Merge pull request #783 from kachick/bot-update-flake-lock

Bump flake.lock and related dependencies - including gitleaks v8.18.3 added false positive with the `facebook-page-access-token`

.github/workflows/gitleaks.yml

@@ -12,3 +12,11 @@ jobs:
       - uses: gitleaks/gitleaks-action@44c470ffc35caa8b1eb3e8012ca53c2f9bea4eb5 # v2.3.6
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Without this env uses hardcoded old version.
+          # https://github.com/gitleaks/gitleaks-action/blob/2ec8b9f617b48c888d0653fb5925820e0de9c674/README.md?plain=1#L59C4-L59C20
+          GITLEAKS_VERSION: 'latest'
+          # action README says it will respect `gitleaks.toml`, however ths CLI respects only `.gitleaks.toml`
+          # I don't know which is correct or just a typo, so clarifying the path here
+          # https://github.com/gitleaks/gitleaks/blob/e93a7c0d2604fd1bcc43ac9cac6144a62387a8a4/cmd/root.go#L33C18-L33C27
+          # https://github.com/gitleaks/gitleaks-action/blob/2ec8b9f617b48c888d0653fb5925820e0de9c674/README.md?plain=1#L56
+          GITLEAKS_CONFIG: '.gitleaks.toml'

.gitleaks.toml

@@ -0,0 +1,14 @@
+[extend]
+# useDefault will extend the base configuration with the default gitleaks config:
+# https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml
+useDefault = true
+
+[allowlist]
+stopwords = [
+  # This pattern was detected in `facebook-page-access-token`, but I believe this is a false positive.
+  # See GH-783 for detail
+  # https://github.com/kachick/dotfiles/pull/783#issuecomment-2345176253
+  # https://gist.github.com/cocopon/a04be63f5e0856daa594702299c13160#file-iceberg-terminal-L170
+  # https://github.com/gitleaks/gitleaks/pull/1372
+  '''EAAC2z2Rlc2MAAAAAAAAAFklFQyBodHRwOi8vd3d3LmllYy5j''',
+]