From 4163aedec1042fa1da6d72321eeeb7a1f51e3bd4 Mon Sep 17 00:00:00 2001
From: Snider
Date: Sat, 21 Feb 2026 19:50:28 +0000
Subject: [PATCH] fix(ci): pin gitleaks version and harden install step

The gitleaks install was fragile: depended on GitHub API (rate limits), jq being present, and hardcoded x64 arch. Now pins v8.24.3, detects arch, uses curl -f for proper error handling, and verifies install.

Co-Authored-By: Virgil
---
 .forgejo/workflows/security-scan.yml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/.forgejo/workflows/security-scan.yml b/.forgejo/workflows/security-scan.yml
index 7544d94a..8f95ce86 100644
--- a/.forgejo/workflows/security-scan.yml
+++ b/.forgejo/workflows/security-scan.yml
@@ -33,8 +33,18 @@ jobs:
 fetch-depth: 0
 - name: Install gitleaks
 run: |
- GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | jq -r '.tag_name' | tr -d 'v')
- curl -sL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar xz -C /usr/local/bin gitleaks
+ set -euo pipefail
+ GITLEAKS_VERSION="8.24.3"
+ ARCH=$(uname -m)
+ case "$ARCH" in
+ x86_64) ARCH_SUFFIX="x64" ;;
+ aarch64) ARCH_SUFFIX="arm64" ;;
+ *) echo "Unsupported arch: $ARCH"; exit 1 ;;
+ esac
+ URL="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_${ARCH_SUFFIX}.tar.gz"
+ echo "Downloading gitleaks v${GITLEAKS_VERSION} for ${ARCH_SUFFIX}..."
+ curl -fsSL "$URL" | tar xz -C /usr/local/bin gitleaks
+ gitleaks version
 - name: Scan for secrets
 run: gitleaks detect --source . --no-banner
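Review bot: Pinning the version does not yet pin the artifact: the new `curl -fsSL "$URL" | tar xz -C /usr/local/bin gitleaks` line installs whatever is served for that tag with no integrity check, so a replaced or tampered release asset would be extracted and then run as the secret scanner over the whole checkout. Because `GITLEAKS_VERSION` is now fixed, the archive's sha256 can be pinned next to it per architecture and checked before extraction; upstream releases ship a checksums file alongside the archives from which the two values can be copied (confirm against the release page). This means downloading to a file, running `sha256sum -c`, and only then extracting; `set -euo pipefail` already makes any failing step abort the job, and the trailing `gitleaks version` remains a useful smoke check after the verified extraction. The hunk's declared line count is one more than is visible here, so a trailing context line may be cut off.
```yaml
      run: |
        set -euo pipefail
        GITLEAKS_VERSION="8.24.3"
        ARCH=$(uname -m)
        # per-arch sha256 of the release archive; placeholders below stand in for the values from the upstream checksums file
        case "$ARCH" in
          x86_64)  ARCH_SUFFIX="x64";   EXPECTED_SHA256="<SHA256_OF_x64_ARCHIVE>" ;;
          aarch64) ARCH_SUFFIX="arm64"; EXPECTED_SHA256="<SHA256_OF_arm64_ARCHIVE>" ;;
          *) echo "Unsupported arch: $ARCH"; exit 1 ;;
        esac
        # … unchanged: URL construction and download message …
        curl -fsSL -o gitleaks.tar.gz "$URL"
        echo "${EXPECTED_SHA256}  gitleaks.tar.gz" | sha256sum -c -
        tar xzf gitleaks.tar.gz -C /usr/local/bin gitleaks
        rm -f gitleaks.tar.gz
        gitleaks version
```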