From f34ff1d8cd056bb060a4824de17e08c80ac32bc2 Mon Sep 17 00:00:00 2001
From: Steven Sklar
Date: Mon, 20 Apr 2026 14:09:12 -0400
Subject: [PATCH 1/3] chore(build): guard gitleaks license and pin action SHA
---
 .github/workflows/gitleaks.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 72631e699..574462233 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -17,7 +17,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
- - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
- if: ${{ env.GITLEAKS_LICENSE != '' }}
+ - uses: gitleaks/gitleaks-action@83d9cd684c87d95d656c1458ef04895a7f1cbd8e
+ if: ${{ secrets.GITLEAKS_LICENSE != '' }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From b3466d3da9eadd5487d33d2e6cdab9f7d03e3b27 Mon Sep 17 00:00:00 2001
From: Steven Sklar
Date: Mon, 20 Apr 2026 14:17:04 -0400
Subject: [PATCH 2/3] chore(build): guard gitleaks license and pin action SHA
---
 .github/workflows/gitleaks.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 574462233..eff6edd1f 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -10,6 +10,7 @@ jobs:
 gitleaks:
 runs-on: ubuntu-latest
 env:
+ HAS_GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE != '' }}
 # Hoisted to job-level env because the `secrets` context is not
 # available in step-level `if` expressions; `env` is.
 GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
@@ -18,6 +19,6 @@ jobs:
 with:
 fetch-depth: 0
 - uses: gitleaks/gitleaks-action@83d9cd684c87d95d656c1458ef04895a7f1cbd8e
- if: ${{ secrets.GITLEAKS_LICENSE != '' }}
+ if: ${{ env.HAS_GITLEAKS_LICENSE == 'true' }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 94ce2d5b150fef6eb8f78deb8f7293c370e50511 Mon Sep 17 00:00:00 2001
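Review bot: The replacement `uses:` line in PATCH 1/3 swaps one full-length SHA for another and drops the trailing `# v2.3.9` comment, so nothing on the line says which release the new pin corresponds to; PATCH 3/3 restores the old SHA but leaves the comment off as well. A bare SHA is hard to review because GitHub will resolve a commit from anywhere in the action repository's fork network, so the pin should be checked against an upstream release tag and that tag recorded next to it. For the final state of the series I would write `- uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9`, which is the annotation the removed line carried. Tools such as Dependabot also update that comment alongside the SHA when they bump a pin.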
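Review bot: With the guard in PATCH 2/3 now reading `HAS_GITLEAKS_LICENSE`, the job-level `GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}` kept below the added key no longer has to be job-scoped, and leaving it there exposes the license key to every step in the job rather than only the gitleaks step. I would keep just the boolean at job level and move `GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}` into the `env:` of the gitleaks step, next to `GITHUB_TOKEN`. The new key is also inserted between `env:` and the existing "Hoisted to job-level env" comment, so the comment now appears to describe only `GITLEAKS_LICENSE`; place the key under a comment such as `# Step-level if cannot read the secrets context, so expose only a boolean here.` The rest of the job is outside the hunk, so confirm no other step depends on the variable before moving it.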
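Review bot: In the second hunk of PATCH 2/3, when `HAS_GITLEAKS_LICENSE` is not `'true'` the scan step is skipped and the job still finishes green, so a run without the secret (for example a pull request from a fork, which does not receive repository secrets) looks the same as a clean scan. Make the skip visible with a fallback step, for example `- if: ${{ env.HAS_GITLEAKS_LICENSE != 'true' }}` followed by `run: echo "::warning::gitleaks skipped: GITLEAKS_LICENSE is not set"`. If the scan is meant to be a required gate, fail in that step instead of warning. The workflow's triggers are outside the hunk, so which events take this path cannot be confirmed from here.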
From: Steven Sklar
Date: Mon, 20 Apr 2026 14:48:37 -0400
Subject: [PATCH 3/3] chore(build): guard gitleaks license and pin action SHA
---
 .github/workflows/gitleaks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index eff6edd1f..4c158efd0 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -18,7 +18,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
- - uses: gitleaks/gitleaks-action@83d9cd684c87d95d656c1458ef04895a7f1cbd8e
+ - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7
 if: ${{ env.HAS_GITLEAKS_LICENSE == 'true' }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
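Review bot: After PATCH 3/3 the gitleaks action is pinned to a commit, but `actions/checkout@v4` in the context lines directly above it still uses a mutable tag, which does not match the subject line's "pin action SHA". That step runs in the same job, whose job-level `env` carries `GITLEAKS_LICENSE` as shown in PATCH 2/3, so it deserves the same treatment. I would write it as `- uses: actions/checkout@<full commit SHA of the upstream v4 release> # v4`, taking the SHA from the upstream repository's release rather than from a search result.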