diff --git a/README.md b/README.md index 73cba95..d77c6c2 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ inherit configs and policies via the mechanisms below. | Biome config | Each repo carries a copy of `biome.jsonc` scaffolded from this repo; Renovate keeps it in sync | | markdownlint config | Each repo carries a copy of `.markdownlint-cli2.yaml` from this repo; sync TBD (manual for now) | | Pre-commit hooks (shared) | `precommit/` — Nix flake import or static YAML copy; see [`precommit/README.md`](precommit/README.md) | +| Default `.gitignore` | Each repo appends `configs/gitignore` into its `.gitignore` at scaffold; secrets + AI-local-state baseline; sync TBD (manual for now) | | AI assistant policy | `CLAUDE.md` — read by Claude Code on every session | ## Usage @@ -34,6 +35,8 @@ For a new TS-based dryvist repo, copy the canonical configs from this repo: gh api repos/dryvist/.github/contents/biome.jsonc -H "Accept: application/vnd.github.raw" > biome.jsonc gh api repos/dryvist/.github/contents/.markdownlint-cli2.yaml -H "Accept: application/vnd.github.raw" > .markdownlint-cli2.yaml gh api repos/dryvist/.github/contents/renovate.json -H "Accept: application/vnd.github.raw" > renovate.json +# Default .gitignore baseline (secrets + AI local state) — append, then de-dupe: +gh api repos/dryvist/.github/contents/configs/gitignore -H "Accept: application/vnd.github.raw" >> .gitignore ``` If the repo is a Cribl pack, scaffold from 
@@ -105,6 +108,7 @@ This repo exposes the following inheritance surfaces: | `zizmor.yml` | Org-wide zizmor workflow-security policy (referenced by the pre-commit `zizmor` hook) | | `.github/workflows/_*.yml` | Reusable CI workflows, consumed via `uses: dryvist/.github/.github/workflows/@main` | | `configs/` | Shared configs the reusable workflows fetch at runtime (e.g. `_markdown-lint`'s org-default fallback) | +| `configs/gitignore` | Org-default `.gitignore` baseline (secrets, credentials, TF state, AI-assistant local state); appended per repo at scaffold | | `scripts/` | Shell helpers the reusable workflows sparse-checkout (`ci-gate-watchdog.sh`, `run-pip-audit.sh`) | | `osv-scanner.toml` | Org-wide OSV ignore list inherited via `_osv-scan.yml` (a repo-local copy takes precedence) | | `SECURITY.md` | Org-wide vulnerability reporting policy (auto-applied to every dryvist repo's Security tab) | diff --git a/configs/gitignore b/configs/gitignore new file mode 100644 index 0000000..870fcd9 --- /dev/null +++ b/configs/gitignore 
@@ -0,0 +1,153 @@ +# dryvist org-default .gitignore +# +# Canonical baseline focused on NEVER committing secrets, credentials, or +# AI-assistant local/machine state. Copy into a repo's `.gitignore` at scaffold: +# +# gh api repos/dryvist/.github/contents/configs/gitignore \ +# -H "Accept: application/vnd.github.raw" >> .gitignore +# +# Append (>>) rather than overwrite so repo-specific entries are preserved, +# then de-dupe. This file is the org default; repos may add to it, but the +# secret/AI sections below should never be removed. +# +# CARVE-OUTS (intentionally NOT ignored — do not "fix"): +# - `.envrc` committed by convention (direnv `use flake`; the +# SOPS_AGE_KEY_FILE path is not a secret). +# - `*.sops.yaml/.yml` SOPS-encrypted values are ciphertext — safe to commit. +# - `.terraform.lock.hcl` the provider lock IS committed. +# - `.claude/settings.json`, `.claude/rules/`, committed skills/agents, +# `CLAUDE.md`, `AGENTS.md` project AI config — committed on purpose. + +# ── OS / editor cruft ─────────────────────────────────────────────── +.DS_Store +Thumbs.db +*.swp +*.swo +*~ +.idea/ +.vscode/ + +# ── direnv / Nix local state ──────────────────────────────────────── +.direnv/ +.envrc.local +.envrc.cache +result +result-* + +# ── Language caches ───────────────────────────────────────────────── +__pycache__/ +*.py[cod] +.venv/ +venv/ +.pytest_cache/ +.mypy_cache/ +.ruff_cache/ +node_modules/ + +# ── Logs / temp ───────────────────────────────────────────────────── +*.log +*.tmp +*.bak + +# ════════════════════════════════════════════════════════════════════ +# SECRETS & CREDENTIALS — never commit +# ════════════════════════════════════════════════════════════════════ + +# Environment files (keep committed examples) +.env +.env.* +.env.local +.env.*.local +!.env.example +!.env.*.example + +# Private keys & certificates +*.pem +*.key +*.p12 +*.pfx +*.ppk +id_rsa +id_rsa* +id_ed25519 +id_ed25519* +# Public keys are safe to commit — re-include them +!*.pub + 
+# SOPS / age private keys (NOTE: *.sops.* ciphertext is safe and stays committed) +*.age +keys.txt + +# Ansible Vault +*.vault +vault.yml +vault.yaml +.vault_pass +.vault_password +.vault-pass* +.vault-password* + +# Generic secret material +secrets.yml +secrets.yaml +*.secrets.yml +*.secrets.yaml +secrets.dec.yaml +secrets.plain.yaml +*credentials* +aws-credentials +SECRETS_SETUP.md + +# Cloud provider credentials +.aws/ +.azure/ +gcloud-credentials.json +kubeconfig +*.kubeconfig + +# Doppler secrets fallback cache (encrypted snapshot of the WHOLE config) + setup +doppler.json +.doppler/ +.doppler.yaml + +# ── Terraform / OpenTofu (state & tfvars are secret-bearing) ───────── +# NOTE: .terraform.lock.hcl is committed — it is intentionally absent here. +.terraform/ +.terraformrc +*.tfstate +*.tfstate.* +*.tfstate.backup +*.tfplan +crash.log +crash.*.log +terragrunt-debug.tfvars.json +*.tfvars +*.tfvars.json +!*.tfvars.example + +# ════════════════════════════════════════════════════════════════════ +# AI ASSISTANT — local/machine state & per-user instruction files +# (committed project config above is intentionally NOT ignored) +# ════════════════════════════════════════════════════════════════════ + +# Claude Code machine-local state +.claude/settings.local.json +.claude/.credentials.json +.claude/projects/ +.claude/shell-snapshots/ +.claude/statsig/ +.claude/todos/ +.claude/local/ +.claude/worktrees/ +.claude-wt/ +.claude/skills/retrospecting/reports/ + +# Per-user (never-committed) instruction overlays — symlinked per machine +CLAUDE.local.md +.CLAUDE.local.md +GEMINI.local.md +AGENTS.local.md + +# Other AI tools' local history / caches +.aider* +.specstory/
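Review bot: in the README table hunk (`@@ -20,6 +20,7 @@`), the new `Default .gitignore` row calls the file a "secrets + AI-local-state baseline" without saying that a `.gitignore` is a convenience default, not a control: it does not untrack anything already committed, and `git add -f` walks straight past it. Since the same table already has a `Pre-commit hooks (shared)` row pointing at `precommit/`, the row should say that the enforcing layer is a secret-scanning hook there and that this file only reduces accidental `git add .` exposure; something like "secrets + AI-local-state baseline (advisory; pair with a secret-scanning pre-commit hook)" keeps readers from treating the list as sufficient.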
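Review bot: in the Usage hunk (`@@ -34,6 +35,8 @@`) the comment promises "append, then de-dupe" but the only command is `gh api ... >> .gitignore`, so a second run (or a repo that already carries part of the baseline) ends up with duplicated entries and nobody is told how to de-dupe. Because the file relies on ordering (`!*.pub` must stay after `*.key` and `id_rsa*`, `!.env.example` after `.env.*`, `!*.tfvars.example` after `*.tfvars`), the de-dupe step must preserve order, so `sort -u` is wrong here; an order-preserving one-liner such as `awk '!seen[$0]++' .gitignore > .gitignore.tmp && mv .gitignore.tmp .gitignore` belongs on the line after the append, and the comment should say that blank lines and section headers will also be collapsed by it unless they are excluded.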
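Review bot: in the inheritance-surfaces hunk (`@@ -105,6 +108,7 @@`) the parent `configs/` row still reads "Shared configs the reusable workflows fetch at runtime", while the new `configs/gitignore` row directly beneath it says the file is "appended per repo at scaffold" and is never fetched by a workflow, so the two rows now contradict each other. Reword the parent row to cover both uses, e.g. "Shared configs, either fetched by the reusable workflows at runtime (`_markdown-lint`'s org-default fallback) or copied into repos at scaffold", so a reader does not go looking for a workflow that consumes `configs/gitignore`.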
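Review bot: in the new `configs/gitignore` hunk, two groups of patterns contradict the file's own carve-out rule that ciphertext is safe to commit: `*.age` under "SOPS / age private keys" ignores the conventional extension for age-encrypted output (e.g. `secret.txt.age`, agenix `secrets/*.age`), while an age identity file is normally `keys.txt` or `key.txt`, and `keys.txt` is already listed; likewise `*.vault`, `vault.yml` and `vault.yaml` under "Ansible Vault" ignore files that are encrypted at rest and are normally committed, whereas the real secret, the password file, is already covered by `.vault_pass`, `.vault_password`, `.vault-pass*` and `.vault-password*`. Either drop `*.age` and the three vault-file patterns or add a comment explaining why these ciphertext formats are treated differently from `*.sops.yaml`. Separately, `*credentials*` in the "Generic secret material" block is broad enough to silently ignore source and docs such as `credentials.go`, `CredentialsProvider.ts` or `credentials-rotation.md`, which is exactly the kind of quiet omission a reviewer will not notice until a file is "missing" from a PR; narrow it to concrete names (`credentials.json`, `*.credentials`, `*-credentials.yaml`) and keep `aws-credentials` as is. Minor: `*.tfstate.*` already matches `*.tfstate.backup`, so that line is redundant, and the header's promise that the secret/AI sections "should never be removed" has no check behind it while sync is "TBD (manual for now)"; a pre-commit hook in `precommit/` that asserts the baseline's marker comment is present would make that promise enforceable.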