diff --git a/.github/workflows/secret-scanner-reusable.yml b/.github/workflows/secret-scanner-reusable.yml index 12cf6d92..4131af91 100644 --- a/.github/workflows/secret-scanner-reusable.yml +++ b/.github/workflows/secret-scanner-reusable.yml @@ -85,20 +85,42 @@ jobs: # `contents: read`, which they get from the workflow-level block. permissions: contents: read - # gitleaks-action's `ScanPullRequest` posts a summary comment via - # the GitHub Issues/PR API. We disabled it via env vars below. steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - with: - fetch-depth: 0 - - name: Gitleaks Secret Scan - continue-on-error: true # gitleaks-action tool-cache PATH injection unreliable on self-hosted runners - uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3.0.0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITLEAKS_ENABLE_COMMENTS: false - GITLEAKS_ENABLE_SUMMARY: false + # Gitleaks runs as a pinned, checksum-verified binary rather than via + # gitleaks/gitleaks-action. The action injects gitleaks into the runner + # tool-cache and prepends it to PATH, which is unreliable on self-hosted + # runners — that unreliability was the reason this step previously carried + # `continue-on-error: true`, i.e. the estate's primary secret scanner + # could not fail a PR. A pinned direct install is deterministic on every + # runner, so the scan gates for real. + - name: Install gitleaks (pinned + checksum-verified) + run: | + set -euo pipefail + GITLEAKS_VERSION=8.18.4 + SHA256=ba6dbb656933921c775ee5a2d1c13a91046e7952e9d919f9bac4cec61d628e7d + cd "$RUNNER_TEMP" + curl -fsSL -o gitleaks.tar.gz \ + "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" + echo "${SHA256} gitleaks.tar.gz" | sha256sum -c - + tar -xzf gitleaks.tar.gz gitleaks + chmod +x gitleaks + ./gitleaks version + + # Scans the checked-out working tree (--no-git): deterministic and fast. + # A finding exits non-zero and fails the check. Full-history scanning is + # available by removing --no-git and adding `fetch-depth: 0` to the + # checkout above, at the cost of a slower scan on every PR. + - name: Gitleaks secret scan (gating) + run: | + set -euo pipefail + "$RUNNER_TEMP/gitleaks" detect \ + --source . \ + --no-git \ + --redact \ + --no-banner \ + --exit-code 1 # Rust-specific: hardcoded crypto values. Self-skips when no Cargo.toml # is present, so this job is safe to run on non-Rust repos.