fix(ci): unblock daily pipeline preflight + suppress gitleaks false positive

costajohnt · costajohnt · commit 50c1de1a3671 · 2026-04-27T19:41:51.000-07:00
Two unrelated CI failures, fixed together: 1. Daily Trading Pipeline preflight (broken since 2026-04-25) The secret-file permissions check added in a6ecfe7 requires data/trading_state.db at 0o600. The "Restore state from trading-data branch" step uses git checkout, which restores files at 0o644. Result: preflight failed every run, skipping position_manager, screener, watchlist, and momentum (each gated on steps.preflight.outcome == 'success'). 4 failed runs today; last green was 2026-04-24. Fix: chmod 600 the restored db before preflight runs. Keeps the safety check honest on local/macOS while matching reality on the ephemeral GHA runner. 2. Gitleaks scheduled scan generic-api-key (entropy 3.55) matches the literal "key:" in a Python comment in tests/test_momentum_strategy.py at commit 6eff1eb. No real secret. Allowlisted by fingerprint via .gitleaksignore since the comment lives in commit history and can't be suppressed by editing the working tree.
diff --git a/.github/workflows/daily-trading.yml b/.github/workflows/daily-trading.yml
@@ -48,6 +48,8 @@ jobs:
         run: |
           git fetch origin trading-data 2>/dev/null || true
           git checkout origin/trading-data -- data/ 2>/dev/null || echo "No prior trading data"
+          # Git restores files at 0644; preflight requires 0600 on the state DB.
+          chmod 600 data/trading_state.db 2>/dev/null || true
 
       - name: 0. Pre-flight Health Check
         id: preflight
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -0,0 +1,9 @@
+# Gitleaks fingerprint allowlist.
+# Format: <commit-sha>:<path>:<rule-id>:<line>
+# Add a fingerprint here only after manually verifying the finding is a false positive.
+
+# False positive: gitleaks generic-api-key matches the literal phrase "key:" in a
+# Python comment ("# The key: price_50d_ago must be close to price_10d_ago.").
+# No real credential. Cannot be suppressed by editing the file because the match
+# is in commit history.
+6eff1ebbe9074aa261688c52b5a2499734d2a1c1:tests/test_momentum_strategy.py:generic-api-key:147
