From 25244173a41addd4a4df1fdbb61cb39c018184ed Mon Sep 17 00:00:00 2001
From: yotamelo <88616986+yotamleo@users.noreply.github.com>
Date: Wed, 11 Mar 2026 00:32:44 +0100
Subject: [PATCH 1/3] fix(ci): [OPS-715] add gitleaks secret scanning with diff-scan optimization
---
 .github/workflows/gitleaks.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 .github/workflows/gitleaks.yaml
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
new file mode 100644
index 0000000..06716b4
--- /dev/null
+++ b/.github/workflows/gitleaks.yaml
@@ -0,0 +1,14 @@
+name: gitleaks
+on:
+ push:
+ branches: [main]
+ pull_request:
+jobs:
+ scan:
+ uses: knostic/.github/.github/workflows/gitleaks.yaml@fix/gitleaks-scan-range
+ with:
+ event_name: ${{ github.event_name }}
+ base_sha: ${{ github.event.pull_request.base.sha || '' }}
+ before_sha: ${{ github.event.before || '' }}
+ forced: ${{ github.event.forced == true }}
+ secrets: inherit
From a4c550ad47d30530dfc47b075d73e1bbef6eba8b Mon Sep 17 00:00:00 2001
From: yotamelo <88616986+yotamleo@users.noreply.github.com>
Date: Wed, 11 Mar 2026 02:48:47 +0100
Subject: [PATCH 2/3] fix(gitleaks): add pull-requests read permission to caller [OPS-715]
---
 .github/workflows/gitleaks.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
index 06716b4..aac0c54 100644
--- a/.github/workflows/gitleaks.yaml
+++ b/.github/workflows/gitleaks.yaml
@@ -6,6 +6,9 @@ on:
 jobs:
 scan:
 uses: knostic/.github/.github/workflows/gitleaks.yaml@fix/gitleaks-scan-range
+ permissions:
+ contents: read
+ pull-requests: read
 with:
 event_name: ${{ github.event_name }}
 base_sha: ${{ github.event.pull_request.base.sha || '' }}
From ae5517f12c86b3bdf40793248bc9d6a0c8fa4869 Mon Sep 17 00:00:00 2001 
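Review bot: `uses: knostic/.github/.github/workflows/gitleaks.yaml@fix/gitleaks-scan-range` in the PATCH 1/3 hunk pins the reusable workflow to a mutable branch, and `secrets: inherit` on the same job hands every repository secret to whatever that branch contains at the moment the job runs; a reusable workflow should be referenced by a full commit SHA (or at least a release tag), and `secrets:` should list only the secrets the scan actually needs. PATCH 3/3 in this series removes the reusable-workflow call in favour of an inline job, so this only matters if the first two patches are applied on their own.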
From: yotamelo <88616986+yotamleo@users.noreply.github.com>
Date: Wed, 11 Mar 2026 03:13:40 +0100
Subject: [PATCH 3/3] ci: update gitleaks to inline diff-scan template
---
 .github/workflows/gitleaks.yaml | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
index aac0c54..27a470f 100644
--- a/.github/workflows/gitleaks.yaml
+++ b/.github/workflows/gitleaks.yaml
@@ -5,13 +5,31 @@ on:
 pull_request:
 jobs:
 scan:
- uses: knostic/.github/.github/workflows/gitleaks.yaml@fix/gitleaks-scan-range
+ name: gitleaks
+ runs-on: ubuntu-latest
 permissions:
 contents: read
 pull-requests: read
- with:
- event_name: ${{ github.event_name }}
- base_sha: ${{ github.event.pull_request.base.sha || '' }}
- before_sha: ${{ github.event.before || '' }}
- forced: ${{ github.event.forced == true }}
- secrets: inherit
+ actions: read
+ checks: write
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+ - name: Set scan range
+ id: range
+ run: |
+ NULL_SHA="0000000000000000000000000000000000000000"
+ if [ "${{ github.event_name }}" = "pull_request" ]; then
+ echo "log_opts=${{ github.event.pull_request.base.sha }}..HEAD" >> $GITHUB_OUTPUT
+ elif [ "${{ github.event.before }}" = "$NULL_SHA" ] || [ -z "${{ github.event.before }}" ] || [ "${{ github.event.forced }}" = "true" ]; then
+ echo "log_opts=" >> $GITHUB_OUTPUT
+ else
+ echo "log_opts=${{ github.event.before }}..HEAD" >> $GITHUB_OUTPUT
+ fi
+ - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+ GITLEAKS_LOG_OPTS: ${{ steps.range.outputs.log_opts }}
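Review bot: The `run:` script of the "Set scan range" step splices `${{ github.event_name }}`, `${{ github.event.pull_request.base.sha }}`, `${{ github.event.before }}` and `${{ github.event.forced }}` directly into shell source, so the script text is produced by template expansion at run time; for these particular fields the values are SHAs, a boolean and an event name, so the practical exposure is low, but the safer and more uniform shape is to pass them through the step's `env:` and read them as shell variables. While on those lines, `$GITHUB_OUTPUT` should be quoted (`>> "$GITHUB_OUTPUT"`), and the empty-`log_opts` fallback for new branches and force pushes deserves a one-line comment since the step's behaviour depends on it. The rewritten step below keeps the same three branches and emits the same `log_opts` values; the gitleaks-action step that consumes `steps.range.outputs.log_opts` is unchanged.
```yaml
      - name: Set scan range
        id: range
        env:
          EVENT_NAME: ${{ github.event_name }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          BEFORE_SHA: ${{ github.event.before }}
          FORCED: ${{ github.event.forced }}
        run: |
          NULL_SHA="0000000000000000000000000000000000000000"
          if [ "$EVENT_NAME" = "pull_request" ]; then
            echo "log_opts=${BASE_SHA}..HEAD" >> "$GITHUB_OUTPUT"
          elif [ "$BEFORE_SHA" = "$NULL_SHA" ] || [ -z "$BEFORE_SHA" ] || [ "$FORCED" = "true" ]; then
            # New branch or force push: no usable range, so leave log_opts empty (full-history scan).
            echo "log_opts=" >> "$GITHUB_OUTPUT"
          else
            echo "log_opts=${BEFORE_SHA}..HEAD" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: gitleaks/gitleaks-action step and its env …
```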