From 83df4ff8ede3b1c117a4803f77562a1192301ff5 Mon Sep 17 00:00:00 2001
From: Jaromir Hamala
Date: Tue, 14 Apr 2026 23:08:59 +0200
Subject: [PATCH] ci(gitleaks): pin action to SHA and skip when license secret is missing

Pin gitleaks/gitleaks-action to a full commit SHA (v2.3.9) instead of the mutable v2 tag, so a compromise of the upstream repo or tag can't silently change what runs in CI. Skip the step when GITLEAKS_LICENSE is empty. Pull requests from forks don't receive org secrets, which was causing the check to fail on external contributor PRs (e.g. #390).
---
 .github/workflows/gitleaks.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 85e1b17eb..72631e699 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -9,11 +9,15 @@ on:
 jobs:
   gitleaks:
     runs-on: ubuntu-latest
+    env:
+      # Hoisted to job-level env because the `secrets` context is not
+      # available in step-level `if` expressions; `env` is.
+      GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@v2
+      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
+        if: ${{ env.GITLEAKS_LICENSE != '' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
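Review bot: Hoisting `GITLEAKS_LICENSE` into the job-level `env` puts the secret into the environment of every step in the job, including `actions/checkout` and any step added later, where the removed line had scoped it to the gitleaks step alone. Only the presence check needs to be visible to the step `if`, so hoist a boolean rather than the value and keep the secret step-scoped: at job level `HAS_GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE != '' }}`, on the step `if: ${{ env.HAS_GITLEAKS_LICENSE == 'true' }}`, and retain the removed `GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}` line under the step's own `env`. The new `if` also makes the job succeed with no secret scan at all on fork PRs, so a reviewer seeing a green check cannot tell whether a scan ran; a sibling step guarded by the inverse condition that runs `echo "::warning::GITLEAKS_LICENSE unavailable, secret scan skipped"` would keep that gap visible, and whether pushes to the main branch are still scanned depends on the `on:` block above the hunk, which is outside it. The unchanged context line `actions/checkout@v4` is still tag-pinned; the SHA pinning this commit applies to gitleaks serves the same purpose there.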