fix(ci): replace gitleaks-action with manual install
CI / commits (pull_request) Successful in 2m9s
CI / check (pull_request) Successful in 2m31s
CI / scan (pull_request) Failing after 3m17s
CI / a11y (pull_request) Successful in 1m41s
CI / perf (pull_request) Successful in 3m1s

`gitleaks/gitleaks-action@v2` is now paywalled for organisations:
the action errors out with `🛑 missing gitleaks license. Go grab one
at gitleaks.io and store it as a GitHub Secret named
GITLEAKS_LICENSE.` Worse, it cannot reliably detect personal-vs-org
on Gitea (the GitHub API contract differs), so it defaults to
license enforcement and the scan fails. The gitleaks binary itself
remains MIT-licensed and free.

Mirror the pattern we just adopted for Trivy in #45: drop the
wrapper, install the binary directly via curl + tar from the GitHub
release, run the CLI. This:

- removes a third-party action dependency we did not need;
- pins the gitleaks version explicitly;
- harmonises with the Trivy step that lives next to it.

Apply the same change to `.gitea/workflows/security-scheduled.yml`
in the same PR — it had both broken integrations (`trivy-action
@master` plus `gitleaks-action@v2`) and was waiting silently to
fail at next Monday's cron.

Per-PR gitleaks scan uses `--no-git --source .` (working tree only)
since the scan job uses a shallow checkout; the weekly scheduled
job switches to a full clone (`fetch-depth: 0`) and runs gitleaks
in deep-history mode (default), which is the value-add of the
scheduled job over the per-PR gate.

`--redact` is added on both invocations so any matched secret is
masked in the CI log itself (no leak via the log artefact).

Also drop `cache: 'pnpm'` from `actions/setup-node` in the
scheduled workflow — we already removed it from ci.yml in #8 (the
act_runner cache server is unreachable from job containers; every
restore burns ~2 min ETIMEDOUT for zero hits). Consistency.
This commit is contained in:
Julien Gautier
2026-05-07 19:25:54 +02:00
parent 2cc795a9fd
commit 7adc6e33f5
2 changed files with 77 additions and 12 deletions
+33 -3
View File
@@ -116,10 +116,40 @@ jobs:
--exit-code 1 \
--severity CRITICAL,HIGH \
.
# Secret scan, same reasoning (gitleaks is a Go binary).
- uses: gitleaks/gitleaks-action@v2
# Secret scan. Same install pattern as Trivy: gitleaks is a Go
# binary, and the official `gitleaks/gitleaks-action@v2` wrapper
# is now paywalled for organisations (a GITLEAKS_LICENSE secret
# from gitleaks.io is required, otherwise the action errors out
# with `🛑 missing gitleaks license`). The binary itself stays
# MIT-licensed and free — installing it directly bypasses the
# wrapper and gives us version pinning for free.
- name: Install gitleaks
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Bump deliberately. Same caveat as TRIVY_VERSION above —
# not Renovate-tracked out of the box. Releases:
# https://github.com/gitleaks/gitleaks/releases.
GITLEAKS_VERSION: '8.21.0'
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
run: |
curl -sfL \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-o /tmp/gitleaks.tar.gz \
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
gitleaks version
- name: Run gitleaks
# `--no-git --source .` scans the working tree only. The scan
# job uses a shallow checkout, so a git-history scan would not
# see beyond HEAD anyway; the weekly security-scheduled
# workflow does the deep history scan with a full clone.
# `--redact` masks any matched secret in the log output so we
# do not leak it via the CI logs themselves.
run: |
gitleaks detect \
--no-git \
--source . \
--redact \
--exit-code 1
commits:
# PRs opened by Renovate (apf-portal-bot) carry commit messages
+44 -9
View File
@@ -15,24 +15,60 @@ jobs:
full-tree-scan:
runs-on: [self-hosted, on-prem]
steps:
# fetch-depth: 0 → full history. The per-PR gitleaks scan is
# shallow + working-tree-only; this scheduled job is where we
# do the deep history scan that catches secrets ever committed
# (and not just what's currently checked in).
- uses: actions/checkout@v6
with:
fetch-depth: 0
- uses: pnpm/action-setup@v6
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
- run: pnpm audit
# Full-tree Trivy (no skip-dirs, no severity filter — the per-PR
# gate filters by severity for speed; this run wants the full
# surface for the security feed).
- uses: aquasecurity/trivy-action@master
with:
scan-type: fs
ignore-unfixed: true
- uses: gitleaks/gitleaks-action@v2
# surface for the security feed). Manual install + curl, same
# pattern as ci.yml — see the rationale there.
- name: Install Trivy
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TRIVY_VERSION: '0.70.0'
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
run: |
curl -sfL \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-o /tmp/trivy.tar.gz \
"https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy
trivy --version
- name: Run Trivy
run: |
trivy fs \
--scanners vuln \
--ignore-unfixed \
.
# Deep gitleaks scan (full git history). Same install pattern as
# ci.yml. `--redact` masks any matched secret in the log so we
# don't leak it via CI logs themselves.
- name: Install gitleaks
env:
GITLEAKS_VERSION: '8.21.0'
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
run: |
curl -sfL \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-o /tmp/gitleaks.tar.gz \
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
gitleaks version
- name: Run gitleaks (full history)
run: |
gitleaks detect \
--source . \
--redact \
--exit-code 1
lighthouse-prod:
# Skipped silently if the prod URL hasn't been configured yet.
@@ -44,7 +80,6 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
- run: pnpm exec lhci collect --url=${{ vars.LHCI_PROD_URL }} --numberOfRuns=3
- run: pnpm exec lhci assert --config=./lighthouserc.js