fix(ci): replace gitleaks-action with manual install #50
Reference in New Issue
Block a user
Delete Branch "fix/ci/gitleaks-manual-install"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
gitleaks/gitleaks-action@v2is now paywalled for organisations — the action requires aGITLEAKS_LICENSEsecret from gitleaks.io (commercial) or it errors out:
🛑 missing gitleaks license. Go grab one at gitleaks.io and store it as a GitHub Secret named GITLEAKS_LICENSE. Worse, on Gitea it cannot reliably detect personal-vs-org accounts (different API contract), so it defaults to license enforcement and the scan always fails. The gitleaks binary itself stays MIT-licensed and free — only the wrapper went commercial.
Mirror the pattern from #45 (Trivy): drop the wrapper, install the binary directly via curl + tar, run the CLI.
Scope of the PR
The same two broken integrations existed in
.gitea/workflows/security-scheduled.ymland would have failed silently at next Monday's cron. Fix both files in one PR for consistency.ci.yml— gitleaks step replaced. Per-PR scan uses--no-git --source .(working tree only — the scan job uses a shallow checkout anyway).security-scheduled.yml— both gitleaks AND trivy steps replaced;fetch-depth: 0added so gitleaks can do its deep history scan here (the value-add of the scheduled job over the per-PR gate);cache: 'pnpm'dropped fromactions/setup-node(consistency with #8 — the act_runner cache server is unreachable from job containers).--redacton both gitleaks invocations so any matched secret is masked in the CI log itself (avoids re-leaking via log artefacts).Trade-off
Like Trivy, gitleaks version is now manually pinned. Same comment in the workflow points to releases for bumps.
Test plan
scanjob goes green end-to-end on this PR (audit ✓, Trivy ✓, gitleaks ✓).gitleaks versionline in the install step's logs shows8.21.0.pushto main post-merge, scan stays green.security-scheduledmanually (Actions → Run workflow) to verify the deep-history scan path before next Monday's cron fires.