From 1c14c331ae814b8b507c495290dc262486e616b1 Mon Sep 17 00:00:00 2001
From: yotamelo <88616986+yotamleo@users.noreply.github.com>
Date: Wed, 11 Mar 2026 00:32:05 +0100
Subject: [PATCH 1/9] fix(ci): [OPS-715] add gitleaks secret scanning with diff-scan optimization
---
 .github/workflows/gitleaks.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 .github/workflows/gitleaks.yaml
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
new file mode 100644
index 0000000..af5f1f2
--- /dev/null
+++ b/.github/workflows/gitleaks.yaml
@@ -0,0 +1,14 @@
+name: gitleaks
+on:
+ push:
+ branches: [main]
+ pull_request:
+jobs:
+ scan:
+ uses: knostic/.github/.github/workflows/gitleaks.yaml@fix/gitleaks-scan-range
+ with:
+ event_name: ${{ github.event_name }}
+ base_sha: ${{ github.event.pull_request.base.sha || '' }}
+ before_sha: ${{ github.event.before || '' }}
+ forced: ${{ github.event.forced == true }}
+ secrets: inherit
\ No newline at end of file
From 451bc6e468cc827898cc8fa2a05cacca73a4502b Mon Sep 17 00:00:00 2001
From: yotamelo <88616986+yotamleo@users.noreply.github.com>
Date: Wed, 11 Mar 2026 02:48:33 +0100
Subject: [PATCH 2/9] fix(gitleaks): add pull-requests read permission to caller [OPS-715]
---
 .github/workflows/gitleaks.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
index af5f1f2..aac0c54 100644
--- a/.github/workflows/gitleaks.yaml
+++ b/.github/workflows/gitleaks.yaml
@@ -6,9 +6,12 @@ on:
 jobs:
 scan:
 uses: knostic/.github/.github/workflows/gitleaks.yaml@fix/gitleaks-scan-range
+ permissions:
+ contents: read
+ pull-requests: read
 with:
 event_name: ${{ github.event_name }}
 base_sha: ${{ github.event.pull_request.base.sha || '' }}
 before_sha: ${{ github.event.before || '' }}
 forced: ${{ github.event.forced == true }}
- secrets: inherit
\ No newline at end of file
+ secrets: inherit
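Review bot: `secrets: inherit` on the `scan` job forwards every secret of the calling repository to a reusable workflow that is referenced by the mutable branch ref `@fix/gitleaks-scan-range`, so whatever that branch resolves to at run time receives all of them. Passing only what the scanner needs through an explicit `secrets:` mapping (the license secret the called workflow declares) limits the blast radius, and pinning the `uses:` ref to a commit SHA makes the called code reviewable. The same `uses:` line recurs as context in the following hunks of this series, so the point applies to them as well.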
From 593db2a152a57431e3238f8e5a801ba6671e4ff2 Mon Sep 17 00:00:00 2001
From: yotamelo <88616986+yotamleo@users.noreply.github.com>
Date: Wed, 11 Mar 2026 02:55:50 +0100
Subject: [PATCH 3/9] fix(gitleaks): remove invalid job-level permissions from reusable workflow caller [OPS-715]
---
 .github/workflows/gitleaks.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
index aac0c54..06716b4 100644
--- a/.github/workflows/gitleaks.yaml
+++ b/.github/workflows/gitleaks.yaml
@@ -6,9 +6,6 @@ on:
 jobs:
 scan:
 uses: knostic/.github/.github/workflows/gitleaks.yaml@fix/gitleaks-scan-range
- permissions:
- contents: read
- pull-requests: read
 with:
 event_name: ${{ github.event_name }}
 base_sha: ${{ github.event.pull_request.base.sha || '' }}
From 516b00002c8b4c5a0975cf8e5583291902f8eca0 Mon Sep 17 00:00:00 2001
From: yotamelo <88616986+yotamleo@users.noreply.github.com>
Date: Wed, 11 Mar 2026 02:58:06 +0100
Subject: [PATCH 4/9] fix(gitleaks): use toJSON for boolean forced input [OPS-715]
---
 .github/workflows/gitleaks.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
index 06716b4..02c3db8 100644
--- a/.github/workflows/gitleaks.yaml
+++ b/.github/workflows/gitleaks.yaml
@@ -10,5 +10,5 @@ jobs:
 event_name: ${{ github.event_name }}
 base_sha: ${{ github.event.pull_request.base.sha || '' }}
 before_sha: ${{ github.event.before || '' }}
- forced: ${{ github.event.forced == true }}
+ forced: ${{ toJSON(github.event.forced == true) }}
 secrets: inherit
From f4780dd8cbd66f82d4c13f9f3942ae5d5abb91b9 Mon Sep 17 00:00:00 2001
From: yotamelo <88616986+yotamleo@users.noreply.github.com>
Date: Wed, 11 Mar 2026 02:59:16 +0100
Subject: [PATCH 5/9] fix(gitleaks): minimal template matching CRAST-E2E [OPS-715]
---
 .github/workflows/gitleaks.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
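Review bot: Dropping the job-level `permissions:` block leaves the `scan` job, and with it the called workflow, running on the repository's default `GITHUB_TOKEN` permissions instead of read-only `contents` and `pull-requests`. To my knowledge GitHub does accept `permissions:` on a job that `uses:` a reusable workflow (the called workflow can only narrow them further), so if the failure that motivated this removal came from elsewhere, restoring the three removed lines or adding a workflow-level `permissions:` with `contents: read` keeps the token at least privilege.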
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
index 02c3db8..bd34697 100644
--- a/.github/workflows/gitleaks.yaml
+++ b/.github/workflows/gitleaks.yaml
@@ -8,7 +8,6 @@ jobs:
 uses: knostic/.github/.github/workflows/gitleaks.yaml@fix/gitleaks-scan-range
 with:
 event_name: ${{ github.event_name }}
- base_sha: ${{ github.event.pull_request.base.sha || '' }}
 before_sha: ${{ github.event.before || '' }}
- forced: ${{ toJSON(github.event.forced == true) }}
+ forced: ${{ github.event.forced == true }}
 secrets: inherit
From 65c9cce6f006d2265aabe22e550442a5b63dcd13 Mon Sep 17 00:00:00 2001
From: yotamelo <88616986+yotamleo@users.noreply.github.com>
Date: Wed, 11 Mar 2026 03:00:28 +0100
Subject: [PATCH 6/9] fix(gitleaks): match CRAST-E2E exactly - push only [OPS-715]
---
 .github/workflows/gitleaks.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
index bd34697..40204e8 100644
--- a/.github/workflows/gitleaks.yaml
+++ b/.github/workflows/gitleaks.yaml
@@ -1,8 +1,6 @@
 name: gitleaks
 on:
 push:
- branches: [main]
- pull_request:
 jobs:
 scan:
 uses: knostic/.github/.github/workflows/gitleaks.yaml@fix/gitleaks-scan-range
From 5773d9b2d8b10f27750f75f8119106d10484f13f Mon Sep 17 00:00:00 2001
From: yotamelo <88616986+yotamleo@users.noreply.github.com>
Date: Wed, 11 Mar 2026 03:03:10 +0100
Subject: [PATCH 7/9] fix(gitleaks): use SHA ref for shared workflow [OPS-715]
---
 .github/workflows/gitleaks.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
index 40204e8..dc5a5e1 100644
--- a/.github/workflows/gitleaks.yaml
+++ b/.github/workflows/gitleaks.yaml
@@ -3,7 +3,7 @@ on:
 push:
 jobs:
 scan:
- uses: knostic/.github/.github/workflows/gitleaks.yaml@fix/gitleaks-scan-range
+ uses: knostic/.github/.github/workflows/gitleaks.yaml@dcc58a2ba99425861ace0857b8644eb2165f2aed
 with:
 event_name: ${{ github.event_name }}
 before_sha: ${{ github.event.before || '' }}
From 0eaa0d94848a2c80619aa03d3ac414784598ea49 Mon Sep 17 00:00:00 2001
From: yotamelo <88616986+yotamleo@users.noreply.github.com>
Date: Wed, 11 Mar 2026 03:04:27 +0100
Subject: [PATCH 8/9] test(gitleaks): inline gitleaks to debug shared workflow issue [OPS-715]
---
 .github/workflows/gitleaks.yaml | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
index dc5a5e1..afd6c83 100644
--- a/.github/workflows/gitleaks.yaml
+++ b/.github/workflows/gitleaks.yaml
@@ -1,11 +1,19 @@
 name: gitleaks
 on:
 push:
+ pull_request:
 jobs:
 scan:
- uses: knostic/.github/.github/workflows/gitleaks.yaml@dcc58a2ba99425861ace0857b8644eb2165f2aed
- with:
- event_name: ${{ github.event_name }}
- before_sha: ${{ github.event.before || '' }}
- forced: ${{ github.event.forced == true }}
- secrets: inherit
+ name: gitleaks
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
From eee02fa42b031ddcc2588e8d756ebcbfc96d76f9 Mon Sep 17 00:00:00 2001
From: yotamelo <88616986+yotamleo@users.noreply.github.com>
Date: Wed, 11 Mar 2026 03:13:37 +0100
Subject: [PATCH 9/9] ci: update gitleaks to inline diff-scan template
---
 .github/workflows/gitleaks.yaml | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
index afd6c83..27a470f 100644
--- a/.github/workflows/gitleaks.yaml
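Review bot: The pinned `uses:` ref `@dcc58a2ba99425861ace0857b8644eb2165f2aed` carries no indication of which branch or tag it was taken from, so a reader cannot tell what version of the shared workflow this is or whether it is still current. A trailing comment naming the source ref, `uses: knostic/.github/.github/workflows/gitleaks.yaml@dcc58a2ba99425861ace0857b8644eb2165f2aed # fix/gitleaks-scan-range`, keeps the pin reviewable and lets dependency-update tooling recognise what to track; the branch name is the one the removed line in this hunk used.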
+++ b/.github/workflows/gitleaks.yaml
@@ -1,6 +1,7 @@
 name: gitleaks
 on:
 push:
+ branches: [main]
 pull_request:
 jobs:
 scan:
@@ -9,11 +10,26 @@ jobs:
 permissions:
 contents: read
 pull-requests: read
+ actions: read
+ checks: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
 with:
 fetch-depth: 0
- - uses: gitleaks/gitleaks-action@v2
+ persist-credentials: false
+ - name: Set scan range
+ id: range
+ run: |
+ NULL_SHA="0000000000000000000000000000000000000000"
+ if [ "${{ github.event_name }}" = "pull_request" ]; then
+ echo "log_opts=${{ github.event.pull_request.base.sha }}..HEAD" >> $GITHUB_OUTPUT
+ elif [ "${{ github.event.before }}" = "$NULL_SHA" ] || [ -z "${{ github.event.before }}" ] || [ "${{ github.event.forced }}" = "true" ]; then
+ echo "log_opts=" >> $GITHUB_OUTPUT
+ else
+ echo "log_opts=${{ github.event.before }}..HEAD" >> $GITHUB_OUTPUT
+ fi
+ - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+ GITLEAKS_LOG_OPTS: ${{ steps.range.outputs.log_opts }}
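Review bot: The `Set scan range` step interpolates `${{ github.event.pull_request.base.sha }}`, `${{ github.event.before }}`, `${{ github.event.forced }}` and `${{ github.event_name }}` directly into the shell text of `run:`, so the script body changes with the event payload instead of being a constant program. These particular values are SHAs, a boolean and an event name, so the exposure is low, but GitHub's hardening guidance is to hand event data to the step through `env:` and read it as quoted shell variables, which also makes the `[ -z ... ]` test operate on a real variable; `$GITHUB_OUTPUT` should be quoted for the same reason. A rewrite of the step along those lines follows; the `actions/checkout` and `gitleaks-action` steps in the hunk are unchanged.
```yaml
      - name: Set scan range
        id: range
        env:
          EVENT_NAME: ${{ github.event_name }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          BEFORE_SHA: ${{ github.event.before }}
          FORCED: ${{ github.event.forced }}
        run: |
          NULL_SHA="0000000000000000000000000000000000000000"
          if [ "$EVENT_NAME" = "pull_request" ]; then
            echo "log_opts=${BASE_SHA}..HEAD" >> "$GITHUB_OUTPUT"
          elif [ "$BEFORE_SHA" = "$NULL_SHA" ] || [ -z "$BEFORE_SHA" ] || [ "$FORCED" = "true" ]; then
            echo "log_opts=" >> "$GITHUB_OUTPUT"
          else
            echo "log_opts=${BEFORE_SHA}..HEAD" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: gitleaks-action step and its env …
```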