Postmortem: How a GitHub Advanced Security 2026 Bug Failed to Detect a Hardcoded API Key in Our React 19 App

On October 12, 2026, our engineering team discovered a hardcoded Stripe API key in the production build of our React 19 customer dashboard app. Worse, GitHub Advanced Security (GHAS) had run its full secret scanning suite on every commit to the main branch for 6 months, never flagging the exposed credential. This postmortem breaks down the root cause of the GHAS 2026 bug, the impact of the exposure, and the steps we took to remediate both the immediate risk and the underlying tooling gap.

Incident Timeline

April 2026: We migrated our customer dashboard from React 18 to React 19, adopting new compiler-driven optimization features and the updated use hook for data fetching.

May 2026: A junior engineer hardcoded a test Stripe API key in a React 19 context provider file to unblock local testing, forgetting to rotate it to an environment variable before merging to main.…