Skip staged submodule pins (gitlinks) in secret-scan.sh#25
Pull request overview
This PR updates the shared scripts/secret-scan.sh staged scanner to avoid aborting when a staged path is a submodule gitlink (mode 160000), which cannot be materialized via git show :path and therefore should be safely skipped.
Changes:
- Add a staged-path pre-check to detect gitlinks (submodule pointers) and skip them before attempting `git show :path`.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2341988ebd
`awk` was not among the dependencies checked at the top of the script (only
`git` and `grep` are), and `awk '{print $1}'` over the multi-stage output of an
unmerged index yields multiple lines, so `[ "..." = 160000 ]` would miss the
gitlink and re-introduce the fail-closed abort. Match the mode per-line with the
already-required `grep` instead.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
`git diff --cached` feeds repo-root-relative paths and `git show :path` resolves them from the repo root, but `git ls-files --stage -- "$path"` resolved the pathspec relative to CWD. Run from a subdirectory, the lookup returned no mode, the gitlink was not skipped, and `git show :config` exited 3 again — the very failure this guard removes. Run the lookup with `-C "$repo_root"`, matching the worktree/tracked-modified modes.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Problem
The shared pre-commit hook runs `secret-scan.sh staged`, which loops over every staged path and runs `git show :<path>` to materialize and scan its content. When a submodule pin is staged, that path is a gitlink (mode 160000) in the index — a commit SHA, not a file blob — so `git show :<path>` fails. Because the scanner is deliberately fail-closed, an unreadable "blob" makes it abort:
…which blocks the commit entirely.
Why it surfaced now
It only bites when a submodule pin changes and gets staged. In gcloud-jvm, the SessionStart config-float moved the `config` pin (904c1603 → a95c42a9), and IntelliJ's `git add -A` staged that pin change. It would recur in any Spine repo whenever a submodule pin is committed.
Fix
Skip gitlinks before the blob read in the `staged` loop: `git ls-files --stage` reads the mode from the index, so it works even though the submodule's commit object isn't present in the superproject. Genuine blobs still take the fail-closed path unchanged — a gitlink can't carry a secret, so skipping it is safe.
Verification
`bash -n` parses clean.
0 (was exit 3 before the fix).
2: real blobs are still scanned, so the skip doesn't open a hole.
🤖 Generated with Claude Code
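To make the two review points concrete (match the mode per line with `grep` rather than comparing `awk '{print $1}'` output as one string, and root the index lookup at the repo root with `-C`), here is an added example in POSIX sh. It is not the project's `secret-scan.sh`; the function names `classify_index_entries`, `naive_is_gitlink` and `is_staged_gitlink` are hypothetical, and the index entries and object names are constructed.

```shell
#!/bin/sh
# Added example, not the PR's secret-scan.sh: classify one staged path from
# the index entries that `git ls-files --stage -- "$path"` prints for it.
# Entry format, one line per index stage:
#   <mode> <object-name> <stage>\t<path>
# A submodule gitlink has mode 160000. An unmerged path emits up to three
# lines (stages 1-3), so the mode has to be matched per line.

# classify_index_entries: read ls-files --stage lines on stdin and print
# "gitlink" if any entry has mode 160000, "blob" if entries exist but none
# is a gitlink, or "missing" if nothing is staged under that path.
classify_index_entries() {
    entries=$(cat)
    if [ -z "$entries" ]; then
        echo missing
    elif printf '%s\n' "$entries" | grep -q '^160000 '; then
        echo gitlink
    else
        echo blob
    fi
}

# naive_is_gitlink: the comparison the commit message warns against. With a
# single entry it works; with multi-stage output awk emits several lines and
# the string comparison fails, so the gitlink would not be skipped.
naive_is_gitlink() {
    [ "$(awk '{print $1}')" = 160000 ]
}

# is_staged_gitlink: hypothetical helper for the staged loop. $1 is the repo
# root, $2 a repo-root-relative path as printed by `git diff --cached`. The
# -C keeps the pathspec rooted correctly when the hook runs from a subdir.
is_staged_gitlink() {
    [ "$(git -C "$1" ls-files --stage -- "$2" | classify_index_entries)" = gitlink ]
}

# Constructed sample index entries; the object names are made up.
SINGLE_GITLINK=$(printf '160000 %s 0\tconfig' 1111111111111111111111111111111111111111)
MULTI_STAGE_GITLINK=$(printf '160000 %s 1\tconfig\n160000 %s 2\tconfig\n160000 %s 3\tconfig' \
    1111111111111111111111111111111111111111 \
    2222222222222222222222222222222222222222 \
    3333333333333333333333333333333333333333)
PLAIN_BLOB=$(printf '100644 %s 0\tREADME.md' 4444444444444444444444444444444444444444)

# In a staged loop the check would read:
#   if is_staged_gitlink "$repo_root" "$path"; then continue; fi
printf '%s\n' "$SINGLE_GITLINK"      | classify_index_entries   # gitlink
printf '%s\n' "$MULTI_STAGE_GITLINK" | classify_index_entries   # gitlink
printf '%s\n' "$PLAIN_BLOB"          | classify_index_entries   # blob
```

`grep` is already a checked dependency of the script, which is why the per-line match uses it; `classify_index_entries` only decides skip-versus-read, so a real blob still goes through the unchanged fail-closed `git show :path` read.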