From ec14acb46e65e566d04585bea167227f6af0aa6d Mon Sep 17 00:00:00 2001
From: OliverGiertz
Date: Wed, 11 Mar 2026 08:25:53 +0000
Subject: [PATCH] fix(security-scan): resolve gitleaks version dynamically via API

The static URL gitleaks_linux_x64.tar.gz does not work as gitleaks uses versioned filenames (e.g. gitleaks_8.x.x_linux_x64.tar.gz). Fetch the latest tag via GitHub API and construct the correct URL.
---
 .github/workflows/repo-pipeline.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/repo-pipeline.yml b/.github/workflows/repo-pipeline.yml
index e792b70..dc19bab 100644
--- a/.github/workflows/repo-pipeline.yml
+++ b/.github/workflows/repo-pipeline.yml
@@ -146,7 +146,8 @@ jobs:
 shell: bash
 run: |
 set -euo pipefail
- curl -sSL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_linux_x64.tar.gz | tar -xz
+ GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\1/')
+ curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar -xz
 sudo mv gitleaks /usr/local/bin/gitleaks
 gitleaks version
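Review bot: The added `GITLEAKS_VERSION=$(curl -s …/releases/latest …)` line makes the job install whichever release is newest at run time, and the tarball is still piped straight into `tar` and then moved into `/usr/local/bin` with sudo without any integrity check, so a tampered or broken upstream release would run in this pipeline unreviewed. Pinning a reviewed version and verifying the archive's SHA-256 before extracting closes that gap; the sketch below shows the shape, with both values as placeholders to fill in. If dynamic resolution is kept instead, note that the API call is unauthenticated and uses `curl -s` without `-f`, so a rate-limited or error response only shows up as a failing `grep` with no message. The step begins above the hunk, so this covers only the visible `run` body.

```yaml
# … unchanged: set -euo pipefail …
GITLEAKS_VERSION="<PINNED_VERSION>"   # placeholder: a release you have reviewed
GITLEAKS_SHA256="<EXPECTED_SHA256>"   # placeholder: digest of that release's linux_x64 tarball
curl -fsSLo gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
echo "${GITLEAKS_SHA256}  gitleaks.tar.gz" | sha256sum -c -
tar -xzf gitleaks.tar.gz gitleaks
# … unchanged: sudo mv gitleaks /usr/local/bin/gitleaks; gitleaks version …
```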