fix(ci): add sha256 checksum verification for binary downloads

gitleaks 8.21.2 and osv-scanner 1.8.5 downloads now verified against
official release checksums before execution.

SR-1 resolution: addresses Low finding from CTO security review.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Author: CTO (UnboxAPI)

.github/workflows/ci.yml

@@ -30,9 +30,11 @@ jobs:
       - name: Install gitleaks
         run: |
           GITLEAKS_VERSION=8.21.2
+          GITLEAKS_SHA256=5bc41815076e6ed6ef8fbecc9d9b75bcae31f39029ceb55da08086315316e3ba
           curl -sSfL \
             "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
             -o /tmp/gitleaks.tar.gz
+          echo "${GITLEAKS_SHA256}  /tmp/gitleaks.tar.gz" | sha256sum -c -
           tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
           chmod +x /tmp/gitleaks
       - name: Run gitleaks (git history)
@@ -55,9 +57,11 @@ jobs:
       - name: Install osv-scanner
         run: |
           OSV_VERSION=1.8.5
+          OSV_SHA256=3f241e03861e25dc3f739794ba03ad3dffd68ef2c96c382a45df5fe734b5dc5f
           curl -sSfL \
             "https://github.com/google/osv-scanner/releases/download/v${OSV_VERSION}/osv-scanner_linux_amd64" \
             -o /tmp/osv-scanner
+          echo "${OSV_SHA256}  /tmp/osv-scanner" | sha256sum -c -
           chmod +x /tmp/osv-scanner
       - name: Run osv-scanner
         run: /tmp/osv-scanner scan --recursive .