From 36f06727f708a6bc193a4cc2842d8a0e85faab0b Mon Sep 17 00:00:00 2001
From: Steven Sklar <steven@questdb.io>
Date: Mon, 20 Apr 2026 14:09:32 -0400
Subject: [PATCH 1/3] chore(build): guard gitleaks license and pin action SHA

---
 .github/workflows/gitleaks.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 85e1b17e..7b03514d 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -13,7 +13,8 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@v2
+      - uses: gitleaks/gitleaks-action@83d9cd684c87d95d656c1458ef04895a7f1cbd8e
+        if: ${{ secrets.GITLEAKS_LICENSE != '' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

From cf1635a6ca66d9ffa3a0f8d1070f8666b4a5d047 Mon Sep 17 00:00:00 2001
From: Steven Sklar <steven@questdb.io>
Date: Mon, 20 Apr 2026 14:17:19 -0400
Subject: [PATCH 2/3] chore(build): guard gitleaks license and pin action SHA

---
 .github/workflows/gitleaks.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 7b03514d..40e997ec 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -9,12 +9,14 @@ on:
 jobs:
   gitleaks:
     runs-on: ubuntu-latest
+    env:
+      HAS_GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE != '' }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - uses: gitleaks/gitleaks-action@83d9cd684c87d95d656c1458ef04895a7f1cbd8e
-        if: ${{ secrets.GITLEAKS_LICENSE != '' }}
+        if: ${{ env.HAS_GITLEAKS_LICENSE == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

From 1c7e66375e95bc4d4f22bdb75e579343f9912663 Mon Sep 17 00:00:00 2001
From: Steven Sklar <steven@questdb.io>
Date: Mon, 20 Apr 2026 14:48:55 -0400
Subject: [PATCH 3/3] chore(build): guard gitleaks license and pin action SHA

---
 .github/workflows/gitleaks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 40e997ec..0c023d38 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@83d9cd684c87d95d656c1458ef04895a7f1cbd8e
+      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7
         if: ${{ env.HAS_GITLEAKS_LICENSE == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}