fix(ci): replace gitleaks-action with manual install
`gitleaks/gitleaks-action@v2` is now paywalled for organisations: the action errors out with `🛑 missing gitleaks license. Go grab one at gitleaks.io and store it as a GitHub Secret named GITLEAKS_LICENSE.` Worse, it cannot reliably detect personal-vs-org on Gitea (the GitHub API contract differs), so it defaults to license enforcement and the scan fails. The gitleaks binary itself remains MIT-licensed and free. Mirror the pattern we just adopted for Trivy in #45: drop the wrapper, install the binary directly via curl + tar from the GitHub release, run the CLI. This: - removes a third-party action dependency we did not need; - pins the gitleaks version explicitly; - harmonises with the Trivy step that lives next to it. Apply the same change to `.gitea/workflows/security-scheduled.yml` in the same PR — it had both broken integrations (`trivy-action @master` plus `gitleaks-action@v2`) and was waiting silently to fail at next Monday's cron. Per-PR gitleaks scan uses `--no-git --source .` (working tree only) since the scan job uses a shallow checkout; the weekly scheduled job switches to a full clone (`fetch-depth: 0`) and runs gitleaks in deep-history mode (default), which is the value-add of the scheduled job over the per-PR gate. `--redact` is added on both invocations so any matched secret is masked in the CI log itself (no leak via the log artefact). Also drop `cache: 'pnpm'` from `actions/setup-node` in the scheduled workflow — we already removed it from ci.yml in #8 (the act_runner cache server is unreachable from job containers; every restore burns ~2 min ETIMEDOUT for zero hits). Consistency.
This commit is contained in:
@@ -15,24 +15,60 @@ jobs:
|
||||
full-tree-scan:
|
||||
runs-on: [self-hosted, on-prem]
|
||||
steps:
|
||||
# fetch-depth: 0 → full history. The per-PR gitleaks scan is
|
||||
# shallow + working-tree-only; this scheduled job is where we
|
||||
# do the deep history scan that catches secrets ever committed
|
||||
# (and not just what's currently checked in).
|
||||
- uses: actions/checkout@v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- uses: pnpm/action-setup@v6
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version-file: '.nvmrc'
|
||||
cache: 'pnpm'
|
||||
- run: pnpm install --frozen-lockfile
|
||||
- run: pnpm audit
|
||||
# Full-tree Trivy (no skip-dirs, no severity filter — the per-PR
|
||||
# gate filters by severity for speed; this run wants the full
|
||||
# surface for the security feed).
|
||||
- uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: fs
|
||||
ignore-unfixed: true
|
||||
- uses: gitleaks/gitleaks-action@v2
|
||||
# surface for the security feed). Manual install + curl, same
|
||||
# pattern as ci.yml — see the rationale there.
|
||||
- name: Install Trivy
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
TRIVY_VERSION: '0.70.0'
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
||||
run: |
|
||||
curl -sfL \
|
||||
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
||||
-o /tmp/trivy.tar.gz \
|
||||
"https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
|
||||
tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy
|
||||
trivy --version
|
||||
- name: Run Trivy
|
||||
run: |
|
||||
trivy fs \
|
||||
--scanners vuln \
|
||||
--ignore-unfixed \
|
||||
.
|
||||
# Deep gitleaks scan (full git history). Same install pattern as
|
||||
# ci.yml. `--redact` masks any matched secret in the log so we
|
||||
# don't leak it via CI logs themselves.
|
||||
- name: Install gitleaks
|
||||
env:
|
||||
GITLEAKS_VERSION: '8.21.0'
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
||||
run: |
|
||||
curl -sfL \
|
||||
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
||||
-o /tmp/gitleaks.tar.gz \
|
||||
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
|
||||
tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
|
||||
gitleaks version
|
||||
- name: Run gitleaks (full history)
|
||||
run: |
|
||||
gitleaks detect \
|
||||
--source . \
|
||||
--redact \
|
||||
--exit-code 1
|
||||
|
||||
lighthouse-prod:
|
||||
# Skipped silently if the prod URL hasn't been configured yet.
|
||||
@@ -44,7 +80,6 @@ jobs:
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version-file: '.nvmrc'
|
||||
cache: 'pnpm'
|
||||
- run: pnpm install --frozen-lockfile
|
||||
- run: pnpm exec lhci collect --url=${{ vars.LHCI_PROD_URL }} --numberOfRuns=3
|
||||
- run: pnpm exec lhci assert --config=./lighthouserc.js
|
||||
|
||||
Reference in New Issue
Block a user