chore(build): guard gitleaks license and pin action SHA#61

Open. sklarsa wants to merge 5 commits into main from sklarsa/gitleaks-license-guard-20260420180932

Conversation

@sklarsa sklarsa commented Apr 20, 2026


Summary

  • skip the gitleaks action when GITLEAKS_LICENSE is unavailable
  • pin gitleaks/gitleaks-action to commit 83d9cd684c87d95d656c1458ef04895a7f1cbd8e

Why

Public forks do not have access to GITLEAKS_LICENSE, so the workflow should skip that step instead of failing on forked pull requests.

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow for secrets scanning. The security scanner now conditionally runs based on license availability and has been upgraded to a more stable version for improved reliability.

coderabbitai Bot commented Apr 20, 2026

Walkthrough

The gitleaks GitHub Actions workflow is updated to pin gitleaks/gitleaks-action to a specific commit SHA (replacing the previous v2 tag) and to conditionally execute the scan step only when secrets.GITLEAKS_LICENSE is non-empty, controlled via a new job-level HAS_GITLEAKS_LICENSE environment variable.

Changes

Gitleaks Workflow Update

Layer / File(s): Pin SHA and conditional step guard (.github/workflows/gitleaks.yml)
Summary: Adds HAS_GITLEAKS_LICENSE env flag populated from secrets.GITLEAKS_LICENSE, pins the action reference from v2 to a commit SHA, and guards the step with if: ${{ env.HAS_GITLEAKS_LICENSE == 'true' }}.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A rabbit checks secrets before the scan runs,
No license? No worries, we skip it for fun!
The SHA is now pinned, no drifting allowed,
Our workflow stays tidy, our codebase is proud.
🐇✨ Hop hop, all is well!

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately and concisely summarizes the two main changes: guarding the gitleaks license availability and pinning the action to a specific SHA.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@puzpuzpuz puzpuzpuz self-requested a review April 21, 2026 12:32

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/gitleaks.yml:
- Line 15: The actions/checkout action on line 15 uses a floating tag (`@v4`) instead of a pinned commit SHA, which creates supply-chain risk and differs from the gitleaks action pinning approach on line 18. Replace the `@v4` tag with a full commit SHA (in the format @<full-commit-hash>) to match the security and consistency practices already established by the pinned gitleaks action in the same workflow.
- Around line 16-17: The checkout action in the gitleaks workflow is missing the persist-credentials setting. Add persist-credentials: false to the with section of the checkout action (where fetch-depth: 0 is currently specified) to prevent unnecessary exposure of the GITHUB_TOKEN in git config, since gitleaks-action receives the token via environment variables and does not require authenticated git access.

📥 Commits

Reviewing files that changed from the base of the PR and between 58fc055 and 57c2d3c.

📒 Files selected for processing (1)
  • .github/workflows/gitleaks.yml
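Added example, not the PR's own diff (the page shows no hunks): a gitleaks workflow that applies the change described in the walkthrough together with the two inline review comments. The trigger events, the job name, and the placeholder checkout SHA are assumptions; the gitleaks-action SHA is the one named in the PR.

```yaml
name: gitleaks

on:
  pull_request:
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      # The secrets context cannot be read from a step-level `if`, so the
      # license's presence is surfaced as a job-level string flag first.
      # On a public fork the secret is empty and this evaluates to 'false'.
      HAS_GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE != '' }}
    steps:
      # Review comment 1: pin checkout to a full commit SHA too.
      # The value below is a placeholder, not a SHA taken from the PR.
      - uses: actions/checkout@<full-commit-sha-for-v4>
        with:
          fetch-depth: 0
          # Review comment 2: gitleaks-action receives GITHUB_TOKEN through
          # env, so the checkout need not leave the token in .git/config.
          persist-credentials: false

      # Before this PR the step was `uses: gitleaks/gitleaks-action@v2`
      # with no `if:`, so forked PRs failed for lack of the secret.
      - name: gitleaks
        if: ${{ env.HAS_GITLEAKS_LICENSE == 'true' }}
        uses: gitleaks/gitleaks-action@83d9cd684c87d95d656c1458ef04895a7f1cbd8e
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
```

A skipped step shows as "skipped" rather than "failed" in the check run, so a forked PR stays green while the secret-scanning coverage remains visible for pushes to the main repository.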
