fix(ci): release.yaml duplicate permissions + gitleaks OSS binary

- release.yaml had two `permissions:` blocks on the `release` job which made
  GitHub Actions reject the workflow file entirely (failure at parse time, 0s).
  Merged into a single block with the union of both sets (contents/id-token/
  packages/issues/actions).

- gitleaks workflow used gitleaks/gitleaks-action@v2 which now requires a paid
  GITLEAKS_LICENSE for org repos. Replaced with a direct binary install
  (v8.21.2) + SARIF artifact upload. Same .gitleaks.toml + same fail-on-finding
  behavior, no license required.

Both validated with `actionlint`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Shaw

.github/workflows/gitleaks.yml

@@ -25,14 +25,38 @@ jobs:
           # Full history so gitleaks can scan the diff range on PRs.
           fetch-depth: 0
 
+      - name: Install gitleaks (OSS binary — no license required)
+        # gitleaks/gitleaks-action@v2 requires a paid license for org repos.
+        # We download the OSS CLI directly so the scan remains free and
+        # honors our .gitleaks.toml allowlist + custom rules.
+        run: |
+          set -euo pipefail
+          GITLEAKS_VERSION=8.21.2
+          curl -sSL -o /tmp/gitleaks.tar.gz \
+            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+          tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
+          sudo install -m 0755 /tmp/gitleaks /usr/local/bin/gitleaks
+          gitleaks version
+
       - name: Run gitleaks
-        # gitleaks/gitleaks-action@v2
-        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7
-        env:
-          # No license — uses default OSS scanning. Set GITLEAKS_LICENSE if/when
-          # an org license is provisioned for richer scans.
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITLEAKS_CONFIG: .gitleaks.toml
-          GITLEAKS_ENABLE_COMMENTS: "false"
-          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: "true"
-          GITLEAKS_ENABLE_SUMMARY: "true"
+        # Scan the full working tree. Returns non-zero on any finding so the
+        # job fails the build the same way the wrapper action did.
+        run: |
+          gitleaks detect \
+            --config .gitleaks.toml \
+            --source . \
+            --verbose \
+            --redact \
+            --report-format sarif \
+            --report-path gitleaks.sarif \
+            --no-banner
+
+      - name: Upload SARIF
+        if: always()
+        # actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
+        with:
+          name: gitleaks-sarif
+          path: gitleaks.sarif
+          if-no-files-found: ignore
+          retention-days: 7

.github/workflows/release.yaml

@@ -55,6 +55,9 @@ jobs:
     permissions:
       contents: write   # release commits push lerna version bumps + git tags
       id-token: write   # OIDC for npm publish
+      packages: write   # publish to GitHub Packages mirror
+      issues: write     # comment on release-tracking issues
+      actions: read     # read other workflow runs for context
     # Skip if commit message contains [skip ci]. Alpha releases are disabled;
     # prerelease GitHub-release events are skipped so tag pushes are the single
     # npm publication path for beta versions.
@@ -65,12 +68,6 @@ jobs:
         !(github.ref_type == 'tag' && contains(github.ref_name || '', '-alpha'))
       }}
 
-    permissions:
-      contents: write
-      packages: write
-      issues: write
-      actions: read
-
     steps:
       - name: Checkout code
         uses: actions/checkout@v4