ci: bump gitleaks/gitleaks-action from 2.3.9 to 3.0.0 #89
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Gitleaks Secret Scanning | |
| on: | |
| push: | |
| branches: [main, develop] | |
| pull_request: | |
| branches: [main, develop] | |
| schedule: | |
| # Weekly full scan on Monday at 3 AM UTC | |
| - cron: "0 3 * * 1" | |
| permissions: | |
| contents: read | |
| # FIX: gitleaks-action v2 calls GET /repos/{owner}/{repo}/pulls/{n}/commits | |
| # on pull_request events to determine which commits to scan. Without this | |
| # permission the API returns HTTP 403 "Resource not accessible by integration" | |
| # crashing the action before any scan runs. | |
| pull-requests: read | |
| jobs: | |
| gitleaks: | |
| name: Scan for Secrets | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run Gitleaks | |
| id: gitleaks | |
| uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3.0.0 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # GITLEAKS_CONFIG points to your custom rules file at repo root. | |
| GITLEAKS_CONFIG: .gitleaks.toml | |
| # FIX: In gitleaks-action v2, report format/path are controlled by env vars. | |
| # The action does not support `with.args` in this pinned version. | |
| GITLEAKS_REPORT_FORMAT: sarif | |
| GITLEAKS_REPORT_PATH: results.sarif | |
| # FIX: Disable built-in artifact upload and upload explicitly below. | |
| # This avoids dependency on code-scanning integrations in private repos. | |
| GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false | |
| - name: Upload Gitleaks report as workflow artifact | |
| # Run even when gitleaks finds secrets (exit code 1) so the report is | |
| # always available for review — but skip when the step was cancelled. | |
| if: always() && steps.gitleaks.outcome != 'cancelled' | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: gitleaks-report | |
| path: results.sarif | |
| if-no-files-found: ignore |