Started by GitHub push by ti-chi-bot[bot]Started by GitHub push by ti-chi-bot[bot]00169671696742960429601.022247222470652075278527816420ab9f0dffb6e3d52a2fe89bdb003d4ce810256c40ab9f0dffb6e3d52a2fe89bdb003d4ce810256c4origin/main0ab9f0dffb6e3d52a2fe89bdb003d4ce810256c40ab9f0dffb6e3d52a2fe89bdb003d4ce810256c4origin/main0ab9f0dffb6e3d52a2fe89bdb003d4ce810256c40ab9f0dffb6e3d52a2fe89bdb003d4ce810256c4origin/mainhttps://github.com/PingCAP-QE/ci.githttps://do.pingcap.net/jenkins/blue/organizations/jenkins/seed/detail/seed/1642/artifactshttps://do.pingcap.net/jenkins/blue/organizations/jenkins/seed/detail/seed/1642/changeshttps://do.pingcap.net/jenkins/blue/organizations/jenkins/seed/detail/seed/1642/https://do.pingcap.net/jenkins/blue/organizations/jenkins/seed/detail/seed/1642/testsfalse#16424296043847seed #16421642falsefalse16423672703SUCCESS1776819896735https://do.pingcap.net/jenkins/job/seed/1642/default-mnw4x- .ci/verify-secret-scan.shprow-jobs/pingcap-qe/ci/presubmits.yaml.ci/verify-jenkins-credential-policy.shdocs/guides/CI.md0ab9f0dffb6e3d52a2fe89bdb003d4ce810256c41776819870000https://do.pingcap.net/jenkins/user/noreplynoreplynoreply@github.comci(prow): focus secret gate on Jenkins credential misuse risks (#4541)
## Summary
- narrow `pull-verify-secret-scan` trigger scope to Jenkins
credential-risk files only (`pipelines/jobs/libraries/prow-jobs`)
- switch gitleaks from whole-repo scan to incremental commit-range scan
(`PULL_BASE_SHA..PULL_PULL_SHA`)
- add `.ci/verify-jenkins-credential-policy.sh` to block high-risk
credential misuse patterns in changed Groovy/YAML files
## Why
Continue FLA-109 remaining scope based on Architect TDS v1.1: focus on
credential misuse/abuse risk in Jenkins task surface and reduce
duplicated broad scanning.
## Test
- `bash -n .ci/verify-secret-scan.sh`
- `bash -n .ci/verify-jenkins-credential-policy.sh`
- `PULL_BASE_SHA=$(git merge-base HEAD origin/main) PULL_PULL_SHA=HEAD
.ci/verify-jenkins-credential-policy.sh`
2026-04-22 01:04:30 +00000ab9f0dffb6e3d52a2fe89bdb003d4ce810256c4ci(prow): focus secret gate on Jenkins credential misuse risks (#4541)add.ci/verify-jenkins-credential-policy.sheditprow-jobs/pingcap-qe/ci/presubmits.yamleditdocs/guides/CI.mdedit.ci/verify-secret-scan.sh
githttps://do.pingcap.net/jenkins/user/noreplynoreplynoreply