This project uses test data from bank statements to validate parsing and anonymisation functionality. We maintain strict security practices to protect user data and prevent accidental commits of sensitive information.
This repository uses two types of test PDFs:
-
Synthetic PDFs (safe to commit)
- Generated programmatically with fake data
- No real customer information
- Located in
tests/fixtures/pdfs/synthetic/ - Used in public CI/CD workflows
- Fast and deterministic
-
Anonymised PDFs (private, fetched during CI)
- Real bank statements with sensitive information removed
- Stored in private repo (
bank-statement-data) - Fetched automatically during CI testing (if SSH key available)
- Never committed to public repositories
- Automatically cleaned up after tests
- Provides real-world format validation
❌ Never commit:
- Unanonymised PDFs (with real customer names, account numbers, etc.)
- PDFs with identifiable information
- PDFs from
tests/fixtures/pdfs/good/orpdfs/bad/in public repos - Files from private
bank-statement-datarepository
✅ Safe to commit:
- Synthetic PDFs in
tests/fixtures/pdfs/synthetic/ - Test code and configuration
- Documentation
This repository includes protective measures:
-
.gitignorerules:# Block all PDFs by default *.pdf # Exception: Allow synthetic PDFs only !tests/fixtures/pdfs/synthetic/ !tests/fixtures/pdfs/synthetic/**/*.pdf
-
CI Cleanup:
- Anonymised PDFs are fetched to temporary locations (
/tmp) - Automatically cleaned up after tests complete
- Never persisted in checked-out code
- Anonymised PDFs are fetched to temporary locations (
-
Git Protection:
- Pre-commit hooks can be configured to block PDF commits
- Repository administrators review all contributions
This project uses GitHub Secrets for sensitive configuration:
SSH_PRIVATE_KEY_TEST_DATA- SSH key for cloning privatebank-statement-datarepo (CI only)- Auto-masked in logs
- Automatically deleted after use
- Only available to administrators
✅ Do:
- Use GitHub Secrets for sensitive configuration
- Rotate credentials regularly
- Review CI/CD logs for accidental exposure
❌ Never:
- Hardcode credentials in source code
- Commit
.envfiles with secrets - Share SSH private keys
- Include tokens in repository URLs
During CI testing, the workflow optionally fetches anonymised PDFs from the private repo:
- Conditional fetch: Only runs if
SSH_PRIVATE_KEY_TEST_DATAsecret is configured - Graceful fallback: Tests continue with synthetic PDFs if fetch fails
- Automatic cleanup: PDFs are deleted after tests complete
- Private logs: GitHub Actions logs are visible only to administrators
Example workflow step:
- name: Fetch anonymised PDFs for testing (graceful fallback)
continue-on-error: true
if: secrets.SSH_PRIVATE_KEY_TEST_DATA != ''
run: |
# Clone with temporary SSH key
git clone --depth 1 --filter=blob:none --sparse \
git@github.com:boscorat/bank-statement-data.git /tmp/test_pdfs
# Copy to tests/fixtures/pdfs
cp -r /tmp/test_pdfs/pdfs/* tests/fixtures/pdfs/
# Cleanup
rm -rf /tmp/test_pdfs /root/.ssh/bank_statement_deploy_key
- name: Clean up anonymised PDFs after tests (security)
if: always()
run: |
# Remove anonymised PDFs to prevent accidental commits
rm -rf tests/fixtures/pdfs/good tests/fixtures/pdfs/badGitHub Actions logs are private and visible only to repository administrators. To audit logs for security:
- Go to Actions → Select workflow run → View logs
- Check for:
- ❌ Unmasked SSH keys (should see
***) - ❌ Exposed file paths or repository URLs
- ❌ Error messages revealing sensitive data
- ❌ Unmasked SSH keys (should see
If you have access to the private bank-statement-data repository:
-
Setup local testing (optional, for contributors with access):
git clone git@github.com:boscorat/bank-statement-data.git ../bank-statement-data ln -s ../bank-statement-data/pdfs/good tests/fixtures/pdfs/anonymised_good ln -s ../bank-statement-data/pdfs/bad tests/fixtures/pdfs/anonymised_bad
-
Run tests:
# Full suite (integration tests now run with anonymised PDFs) uv run python scripts/test_runner.py all # Unit tests only (no PDFs needed) uv run python scripts/test_runner.py unit
-
Results are private - Don't commit the cloned PDFs or symlinks
If you discover parsing issues with real bank statements:
- Anonymise the statement using guidelines from private repo
- Submit via GitHub Issue with anonymised attachment
- Or create a PR to the private repo with anonymised PDF
- Project maintainers will verify and add to test suite
See the private repo's ANONYMISATION_CHECKLIST.md for anonymisation guidelines.
-
Do not push if you haven't pushed yet
-
Amend the commit:
# Remove the sensitive file git rm --cached <sensitive_file> echo "<sensitive_file>" >> .gitignore git add .gitignore git commit --amend --no-edit
-
If already pushed:
- Contact repository maintainers immediately
- Use
BFGorgit-filter-repoto remove from history - Force push is required (uses
--force)
-
For leaked credentials:
- Revoke immediately
- Rotate secrets
- Notify all maintainers
- Test data questions → See
TESTING.md - PDF anonymisation → See private repo:
bank-statement-data/ANONYMISATION_CHECKLIST.md - Security concerns → Contact maintainers directly (not via Issues)
- General contribution → See
CONTRIBUTING.md
✅ Safe practices:
- Use synthetic PDFs for testing
.gitignoreprotects against accidental commits- CI automatically cleans up anonymised PDFs
- GitHub Secrets protect credentials
❌ Never:
- Commit unanonymised PDFs
- Hardcode credentials
- Skip anonymisation when submitting real data
- Share SSH keys
🛡️ Security-first approach:
- Multi-layer protection (
.gitignore+ CI cleanup + pre-commit checks) - Audit trail and transparency
- Private repo for sensitive data
- Graceful fallback to synthetic PDFs