b8b26a11335c45f102fe3072:backend/tests/unit/test_storage.py:gene
 08dce6cbb836b687002751fed4159bfc2da61f8b:backend/tests/unit/test_storage.py:generic-api-key:381
 617bcbe89cff9a009d77e4f1f1864efed1820e63:backend/tests/unit/test_storage.py:generic-api-key:381
 1cbd33544388e0fe6db752fa8886fab33cf9ce7c:backend/tests/unit/test_storage.py:generic-api-key:381
+7cfad28f678f5a5b8b927d694a17b9ba446b7138:backend/tests/unit/test_storage.py:generic-api-key:381
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

 ## [Unreleased]
+### Changed
+- Simplified tag pipeline to only run deploy and smoke tests (image already built on main) (#54)
+
+### Fixed
+- Fixed production CI deployment namespace to use correct `orch-namespace` (#54)
+- Added gitleaks config to allowlist test files from secret scanning (#54)
+
+## [0.5.0] - 2026-01-23
 ### Added
 - Added factory reset endpoint `POST /api/v1/admin/factory-reset` for test environment cleanup (#54)
  - Requires admin authentication and `X-Confirm-Reset: yes-delete-all-data` header
@@ -15,30 +23,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added AWS Secrets Manager CSI driver support for database credentials (#54)
 - Added SecretProviderClass template for Secrets Manager integration (#54)
 - Added IRSA service account annotations for prod and stage environments (#54)
-
-### Changed
- Configured stage and prod to use AWS RDS instead of PostgreSQL subchart (#54)
- Configured stage and prod to use AWS S3 instead of MinIO subchart (#54)
- Changed prod deployment from manual to automatic on version tags (#54)
- Updated S3 client to support IRSA credentials when no explicit keys provided (#54)
- Changed prod image pullPolicy to Always (#54)
- Added proxy-body-size annotation to prod ingress for large uploads (#54)
-
-### Removed
- Disabled PostgreSQL subchart for stage and prod environments (#54)
- Disabled MinIO subchart for stage and prod environments (#54)
-
-### Fixed
- Fixed factory reset not creating default admin user after reset (#60)
-  - Admin user was only created at server startup, not after factory reset
-  - CI reset job would fail to login because admin user didn't exist
- Improved reset_stage CI job reliability (#60)
-  - Added application-level retry logic (3 attempts with 5s delay)
-  - Added job-level retry for transient failures
-  - Fixed httpx client to use proper context manager
-  - Increased timeout to 120s for reset operations
-
-### Added
 - Added comprehensive upload/download tests for size boundaries (1B to 1GB) (#38)
 - Added concurrent upload/download tests (2, 5, 10 parallel operations) (#38)
 - Added data integrity tests (binary, text, unicode, compressed content) (#38)
@@ -93,6 +77,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added internal proxy configuration for npm, pip, helm, and apt (#51)

 ### Changed
+- Configured stage and prod to use AWS RDS instead of PostgreSQL subchart (#54)
+- Configured stage and prod to use AWS S3 instead of MinIO subchart (#54)
+- Changed prod deployment from manual to automatic on version tags (#54)
+- Updated S3 client to support IRSA credentials when no explicit keys provided (#54)
+- Changed prod image pullPolicy to Always (#54)
+- Added proxy-body-size annotation to prod ingress for large uploads (#54)
 - CI integration tests now run full pytest suite (~350 tests) against deployed environment instead of 3 smoke tests
 - CI production deployment uses lightweight smoke tests only (no test data creation in prod)
 - CI pipeline improvements: shared pip cache, `interruptible` flag on test jobs, retry on integration tests
@@ -113,6 +103,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Improved pod naming: Orchard pods now named `orchard-{env}-server-*` for clarity (#51)

 ### Fixed
+- Fixed factory reset not creating default admin user after reset (#60)
+- Admin user was only created at server startup, not after factory reset
+- CI reset job would fail to login because admin user didn't exist
+- Improved reset_stage CI job reliability (#60)
+- Added application-level retry logic (3 attempts with 5s delay)
+- Added job-level retry for transient failures
+- Fixed httpx client to use proper context manager
+- Increased timeout to 120s for reset operations
 - Fixed CI integration test rate limiting: added configurable `ORCHARD_LOGIN_RATE_LIMIT` env var, relaxed to 1000/minute for dev/stage
 - Fixed duplicate `TestSecurityEdgeCases` class definition in test_auth_api.py
 - Fixed integration tests auth: session-scoped client, configurable credentials via env vars, fail-fast on auth errors
@@ -133,6 +131,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ### Removed
 - Removed unused `store_streaming()` method from storage.py (#51)
+- Disabled PostgreSQL subchart for stage and prod environments (#54)
+- Disabled MinIO subchart for stage and prod environments (#54)

 ## [0.4.0] - 2026-01-12
 ### Added
Author	SHA1	Message	Date
Mondo Diaz	a45f540895	Add gitleaks config to allowlist test files Ignores backend/tests/*.py across all git history to avoid false positives on variable names like 's3_key' in test assertions.	2026-01-23 22:04:36 +00:00
Mondo Diaz	bbb4e09a33	Add gitleaks fingerprint for test file false positive	2026-01-23 21:58:59 +00:00
Mondo Diaz	3a807870a3	Merge branch 'fix/ci-prod-namespace' into 'main' Fix production CI deployment and simplify tag pipeline See merge request esv/bsf/bsf-integration/orchard/orchard-mvp!41	2026-01-23 15:50:24 -06:00
Mondo Diaz	f966fde7df	Fix production CI deployment and simplify tag pipeline	2026-01-23 15:50:24 -06:00
Mondo Diaz	133d9cbfd6	Merge branch 'bump_version' into 'main' add changelog entry to cut a new release See merge request esv/bsf/bsf-integration/orchard/orchard-mvp!40	2026-01-23 13:00:51 -06:00
Dane Moss	276b4f2743	add changelog entry to cut a new release	2026-01-23 10:46:20 -07:00