From e1c0702d3c4b9fa2359ecf01bfb3895cc213d1a9 Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Fri, 6 Mar 2026 08:28:28 -0800
Subject: [PATCH] v1.86.0

---
 .github/workflows/ci.yml                      |  3 +++
 AGENTS.md                                     |  6 +----
 Makefile                                      | 22 +++++++++----------
 .../kingfisher-rules/data/rules/branchio.yml  |  2 +-
 4 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c557cf8..ca9d663 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 env:
   VCPKG_ROOT: C:\vcpkg
   VCPKG_DOWNLOADS: C:\vcpkg\downloads
diff --git a/AGENTS.md b/AGENTS.md
index 8342684..ed8a73b 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -18,10 +18,6 @@ Key capabilities:
 - Applies to the entire repository rooted at this file.
 - If a deeper `AGENTS.md` exists in a subdirectory, that file takes precedence for its subtree.
 
-## Project Overview
-- Project: `kingfisher` (Rust)
-- Purpose: secret detection, live validation, and remediation tooling
-- Primary binary: `kingfisher`
 
 ## Repository Structure
 - `src/`: main binary source
@@ -102,7 +98,7 @@ Key capabilities:
 Use this when creating or updating rules in `crates/kingfisher-rules/data/rules/`.
 
 1. Pick a nearby reference rule file in the same provider family and copy its structure.
-2. Define a stable rule id (`id`, prefixed with `kingisher.` and detection regex (`pattern`) under `rules:`.
+2. Define a stable rule id (`id`, prefixed with `kingfisher.` and detection regex (`pattern`) under `rules:`.
 3. Include `examples` that must match. These can be tested with `cargo test check_rules` or `kingfisher rules check --rules-path crates/kingfisher-rules/data/rules/slack.yml --load-builtins=false --no-update-check`
 4. Set guardrails:
    - `min_entropy` for high-entropy tokens.
diff --git a/Makefile b/Makefile
index a82c94e..39e8a5f 100644
--- a/Makefile
+++ b/Makefile
@@ -421,18 +421,16 @@ endif
 	      export PATH=/clangarm64/bin:$$PATH; \
 	      ;; \
 	  esac; \
-	  command -v mingw32-make >/dev/null 2>&1 || { \
-	    echo "Installing ARM64 MinGW/clang dependencies..."; \
-	    pacman --noconfirm --needed -S \
-	      mingw-w64-clang-aarch64-toolchain \
-	      mingw-w64-clang-aarch64-cmake \
-	      mingw-w64-clang-aarch64-boost \
-	      mingw-w64-clang-aarch64-pkgconf \
-	      mingw-w64-clang-aarch64-ragel \
-	      mingw-w64-clang-aarch64-pcre2 \
-	      mingw-w64-clang-aarch64-python \
-	      git make; \
-	  }; \
+	  echo "Ensuring ARM64 MinGW/clang dependencies are installed..."; \
+	  pacman --noconfirm --needed -S \
+	    mingw-w64-clang-aarch64-toolchain \
+	    mingw-w64-clang-aarch64-cmake \
+	    mingw-w64-clang-aarch64-boost \
+	    mingw-w64-clang-aarch64-pkgconf \
+	    mingw-w64-clang-aarch64-ragel \
+	    mingw-w64-clang-aarch64-pcre2 \
+	    mingw-w64-clang-aarch64-python \
+	    git make; \
 	  repo_root="$$(pwd)"; \
 	  test -d /tmp/vectorscan-arm64 || git clone --depth 1 --branch vectorscan/5.4.11 https://github.com/VectorCamp/vectorscan.git /tmp/vectorscan-arm64; \
 	  mkdir -p /tmp/vectorscan-arm64/build; \
diff --git a/crates/kingfisher-rules/data/rules/branchio.yml b/crates/kingfisher-rules/data/rules/branchio.yml
index 37319be..d74e631 100644
--- a/crates/kingfisher-rules/data/rules/branchio.yml
+++ b/crates/kingfisher-rules/data/rules/branchio.yml
@@ -55,7 +55,7 @@ rules:
       (?:BRANCH_SECRET|branch_secret|BRANCH_KEY_SECRET)
       \s* [=:] \s* ["']?
       (
-        (?P<BRANCH_SECRET>[A-Za-z0-9]{40,64})
+        ([A-Za-z0-9]{40,64})
       )
       ["']?
     confidence: medium