From 24618d401da834a92b1db9e7edd60122d799a80a Mon Sep 17 00:00:00 2001
From: Argus
Date: Sat, 23 May 2026 09:26:09 +0200
Subject: [PATCH] =?UTF-8?q?fix(ci):=20pin=20gitleaks-action=20to=20v1=20?= =?UTF-8?q?=E2=80=94=20v2=20requires=20paid=20license?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

gitleaks-action v2 now requires a GITLEAKS_LICENSE GitHub secret (paid). Pin to v1 which remains free for open-source repos. Alternative: add GITLEAKS_LICENSE org/repo secret and unpin.
Refs: #3018 context, CI escalation 2026-05-23
---
 .github/workflows/security-scan.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 074cb3ea2..d5706ede1 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -81,9 +81,10 @@ jobs:
 with:
 fetch-depth: 0
 
- # gitleaks-action v2 auto-detects .gitleaks.toml config
- # and runs: gitleaks detect --source . [--config .gitleaks.toml]
+ # gitleaks-action v2 requires a paid license (GITLEAKS_LICENSE secret).
+ # Pin to v1 which remains free for open-source use.
+ # TODO: evaluate v2 license or alternative secret scanning (Trivy fs scan already covers secrets).
 - name: Run Gitleaks
- uses: gitleaks/gitleaks-action@v2
+ uses: gitleaks/gitleaks-action@v1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
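Review bot: The new `uses: gitleaks/gitleaks-action@v1` line still references a mutable major tag, so the code that runs with this job's GITHUB_TOKEN can change upstream without any commit here; for a secret-scanning step that is worth pinning to a full commit SHA, e.g. `uses: gitleaks/gitleaks-action@<full-commit-sha>  # v1.x` (placeholder — take the SHA from the v1 release you verified). The removed comment says the workflow relied on v2 auto-detecting `.gitleaks.toml`; v1 wraps an older gitleaks major whose config schema and CLI flags differ from v8's, so confirm the existing config is still loaded under v1 and that a known test fixture is still reported, rather than the job silently passing with default rules. If the upstream README is still accurate, GITLEAKS_LICENSE is only required for organization-owned repositories, which is worth stating in the new comment so the TODO is decided on the right basis. The TODO line also runs past 80 columns; wrapping it onto a second `#` line keeps yamllint quiet.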