ci: sync gitleaks allowlist

.gitea/workflows/ci.yml

@@ -1,5 +1,5 @@
 ---
-# ci-sync: 2026-05-30T01:29:46Z
+# ci-sync: 2026-05-30T02:31:17Z
 # Homelab CI — Python lane (git-ci-01) + secret scan (git-ci-02)
 # Skip: @skipci in branch name or commit message
 name: CI
@@ -76,5 +76,9 @@ jobs:
           fetch-depth: 0
       - name: Gitleaks
         run: |
+          extra=""
+          if [ -f .gitleaks.toml ]; then
+            extra="--config /repo/.gitleaks.toml"
+          fi
           docker run --rm -v "$PWD:/repo" ghcr.io/gitleaks/gitleaks:latest \
-            detect --source /repo --no-banner --redact
+            detect --source /repo --no-banner --redact ${extra}

.gitleaks.toml

@@ -0,0 +1,19 @@
+# Homelab bootstrap — gitleaks allowlist (tests, examples, placeholders)
+title = "homelab gitea bootstrap"
+
+[allowlist]
+description = "Test fixtures and example configs are not production secrets"
+paths = [
+  '''(?i).*\.test\.(ts|tsx|js|jsx|py)$''',
+  '''(?i).*\.spec\.(ts|tsx|js|jsx)$''',
+  '''(?i).*/tests/.*''',
+  '''(?i).*/__tests__/.*''',
+  '''(?i).*\.example\.(yml|yaml|env|json|toml)$''',
+  '''(?i).*vault\.example\.(yml|yaml)$''',
+  '''(?i).*\.env\.example$''',
+]
+regexes = [
+  '''(?i)(invalid|fake|dummy|placeholder|example|changeme|change_me|not-a-real)''',
+  '''(?i)sk-or-invalid''',
+  '''(?i)msk-or-invalid''',
+]