docs(wiki): sync from modules/ @ 556b5a72
@@ -438,6 +438,15 @@ runs on every push and blocks the merge.
|
||||
|
||||
---
|
||||
|
||||
### Gate 0: your hosted forge
|
||||
|
||||
Most hosted forges run their own secret scanner on every push and reject the push if it finds a
|
||||
recognized key pattern (GitHub calls this *push protection*; GitLab and others have equivalents).
|
||||
That happens **before** any CI you wrote runs, so it is effectively *Gate 0* in this module. The
|
||||
planted `SYNC_API_KEY` in `lab/config.py` uses a generic high-entropy value (not an issuer
|
||||
pattern) so the lab can ship; in your real repo, treat your forge's push protection as the
|
||||
earliest gate and never paper over a bypass.
|
||||
|
||||
## Where it breaks
|
||||
|
||||
The honest limits (these gates are necessary, not sufficient):
|
||||
|
||||
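Review bot: The closing instruction in the new Gate 0 paragraph, "never paper over a bypass", does not say what the reader should actually do, so it is hard to act on. Suggest spelling it out: when push protection rejects a push, treat the key as exposed (it is already in a local commit), rotate it and remove it from history, rather than using the forge's bypass option to get the push through. Two smaller points in the same paragraph. "Most hosted forges run their own secret scanner on every push" reads as unconditional, but push protection is a repository or organisation setting, so a "confirm it is enabled for your repo" clause would keep readers from assuming a gate that is not there. And the sentence about the planted `SYNC_API_KEY` shows that a generic high-entropy value gets past the forge scanner because it is "not an issuer pattern"; that is a real limit of Gate 0 and deserves an explicit bullet under "Where it breaks" instead of being mentioned only as the reason the lab can ship.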