fix(ci): replace gitleaks-action with manual install (#50)
CI / commits (push) Has been skipped
CI / check (push) Successful in 1m59s
CI / scan (push) Failing after 2m37s
CI / a11y (push) Successful in 1m24s
CI / perf (push) Successful in 3m34s

## Summary
`gitleaks/gitleaks-action@v2` is now paywalled for organisations — the action requires a `GITLEAKS_LICENSE` secret from gitleaks.io (commercial) or it errors out:

​```
🛑 missing gitleaks license. Go grab one at gitleaks.io and store it as a GitHub Secret named GITLEAKS_LICENSE.
​```

Worse, on Gitea it cannot reliably detect personal-vs-org accounts (different API contract), so it defaults to license enforcement and the scan always fails. The **gitleaks binary itself stays MIT-licensed and free** — only the wrapper went commercial.

Mirror the pattern from #45 (Trivy): drop the wrapper, install the binary directly via curl + tar, run the CLI.

## Scope of the PR
The same two broken integrations existed in `.gitea/workflows/security-scheduled.yml` and would have failed silently at next Monday's cron. Fix both files in one PR for consistency.

- **`ci.yml`** — gitleaks step replaced. Per-PR scan uses `--no-git --source .` (working tree only — the scan job uses a shallow checkout anyway).
- **`security-scheduled.yml`** — both gitleaks AND trivy steps replaced; `fetch-depth: 0` added so gitleaks can do its **deep history scan** here (the value-add of the scheduled job over the per-PR gate); `cache: 'pnpm'` dropped from `actions/setup-node` (consistency with #8 — the act_runner cache server is unreachable from job containers).
- `--redact` on both gitleaks invocations so any matched secret is masked in the CI log itself (avoids re-leaking via log artefacts).

## Trade-off
Like Trivy, gitleaks version is now manually pinned. Same comment in the workflow points to releases for bumps.

## Test plan
- [ ] `scan` job goes green end-to-end on this PR (audit ✓, Trivy ✓, gitleaks ✓).
- [ ] `gitleaks version` line in the install step's logs shows `8.21.0`.
- [ ] On `push` to main post-merge, scan stays green.
- [ ] Trigger `security-scheduled` manually (Actions → Run workflow) to verify the deep-history scan path before next Monday's cron fires.

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #50
This commit was merged in pull request #50.
This commit is contained in:
2026-05-08 00:05:16 +02:00
parent 2cc795a9fd
commit 0d27f835c3
2 changed files with 77 additions and 12 deletions
+33 -3
View File
@@ -116,10 +116,40 @@ jobs:
--exit-code 1 \
--severity CRITICAL,HIGH \
.
# Secret scan, same reasoning (gitleaks is a Go binary).
- uses: gitleaks/gitleaks-action@v2
# Secret scan. Same install pattern as Trivy: gitleaks is a Go
# binary, and the official `gitleaks/gitleaks-action@v2` wrapper
# is now paywalled for organisations (a GITLEAKS_LICENSE secret
# from gitleaks.io is required, otherwise the action errors out
# with `🛑 missing gitleaks license`). The binary itself stays
# MIT-licensed and free — installing it directly bypasses the
# wrapper and gives us version pinning for free.
- name: Install gitleaks
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Bump deliberately. Same caveat as TRIVY_VERSION above —
# not Renovate-tracked out of the box. Releases:
# https://github.com/gitleaks/gitleaks/releases.
GITLEAKS_VERSION: '8.21.0'
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
run: |
curl -sfL \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-o /tmp/gitleaks.tar.gz \
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
gitleaks version
- name: Run gitleaks
# `--no-git --source .` scans the working tree only. The scan
# job uses a shallow checkout, so a git-history scan would not
# see beyond HEAD anyway; the weekly security-scheduled
# workflow does the deep history scan with a full clone.
# `--redact` masks any matched secret in the log output so we
# do not leak it via the CI logs themselves.
run: |
gitleaks detect \
--no-git \
--source . \
--redact \
--exit-code 1
commits:
# PRs opened by Renovate (apf-portal-bot) carry commit messages