
Aritomo Fukuda

Posted on • Originally published at Medium

I Added One Pre-Commit Hook. It Found Six Hidden Failures.

Yesterday I told myself: "Just 30 minutes. Add gitleaks as a pre-commit hook across all four projects so I never leak a secret again."

Six hours later, I had four merged PRs, four updated production CIs, two new memory notes, one deleted workflow file, and a much smaller ego.

Here's what the hook actually exposed.

1. OriginBrief was using pnpm. The CI was running npm install.

The first project went smoothly until Vercel's preview deploy failed with ERR_PNPM_OUTDATED_LOCKFILE. Turns out my CI had been quietly running the wrong package manager for who knows how long. It worked because the lockfile happened to be compatible — until I added one new dependency.

The fix took five commits. The lesson took one minute.

2. StandupFlow's README had merge conflict markers from day 1.

<<<<<<< HEAD. Right there at line 1. For 35 days.

It got merged on March 28 with the conflict markers still in the file. The commit was titled "feat: initial project setup Phase 1&2." I never opened the README again after that.

GitHub had been rendering broken Markdown to anyone who visited the repo for over a month, and I was too busy adding features to notice the front door was missing.

(Mercifully, the repo is private — so the broken front door was only on display to me. Small relief, given everything else this hook uncovered.)

3. QuietLog had zero GitHub Actions Secrets.

$ gh secret list
no secrets found

Zero. Not "wrong values." Not "expired." Zero rows in the table.

The Build job in CI had been failing for months — but it was hidden behind an even older Security Audit failure, so the secret-related error never surfaced. One stack of failures was masking another.

4. QuietLog's Stripe publishable key was empty in Vercel.

After fixing the secrets, I ran vercel env pull to copy the values from production. The Stripe key came back as exactly two characters: "".

QuietLog hasn't launched yet. Every plan on the pricing page reads "Coming Soon," and the path to Checkout is intentionally disabled. So right now, in this exact moment, the empty publishable key hurts nobody — until the day I flip "Coming Soon" to "Subscribe."

On launch day, the first user to click that button would have sent an empty string to Stripe and bounced back with a 500. Probably the most enthusiastic user, first.

Zero users isn't a safety net. Zero users is just a blindfold over the bug.

5. A redundant deploy.yml had been failing forever.

A separate Deploy workflow tried to push to Vercel using VERCEL_TOKEN — which was also never set. But Vercel's Git Integration had been auto-deploying on every push the entire time, so the project was live and updating despite a broken workflow that nobody read.

I deleted the file. The site kept deploying. It had been pure noise.

6. The long-running CI Security Audit was hiding a real RCE.

Once I cleaned up the rest, the actual npm audit finally ran. It pointed at serialize-javascript — a transitive dependency through @ducanh2912/next-pwa → workbox-build → @rollup/plugin-terser — with a known RCE.

The fix was an npm overrides block, not a major upgrade. Five minutes of typing.

But it had been sitting there, unreachable, for as long as the first failure had been hiding it.


What the hook actually did

I didn't add security on May 2. I added a hook that forced every other failure to surface.

If your CI is red, you stop reading the log. If your CI has been red for months, you stop opening the page. If you stop opening the page, every new failure piles on top of the last one, invisible.

The pre-commit hook didn't fix the leaks. It made me actually look at the dashboard.
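A hook of the kind the post describes, as an added example that is not the author's own script: a POSIX sh pre-commit hook that runs gitleaks on the staged changes and also refuses any commit carrying the conflict markers from finding #2, so that kind of README never gets merged. It assumes the script is installed as .git/hooks/pre-commit and that gitleaks 8.x (with its `protect --staged` subcommand) is on PATH.

```shell
#!/bin/sh
# Added example, not the post's own hook. Assumed layout: saved as
# .git/hooks/pre-commit and made executable; gitleaks is assumed on PATH.

# Return 0 if FILE contains a merge-conflict marker, 1 otherwise.
# Only the unambiguous "<<<<<<< " and ">>>>>>> " lines are matched; a bare
# "=======" line is skipped because it is also a valid Markdown heading underline.
has_conflict_markers() {
    grep -q -E '^(<<<<<<<|>>>>>>>)( |$)' "$1"
}

# Return 0 when no staged file contains markers, 1 otherwise (lists offenders).
check_staged_for_conflicts() {
    offenders=$(git diff --cached --name-only --diff-filter=ACM |
        while IFS= read -r f; do
            [ -f "$f" ] && has_conflict_markers "$f" && printf '%s\n' "$f"
        done)
    [ -z "$offenders" ] && return 0
    echo "$offenders" | sed 's/^/pre-commit: merge conflict marker in /' >&2
    return 1
}

# Scan only the staged hunks for secrets; non-zero exit blocks the commit.
# Refusing when the scanner is missing keeps an unscanned commit from slipping in.
check_staged_for_secrets() {
    if ! command -v gitleaks >/dev/null 2>&1; then
        echo "pre-commit: gitleaks not installed; refusing to commit unscanned" >&2
        return 1
    fi
    gitleaks protect --staged --redact
}

main() {
    check_staged_for_conflicts || exit 1
    check_staged_for_secrets || exit 1
}

# Git runs the hook as .git/hooks/pre-commit; only then run main, so the
# functions can also be sourced on their own.
case "$0" in
    */hooks/pre-commit) main "$@" ;;
esac
```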

The lesson, written down so I don't forget:

Your CI is the canary. If it's been screaming for months and you've stopped hearing it, you don't have a CI — you have noise.

The 30-minute task taking 6 hours wasn't the bug. The bug was thinking it should have only taken 30 minutes.


Building four small SaaS products as a solo dev. Writing what I learn, including the parts that make me wince.
The one that's actually launched: OriginBrief — you think, we search. Continuous AI research reports on the themes you choose.
