Skip to content

chore(build): add gitleaks secret scanning workflow#59

Open
sklarsa wants to merge 4 commits into
mainfrom
add-gitleaks-workflow
Open

chore(build): add gitleaks secret scanning workflow#59
sklarsa wants to merge 4 commits into
mainfrom
add-gitleaks-workflow

Conversation

@sklarsa

@sklarsa sklarsa commented Mar 10, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds a Gitleaks GitHub Actions workflow to scan for secrets on pull requests and pushes to the default branch
  • Uses gitleaks/gitleaks-action@v2 with GITLEAKS_LICENSE secret

Reference: questdb/questdb#6863

@sklarsa

sklarsa commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

Gitleaks workflow — verification summary

Cross-checked this workflow against the canonical questdb/questdb .github/workflows/gitleaks.yml (from questdb/questdb#6863) and questdb-enterprise:

  • License guard is byte-identical to both references — job-level HAS_GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE != '' }} gating the step via if: ${{ env.HAS_GITLEAKS_LICENSE == 'true' }}. This is the correct form: the secrets context is not available inside an if:, so the check must be routed through a job-level env var. (A direct if: ${{ secrets.GITLEAKS_LICENSE != '' }} would always evaluate false and silently skip the scan.)
  • Action pinned to the same commit SHA as the references (ff98106e4c7b2bc287b24eaf42907196329070c7).
  • push trigger correctly targets this repo's default branch (main); pull_request covers PRs.
  • Fork PRs safely skip the licensed scan instead of failing (secrets aren't passed to forks).
  • gitleaks CI check is green.

Only delta vs questdb/questdb is actions/checkout@v4 vs @v5 (v4 matches questdb-enterprise) — cosmetic, no change needed. LGTM ✅

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant