From 0d27f835c3057bb4043b8c26f4fa705e5e525fc5 Mon Sep 17 00:00:00 2001 From: julien Date: Fri, 8 May 2026 00:05:16 +0200 Subject: [PATCH] fix(ci): replace gitleaks-action with manual install (#50) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary `gitleaks/gitleaks-action@v2` is now paywalled for organisations — the action requires a `GITLEAKS_LICENSE` secret from gitleaks.io (commercial) or it errors out: ​``` 🛑 missing gitleaks license. Go grab one at gitleaks.io and store it as a GitHub Secret named GITLEAKS_LICENSE. ​``` Worse, on Gitea it cannot reliably detect personal-vs-org accounts (different API contract), so it defaults to license enforcement and the scan always fails. The **gitleaks binary itself stays MIT-licensed and free** — only the wrapper went commercial. Mirror the pattern from #45 (Trivy): drop the wrapper, install the binary directly via curl + tar, run the CLI. ## Scope of the PR The same two broken integrations existed in `.gitea/workflows/security-scheduled.yml` and would have failed silently at next Monday's cron. Fix both files in one PR for consistency. - **`ci.yml`** — gitleaks step replaced. Per-PR scan uses `--no-git --source .` (working tree only — the scan job uses a shallow checkout anyway). - **`security-scheduled.yml`** — both gitleaks AND trivy steps replaced; `fetch-depth: 0` added so gitleaks can do its **deep history scan** here (the value-add of the scheduled job over the per-PR gate); `cache: 'pnpm'` dropped from `actions/setup-node` (consistency with #8 — the act_runner cache server is unreachable from job containers). - `--redact` on both gitleaks invocations so any matched secret is masked in the CI log itself (avoids re-leaking via log artefacts). ## Trade-off Like Trivy, gitleaks version is now manually pinned. Same comment in the workflow points to releases for bumps. ## Test plan - [ ] `scan` job goes green end-to-end on this PR (audit ✓, Trivy ✓, gitleaks ✓). - [ ] `gitleaks version` line in the install step's logs shows `8.21.0`. - [ ] On `push` to main post-merge, scan stays green. - [ ] Trigger `security-scheduled` manually (Actions → Run workflow) to verify the deep-history scan path before next Monday's cron fires. --------- Co-authored-by: Julien Gautier Reviewed-on: https://git.unespace.com/julien/apf_portal/pulls/50 --- .gitea/workflows/ci.yml | 36 +++++++++++++++-- .gitea/workflows/security-scheduled.yml | 53 ++++++++++++++++++++----- 2 files changed, 77 insertions(+), 12 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 9c34ece..6bdcac4 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -116,10 +116,40 @@ jobs: --exit-code 1 \ --severity CRITICAL,HIGH \ . - # Secret scan, same reasoning (gitleaks is a Go binary). - - uses: gitleaks/gitleaks-action@v2 + # Secret scan. Same install pattern as Trivy: gitleaks is a Go + # binary, and the official `gitleaks/gitleaks-action@v2` wrapper + # is now paywalled for organisations (a GITLEAKS_LICENSE secret + # from gitleaks.io is required, otherwise the action errors out + # with `🛑 missing gitleaks license`). The binary itself stays + # MIT-licensed and free — installing it directly bypasses the + # wrapper and gives us version pinning for free. + - name: Install gitleaks env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Bump deliberately. Same caveat as TRIVY_VERSION above — + # not Renovate-tracked out of the box. Releases: + # https://github.com/gitleaks/gitleaks/releases. + GITLEAKS_VERSION: '8.21.0' + GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }} + run: | + curl -sfL \ + -H "Authorization: Bearer ${GITHUB_TOKEN}" \ + -o /tmp/gitleaks.tar.gz \ + "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" + tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks + gitleaks version + - name: Run gitleaks + # `--no-git --source .` scans the working tree only. The scan + # job uses a shallow checkout, so a git-history scan would not + # see beyond HEAD anyway; the weekly security-scheduled + # workflow does the deep history scan with a full clone. + # `--redact` masks any matched secret in the log output so we + # do not leak it via the CI logs themselves. + run: | + gitleaks detect \ + --no-git \ + --source . \ + --redact \ + --exit-code 1 commits: # PRs opened by Renovate (apf-portal-bot) carry commit messages diff --git a/.gitea/workflows/security-scheduled.yml b/.gitea/workflows/security-scheduled.yml index 30760b2..703313f 100644 --- a/.gitea/workflows/security-scheduled.yml +++ b/.gitea/workflows/security-scheduled.yml @@ -15,24 +15,60 @@ jobs: full-tree-scan: runs-on: [self-hosted, on-prem] steps: + # fetch-depth: 0 → full history. The per-PR gitleaks scan is + # shallow + working-tree-only; this scheduled job is where we + # do the deep history scan that catches secrets ever committed + # (and not just what's currently checked in). - uses: actions/checkout@v6 + with: + fetch-depth: 0 - uses: pnpm/action-setup@v6 - uses: actions/setup-node@v6 with: node-version-file: '.nvmrc' - cache: 'pnpm' - run: pnpm install --frozen-lockfile - run: pnpm audit # Full-tree Trivy (no skip-dirs, no severity filter — the per-PR # gate filters by severity for speed; this run wants the full - # surface for the security feed). - - uses: aquasecurity/trivy-action@master - with: - scan-type: fs - ignore-unfixed: true - - uses: gitleaks/gitleaks-action@v2 + # surface for the security feed). Manual install + curl, same + # pattern as ci.yml — see the rationale there. + - name: Install Trivy env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + TRIVY_VERSION: '0.70.0' + GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }} + run: | + curl -sfL \ + -H "Authorization: Bearer ${GITHUB_TOKEN}" \ + -o /tmp/trivy.tar.gz \ + "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" + tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy + trivy --version + - name: Run Trivy + run: | + trivy fs \ + --scanners vuln \ + --ignore-unfixed \ + . + # Deep gitleaks scan (full git history). Same install pattern as + # ci.yml. `--redact` masks any matched secret in the log so we + # don't leak it via CI logs themselves. + - name: Install gitleaks + env: + GITLEAKS_VERSION: '8.21.0' + GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }} + run: | + curl -sfL \ + -H "Authorization: Bearer ${GITHUB_TOKEN}" \ + -o /tmp/gitleaks.tar.gz \ + "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" + tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks + gitleaks version + - name: Run gitleaks (full history) + run: | + gitleaks detect \ + --source . \ + --redact \ + --exit-code 1 lighthouse-prod: # Skipped silently if the prod URL hasn't been configured yet. @@ -44,7 +80,6 @@ jobs: - uses: actions/setup-node@v6 with: node-version-file: '.nvmrc' - cache: 'pnpm' - run: pnpm install --frozen-lockfile - run: pnpm exec lhci collect --url=${{ vars.LHCI_PROD_URL }} --numberOfRuns=3 - run: pnpm exec lhci assert --config=./lighthouserc.js