From 796c6ced28ac14c4d5cb891fb9e0293d9f30f3dd Mon Sep 17 00:00:00 2001
From: user
Date: Sun, 15 Feb 2026 00:14:05 +0100
Subject: [PATCH] fix: Exclude known NVS key names from secret detection

The strings check was matching 'auth_secret' (NVS key) and 'secret=%s' (printf format) as false positives. Filter out known firmware patterns.
---
 .gitea/workflows/lint.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
index c119440..4b115fe 100644
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -73,7 +73,8 @@ jobs:
         CFG="get-started/csi_recv_router/sdkconfig"
 
         echo "=== Checking for hardcoded secrets ==="
-        if strings "$BIN" | grep -iqE '(password|secret|api_key|apikey)=[^$]'; then
+        if strings "$BIN" | grep -iE '(password|secret|api_key|apikey)=' \
+          | grep -ivE '(auth_secret|secret=%s|secret=\$)'; then
           echo "::error::Potential hardcoded secret found in binary"
           exit 1
         fi
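Review bot: The `grep -ivE` on the second added line discards any whole strings-output line that merely contains `auth_secret`, `secret=%s` or `secret=$`, so a literal that carries a real value next to one of those tokens is dropped as well, and the allowlist is asymmetric: `password=%s` and `api_key=%s` format strings are still flagged while only the `secret` forms are excluded, which is a regression from the old `[^$]` guard that applied to every keyword. Anchoring the exclusion to the value position for all keywords keeps the original intent, e.g. `| grep -ivE '(password|secret|api_key|apikey)=(%s|\$|$)'`, with a separate `| grep -ivx 'auth_secret'` if the bare NVS key name must also be ignored. Note also that dropping `-q` means any surviving match is now printed verbatim into the job log, so a genuinely embedded credential would be copied into CI output; piping the final stage through `grep -q .` (or redirecting it) keeps the pass/fail signal without echoing the value. The enclosing `run:` script starts before this hunk.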