From 501bd51e49bcab202180e1a69b8bb56a73b30ca0 Mon Sep 17 00:00:00 2001
From: Steven Sklar <sklarsa@gmail.com>
Date: Tue, 10 Mar 2026 12:06:19 -0400
Subject: [PATCH 1/4] Add Gitleaks secret scanning workflow

---
 .github/workflows/gitleaks.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .github/workflows/gitleaks.yml

diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
new file mode 100644
index 0000000..85e1b17
--- /dev/null
+++ b/.github/workflows/gitleaks.yml
@@ -0,0 +1,19 @@
+name: Gitleaks
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

From 94abfbd7889bea7e3d13da016b78d27ea0c5bbcc Mon Sep 17 00:00:00 2001
From: Steven Sklar <steven@questdb.io>
Date: Mon, 20 Apr 2026 14:08:24 -0400
Subject: [PATCH 2/4] chore(build): guard gitleaks license and pin action SHA

---
 .github/workflows/gitleaks.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 85e1b17..7b03514 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -13,7 +13,8 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@v2
+      - uses: gitleaks/gitleaks-action@83d9cd684c87d95d656c1458ef04895a7f1cbd8e
+        if: ${{ secrets.GITLEAKS_LICENSE != '' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

From 38528a6c1e0e7d1e819d8e41cdc84694dc754bc4 Mon Sep 17 00:00:00 2001
From: Steven Sklar <steven@questdb.io>
Date: Mon, 20 Apr 2026 14:16:04 -0400
Subject: [PATCH 3/4] chore(build): guard gitleaks license and pin action SHA

---
 .github/workflows/gitleaks.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 7b03514..40e997e 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -9,12 +9,14 @@ on:
 jobs:
   gitleaks:
     runs-on: ubuntu-latest
+    env:
+      HAS_GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE != '' }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - uses: gitleaks/gitleaks-action@83d9cd684c87d95d656c1458ef04895a7f1cbd8e
-        if: ${{ secrets.GITLEAKS_LICENSE != '' }}
+        if: ${{ env.HAS_GITLEAKS_LICENSE == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

From a28652af8d970ca43a6321d920f74a10083567d8 Mon Sep 17 00:00:00 2001
From: Steven Sklar <steven@questdb.io>
Date: Mon, 20 Apr 2026 14:47:57 -0400
Subject: [PATCH 4/4] chore(build): guard gitleaks license and pin action SHA

---
 .github/workflows/gitleaks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 40e997e..0c023d3 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@83d9cd684c87d95d656c1458ef04895a7f1cbd8e
+      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7
         if: ${{ env.HAS_GITLEAKS_LICENSE == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}