ci: scope brand-leak lint to source dirs only

Lint flagged false positives on audit reports + CHANGELOG that
self-reference forbidden strings as findings. Restrict scan to
kickstart/, overlay/, scripts/, assets/, build/ — actual ship state.

.github/workflows/lint.yml

@@ -34,27 +34,26 @@ jobs:
       - name: Grep for leaks
         run: |
           set -e
-          # Allow audit greps that explicitly check for the patterns
+          # Scope: ship-state source dirs only. Audit reports, CHANGELOG,
+          # PR templates, test checklists, and the lint workflow itself
+          # legitimately quote the forbidden strings as findings/examples
+          # — they don't ship in the ISO, so they're out of scope.
           MATCHES=$(grep -rIni \
             -e 'onyx' \
             -e '192\.168\.0\.' \
             -e 'fedora\.local' \
             -e 'xynki\.dev' \
-            --exclude-dir=.git \
+            kickstart/ overlay/ scripts/ assets/ build/ \
-            --exclude='*.md' \
+            || true)
-            . || true)
 
-          # Filter out self-referencing leak-detection grep patterns + audit text.
+          # Filter self-referencing sanity-grep lines: the kickstart and
-          # Lines that contain the bash escaped grep pattern (onyx\|192\.168) are
+          # post-install scripts run their own brand-leak scan against the
-          # the leak detectors themselves, not leaks.
+          # installed /etc — those grep invocations literally contain the
+          # forbidden strings as patterns, not as leaked data.
           LEAKS=$(echo "$MATCHES" | grep -v \
-            -e 'should not contain' \
+            -e "grep .*'onyx" \
-            -e 'returns zero' \
+            -e '# Sanity:' \
-            -e 'audit grep' \
+            -e 'brand leak' \
-            -e "'onyx\\\\\\\\\\\\|" \
-            -e 'onyx\\|' \
-            -e "name:.*onyx leaks" \
-            -e "-e 'onyx'" \
             || true)
 
           if [[ -n "$LEAKS" ]]; then