fix(ci): pin gitleaks version and harden install step
Some checks failed
Security Scan / Secret Detection (push) Successful in 12s
Security Scan / Dependency & Config Scan (push) Failing after 21s
Security Scan / Go Vulnerability Check (push) Failing after 2m21s

The gitleaks install was fragile: depended on GitHub API (rate limits),
jq being present, and hardcoded x64 arch. Now pins v8.24.3, detects
arch, uses curl -f for proper error handling, and verifies install.

Co-Authored-By: Virgil <virgil@lethean.io>
Snider 2026-02-21 19:50:28 +00:00
parent cce9adc043
commit 4163aedec1


@ -33,8 +33,18 @@ jobs:
fetch-depth: 0
- name: Install gitleaks
run: |
GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | jq -r '.tag_name' | tr -d 'v')
curl -sL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar xz -C /usr/local/bin gitleaks
set -euo pipefail
GITLEAKS_VERSION="8.24.3"
ARCH=$(uname -m)
case "$ARCH" in
x86_64) ARCH_SUFFIX="x64" ;;
aarch64) ARCH_SUFFIX="arm64" ;;
*) echo "Unsupported arch: $ARCH"; exit 1 ;;
esac
URL="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_${ARCH_SUFFIX}.tar.gz"
echo "Downloading gitleaks v${GITLEAKS_VERSION} for ${ARCH_SUFFIX}..."
curl -fsSL "$URL" | tar xz -C /usr/local/bin gitleaks
gitleaks version
- name: Scan for secrets
run: gitleaks detect --source . --no-banner
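Review bot: the new install step pins the version but not the artifact, so `curl -fsSL "$URL" | tar xz -C /usr/local/bin gitleaks` still trusts whatever the release URL serves, and `gitleaks version` only confirms that some binary runs, not that it is the expected one. Since the version is now fixed, the expected SHA-256 of the tarball can be fixed alongside it: download to a file with `curl -fsSLo gitleaks.tar.gz "$URL"`, check it with `echo "<expected-sha256>  gitleaks.tar.gz" | sha256sum -c -`, and only then extract. Worth a comment in the step as well: `set -euo pipefail` makes the `curl | tar` pipeline fail the job on a download error (the old line would have continued with an empty or partial archive), and `tar -C /usr/local/bin` still assumes the runner user can write there, which a permission error will now surface instead of silently skipping.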