ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads

Author: Som3a99

.github/workflows/codeql-analysis.yml

@@ -56,7 +56,11 @@ jobs:
         uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
         with:
           category: "/language:${{ matrix.language }}"
-          # upload: false is NOT set — we attempt upload normally.
-          # On private repos without GHAS the upload will warn but the job still passes
-          # because the action only hard-errors when security-events write is explicitly denied.
-        continue-on-error: false
+          # FIX: Disable SARIF upload to GitHub's code-scanning API.
+          # This repo is private without GitHub Advanced Security, so the upload
+          # endpoint returns "Code scanning is not enabled" and fails the job.
+          # The scan itself completes successfully — disabling upload lets the
+          # job pass while preserving full analysis coverage.
+          # To re-enable: remove this line and enable Code Scanning at
+          # Settings → Code security → Code scanning (requires GHAS).
+          upload: false

.github/workflows/gitleaks.yml

@@ -11,6 +11,11 @@ on:
 
 permissions:
   contents: read
+  # FIX: gitleaks-action v2 calls GET /repos/{owner}/{repo}/pulls/{n}/commits
+  # on pull_request events to determine which commits to scan. Without this
+  # permission the API returns HTTP 403 "Resource not accessible by integration"
+  # crashing the action before any scan runs.
+  pull-requests: read
 
 jobs:
   gitleaks:
@@ -23,24 +28,30 @@ jobs:
           fetch-depth: 0
 
       - name: Run Gitleaks
+        id: gitleaks
         uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # Fix: In gitleaks-action v2, report format/path are controlled via
-          # GITLEAKS_REPORT_FORMAT and GITLEAKS_REPORT_PATH env vars, NOT via
-          # the `with.args` parameter (which is ignored by this action version).
-          GITLEAKS_REPORT_FORMAT: sarif
-          GITLEAKS_REPORT_PATH: results.sarif
+          # GITLEAKS_CONFIG points to your custom rules file at repo root.
           GITLEAKS_CONFIG: .gitleaks.toml
-        # Note: `with.args` has been removed — gitleaks-action v2 does not
-        # expose an `args` input; using it silently had no effect, which is
-        # why results.sarif was never created and the upload step failed.
+          # FIX: gitleaks-action v2 auto-generates a SARIF file internally and
+          # handles its own artifact upload when GITLEAKS_ENABLE_UPLOAD_ARTIFACT=true
+          # (the default). The `with.args` parameter does not exist in this action
+          # and was silently ignored — that is why results.sarif was never written
+          # to disk, causing the upload step to fail with "file not found".
+          # Uploading SARIF to the code-scanning API also requires GitHub Advanced
+          # Security (GHAS), which is not available on private free-plan repos.
+          # We therefore disable the built-in artifact upload and instead capture
+          # the report ourselves below using actions/upload-artifact (no GHAS needed).
+          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
 
-      - name: Upload Gitleaks SARIF report
-        if: always()
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
-        # Fix: was using unpinned `@v4` tag — now pinned to the same commit
-        # SHA used by the rest of the workflow for supply-chain consistency.
+      - name: Upload Gitleaks report as workflow artifact
+        # Run even when gitleaks finds secrets (exit code 1) so the report is
+        # always available for review — but skip when the step was cancelled.
+        if: always() && steps.gitleaks.outcome != 'cancelled'
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          sarif_file: results.sarif
-        continue-on-error: true
+          name: gitleaks-report
+          # gitleaks-action v2 writes the SARIF to this fixed path
+          path: results.sarif
+          if-no-files-found: ignore