From 5056807afff23a655b97716b34bbb284823abbde Mon Sep 17 00:00:00 2001
From: heznpc
Date: Sat, 2 May 2026 10:29:30 +0900
Subject: [PATCH] chore(security): pin gitleaks 8.30.1 with sha256 checksum verification

Replace 'curl latest release' with a version- and checksum-pinned download. Removes the implicit trust in whatever 'latest' resolved to at CI time and makes the checksum bump-block visible in PR review when the version moves.

Checksum from: https://github.com/gitleaks/gitleaks/releases/download/v8.30.1/gitleaks_8.30.1_checksums.txt

---
 .github/workflows/ci.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 49969b5..595bd16 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,9 +19,16 @@ jobs:
 fetch-depth: 0
 - name: Scan for secrets
+ env:
+ # Bump together; checksum from
+ # https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_checksums.txt
+ GITLEAKS_VERSION: 8.30.1
+ GITLEAKS_SHA256: 551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb
 run: |
- curl -sSfL "$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest \
- | grep -o 'https://[^"]*linux_x64.tar.gz')" | tar xz -C /tmp
+ set -euo pipefail
+ curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" -o /tmp/gitleaks.tgz
+ echo "${GITLEAKS_SHA256} /tmp/gitleaks.tgz" | sha256sum -c -
+ tar xz -C /tmp -f /tmp/gitleaks.tgz
 /tmp/gitleaks detect --source . --verbose --redact
 - name: Check for large files
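Review bot: The verification line reads as `echo "${GITLEAKS_SHA256} /tmp/gitleaks.tgz" | sha256sum -c -` with a single space between digest and path, but the checksum-line format coreutils documents is digest, two spaces (or space plus `*` for binary mode), then the file name, and coreutils builds that enforce this reject a single-space line with "no properly formatted SHA256 checksum lines found" — which under `set -euo pipefail` fails the step outright rather than silently skipping the check, so the failure mode is safe but the step would never pass. If the second space was lost when this patch was flattened onto one line there is nothing to change; otherwise write `echo "${GITLEAKS_SHA256}  /tmp/gitleaks.tgz" | sha256sum -c -` and add a short comment that the two-space separator is deliberate so a future edit does not "tidy" it away. A smaller point: `tar xz -C /tmp -f /tmp/gitleaks.tgz` unpacks every member of the archive into /tmp, and since the next line runs `/tmp/gitleaks` the binary evidently sits at the top level as `gitleaks`, so `tar xz -C /tmp -f /tmp/gitleaks.tgz gitleaks` limits extraction to the one file the step actually uses. The `jobs:` block this step belongs to starts before the hunk.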