CI mods

Mangaliso Mngomezulu · Mangaliso Mngomezulu · commit 8740cae1626d · 2026-01-06T23:30:54.000+02:00
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
@@ -71,10 +71,9 @@ jobs:
           
           # 1) Strict scan: all tracked files except notebooks
           detect-secrets scan \
-            --exclude-files '*.ipynb' \
+            --exclude-files '*\.ipynb$' \ 
             > .secrets.strict.json
         
-
       - name: Fail if new secrets appear vs baseline
       
         run: |
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -22,7 +22,7 @@ repos:
     hooks:
     -   id: add-trailing-comma
 -   repo: https://github.com/ibm/detect-secrets.git
-    rev: 1f70358329b1f5dbe444df5c35c424b706bf8260
+    rev: 0.13.1+ibm.62.dss
     hooks:
         - id: detect-secrets # pragma: whitelist secret
         # Add options for detect-secrets-hook binary. You can run `detect-secrets-hook --help` to list out all possible options.
diff --git a/.semgrep.yaml b/.semgrep.yaml
@@ -0,0 +1,19 @@
+
+# .semgrep.yaml
+# Goal: do not fail on torch.load(..)
+
+rules:
+  
+  - id: python.deserialization.pickle
+ 
+    # 👇 Exclude torch.load from this rule so it won't be reported as ERROR:
+    pattern-not: |
+      torch.load(...)
+
+  # ---  record torch.load usage as INFO, non-blocking ---
+  - id: python.deserialization.pytorch.torch-load
+    message: "torch.load detected (accepted for trusted checkpoints). Prefer weights_only=True."
+    languages: [python]
+    severity: INFO
+    pattern: |
+     
