MQL5-Google-Onedrive/scripts/verify_secret_scanning.py

#!/usr/bin/env python3
"""
Verification script for ci_validate_repo.py secret scanning.
"""

import sys
import shutil
import subprocess
from pathlib import Path

REPO_ROOT = Path(__file__).resolve().parents[1]
CI_SCRIPT = REPO_ROOT / "scripts" / "ci_validate_repo.py"

def run_check():
    """Runs the validation script and returns returncode."""
    result = subprocess.run(
        [sys.executable, str(CI_SCRIPT)],
        cwd=REPO_ROOT,
        capture_output=True,
        text=True
    )
    return result.returncode, result.stdout, result.stderr

def test_secret_in_tracked_file():
    print("Testing secret in tracked file (should FAIL)...")
    test_file = REPO_ROOT / "scripts" / "temp_secret.py"
    # Create file with a pattern that ci_validate_repo.py detects
    # ghp_ is the prefix, then 36 chars
    # We construct it dynamically so the script itself isn't flagged
    secret = "ghp_" + "1" * 36
    test_file.write_text(f'SECRET_TOKEN = "{secret}"')

    try:
        code, out, err = run_check()
        if code != 0:
            print("PASS: Script correctly failed.")
        else:
            print("FAIL: Script passed but should have failed.")
            print("Output:", out)
            print("Error:", err)
            sys.exit(1)
    finally:
        if test_file.exists():
            test_file.unlink()

def test_secret_in_excluded_dir():
    print("Testing secret in excluded dir (should PASS)...")
    # Make sure we use a directory name that is in the excluded list of ci_validate_repo.py
    # "node_modules" is a safe bet
    excluded_root = REPO_ROOT / "node_modules"

    created_root = False
    if not excluded_root.exists():
        excluded_root.mkdir()
        created_root = True

    test_dir = excluded_root / "test_pkg"
    test_dir.mkdir(exist_ok=True)

    test_file = test_dir / "index.js"
    # Create file with a pattern that ci_validate_repo.py detects
    secret = "ghp_" + "1" * 36
    test_file.write_text(f'const token = "{secret}";')

    try:
        code, out, err = run_check()
        if code == 0:
            print("PASS: Script correctly ignored excluded directory.")
        else:
            print("FAIL: Script failed but should have passed.")
            print("Output:", out)
            print("Error:", err)
            sys.exit(1)
    finally:
        if test_file.exists():
            test_file.unlink()
        if test_dir.exists():
            test_dir.rmdir()
        if created_root and excluded_root.exists():
            excluded_root.rmdir()

if __name__ == "__main__":
    print("Running verification tests...")

    test_secret_in_tracked_file()
    test_secret_in_excluded_dir()

    print("All verification tests passed!")
feat: optimize repo validation by pruning excluded dirs Replaces `rglob` with `os.walk` using `topdown=True` in `scripts/ci_validate_repo.py`. This allows pruning large ignored directories (like `node_modules` or `.git`) before traversal, significantly reducing the number of files scanned. Performance: - Benchmarked ~2.4x faster in the current environment (0.045s -> 0.019s). - Impact scales with the size of ignored directories. Verification: - Added `scripts/verify_secret_scanning.py` to ensure secret scanning logic correctly detects secrets in tracked files and ignores them in excluded directories. 2026-02-27 05:32:13 +00:00			`#!/usr/bin/env python3`
			`"""`
			`Verification script for ci_validate_repo.py secret scanning.`
			`"""`

			`import sys`
			`import shutil`
			`import subprocess`
			`from pathlib import Path`

			`REPO_ROOT = Path(__file__).resolve().parents[1]`
			`CI_SCRIPT = REPO_ROOT / "scripts" / "ci_validate_repo.py"`

			`def run_check():`
			`"""Runs the validation script and returns returncode."""`
			`result = subprocess.run(`
			`[sys.executable, str(CI_SCRIPT)],`
			`cwd=REPO_ROOT,`
			`capture_output=True,`
			`text=True`
			`)`
			`return result.returncode, result.stdout, result.stderr`

			`def test_secret_in_tracked_file():`
			`print("Testing secret in tracked file (should FAIL)...")`
			`test_file = REPO_ROOT / "scripts" / "temp_secret.py"`
			`# Create file with a pattern that ci_validate_repo.py detects`
			`# ghp_ is the prefix, then 36 chars`
			`# We construct it dynamically so the script itself isn't flagged`
			`secret = "ghp_" + "1" * 36`
			`test_file.write_text(f'SECRET_TOKEN = "{secret}"')`

			`try:`
			`code, out, err = run_check()`
			`if code != 0:`
			`print("PASS: Script correctly failed.")`
			`else:`
			`print("FAIL: Script passed but should have failed.")`
			`print("Output:", out)`
			`print("Error:", err)`
			`sys.exit(1)`
			`finally:`
			`if test_file.exists():`
			`test_file.unlink()`

			`def test_secret_in_excluded_dir():`
			`print("Testing secret in excluded dir (should PASS)...")`
			`# Make sure we use a directory name that is in the excluded list of ci_validate_repo.py`
			`# "node_modules" is a safe bet`
			`excluded_root = REPO_ROOT / "node_modules"`

			`created_root = False`
			`if not excluded_root.exists():`
			`excluded_root.mkdir()`
			`created_root = True`

			`test_dir = excluded_root / "test_pkg"`
			`test_dir.mkdir(exist_ok=True)`

			`test_file = test_dir / "index.js"`
			`# Create file with a pattern that ci_validate_repo.py detects`
			`secret = "ghp_" + "1" * 36`
			`test_file.write_text(f'const token = "{secret}";')`

			`try:`
			`code, out, err = run_check()`
			`if code == 0:`
			`print("PASS: Script correctly ignored excluded directory.")`
			`else:`
			`print("FAIL: Script failed but should have passed.")`
			`print("Output:", out)`
			`print("Error:", err)`
			`sys.exit(1)`
			`finally:`
			`if test_file.exists():`
			`test_file.unlink()`
			`if test_dir.exists():`
			`test_dir.rmdir()`
			`if created_root and excluded_root.exists():`
			`excluded_root.rmdir()`

			`if __name__ == "__main__":`
			`print("Running verification tests...")`

			`test_secret_in_tracked_file()`
			`test_secret_in_excluded_dir()`

			`print("All verification tests passed!")`