chore(ci): bump gitleaks/gitleaks-action from 2 to 3#120
chore(ci): bump gitleaks/gitleaks-action from 2 to 3#120dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [gitleaks/gitleaks-action](https://github.com/gitleaks/gitleaks-action) from 2 to 3. - [Release notes](https://github.com/gitleaks/gitleaks-action/releases) - [Commits](gitleaks/gitleaks-action@v2...v3) --- updated-dependencies: - dependency-name: gitleaks/gitleaks-action dependency-version: '3' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
📝 WalkthroughWalkthroughThe CI workflow security scanning step is upgraded to use Gitleaks GitHub Action v3 instead of v2, updating a single line in the workflow configuration. ChangesCI Security Tooling
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
✅ PR size is within recommended limits |
|
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)
278-278: ⚖️ Poor tradeoffConfirm this bump is mirrored in
l9-template.This file is marked
origin: l9-template(Lines 1-9). Editing the CI pipeline directly here risks drifting from the template source of truth; the version bump should also land upstream so the template and engine repos stay in sync.As per coding guidelines: "Engine NEVER creates Dockerfile, docker-compose, CI pipeline, or Terraform modules. All exist in l9-template."
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml at line 278, The CI action version bump to gitleaks/gitleaks-action@v3 must be applied in the l9-template repo as well to avoid drift; update the corresponding CI workflow in l9-template (the file marked origin: l9-template) to use gitleaks/gitleaks-action@v3, open a PR against l9-template with that change, and then ensure this repo's change is either removed or accompanied by a reference to the upstream template PR so both repos stay in sync.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Line 278: Replace the floating action reference uses:
gitleaks/gitleaks-action@v3 with a pinned commit SHA: locate the uses entry for
gitleaks/gitleaks-action@v3 in the CI workflow and change it to the same pinning
style used for other actions (uses: gitleaks/gitleaks-action@<commit-sha>),
choosing a current stable commit SHA from the gitleaks/gitleaks-action repo;
also apply the same change in the workflow template source (origin: l9-template)
to keep the template and workflow in sync.
---
Nitpick comments:
In @.github/workflows/ci.yml:
- Line 278: The CI action version bump to gitleaks/gitleaks-action@v3 must be
applied in the l9-template repo as well to avoid drift; update the corresponding
CI workflow in l9-template (the file marked origin: l9-template) to use
gitleaks/gitleaks-action@v3, open a PR against l9-template with that change, and
then ensure this repo's change is either removed or accompanied by a reference
to the upstream template PR so both repos stay in sync.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: c82fcb92-4c65-406d-9f7d-fdb959c70640
📒 Files selected for processing (1)
.github/workflows/ci.yml
|
|
||
| - name: Run Gitleaks (Secret Detection) | ||
| uses: gitleaks/gitleaks-action@v2 | ||
| uses: gitleaks/gitleaks-action@v3 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Resolve the v3 tag (and latest v3.x release) to a commit SHA
gh api repos/gitleaks/gitleaks-action/git/refs/tags/v3 --jq '{ref, sha: .object.sha, type: .object.type}'
gh api repos/gitleaks/gitleaks-action/releases --jq '.[] | select(.tag_name|startswith("v3")) | {tag_name, target_commitish}'Repository: cryptoxdog/Cognitive.Engine.Graphs
Length of output: 216
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show relevant context around the flagged line
sed -n '260,295p' .github/workflows/ci.yml | nl -ba
# Check for template/origin markers and confirm other third-party actions are pinned to SHAs
rg -n "L9_META|origin: l9-template|layer: \[ci\]" .github/workflows/ci.yml || true
rg -n "uses: " .github/workflows/ci.yml | head -n 80Repository: cryptoxdog/Cognitive.Engine.Graphs
Length of output: 121
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show relevant context around line ~278 without relying on `nl`
sed -n '265,290p' .github/workflows/ci.yml | cat -n
# Look for template/origin markers
rg -n "L9_META|origin: l9-template|layer: \\[ci\\]" .github/workflows/ci.yml || true
# List `uses:` occurrences to confirm SHA-pinning pattern (first 120 matches for brevity)
rg -n "uses:\s*" .github/workflows/ci.yml | head -n 120Repository: cryptoxdog/Cognitive.Engine.Graphs
Length of output: 1985
Pin gitleaks/gitleaks-action@v3 to a commit SHA
.github/workflows/ci.yml(L278) uses the floating taguses: gitleaks/gitleaks-action@v3(zizmorunpinned-uses), while other third-party actions in the same workflow are pinned to commit SHAs.- The workflow is marked
origin: l9-template; apply this change in the template source to avoid drift.
🔒 Proposed fix
- uses: gitleaks/gitleaks-action@v3
+ uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3🧰 Tools
🪛 zizmor (1.25.2)
[error] 278-278: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci.yml at line 278, Replace the floating action reference
uses: gitleaks/gitleaks-action@v3 with a pinned commit SHA: locate the uses
entry for gitleaks/gitleaks-action@v3 in the CI workflow and change it to the
same pinning style used for other actions (uses:
gitleaks/gitleaks-action@<commit-sha>), choosing a current stable commit SHA
from the gitleaks/gitleaks-action repo; also apply the same change in the
workflow template source (origin: l9-template) to keep the template and workflow
in sync.



Bumps gitleaks/gitleaks-action from 2 to 3.
Release notes
Sourced from gitleaks/gitleaks-action's releases.
... (truncated)
Commits
e0c47f4chore: migrate to Node 24 runtime (v3)bf2dc8eMerge pull request #191 from Olexandr88/patch-1b71323bUpdate README.md9c66aa9Update README.md186c3feCreate FUNDING.ymlDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Summary by CodeRabbit