From ba11f6b4d942b0a5e7110e52eba8ecf707c854f2 Mon Sep 17 00:00:00 2001
From: Steven Sklar <steven@questdb.io>
Date: Mon, 20 Apr 2026 14:11:45 -0400
Subject: [PATCH 1/3] chore(build): guard gitleaks license and pin action SHA

---
 .github/workflows/gitleaks.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 5fa6466..9a316a5 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -13,7 +13,8 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@v2
+      - uses: gitleaks/gitleaks-action@83d9cd684c87d95d656c1458ef04895a7f1cbd8e
+        if: ${{ secrets.GITLEAKS_LICENSE != '' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

From 34114547f777cf11d91cb6dd7e64b246e03d2f81 Mon Sep 17 00:00:00 2001
From: Steven Sklar <steven@questdb.io>
Date: Mon, 20 Apr 2026 14:19:07 -0400
Subject: [PATCH 2/3] chore(build): guard gitleaks license and pin action SHA

---
 .github/workflows/gitleaks.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 9a316a5..2d54f05 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -9,12 +9,14 @@ on:
 jobs:
   gitleaks:
     runs-on: ubuntu-latest
+    env:
+      HAS_GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE != '' }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - uses: gitleaks/gitleaks-action@83d9cd684c87d95d656c1458ef04895a7f1cbd8e
-        if: ${{ secrets.GITLEAKS_LICENSE != '' }}
+        if: ${{ env.HAS_GITLEAKS_LICENSE == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

From ce1185638de0537e414b21f5716fff7e86db98b2 Mon Sep 17 00:00:00 2001
From: Steven Sklar <steven@questdb.io>
Date: Mon, 20 Apr 2026 14:54:15 -0400
Subject: [PATCH 3/3] chore(build): guard gitleaks license and pin action SHA

---
 .github/workflows/gitleaks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 2d54f05..6b65310 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@83d9cd684c87d95d656c1458ef04895a7f1cbd8e
+      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7
         if: ${{ env.HAS_GITLEAKS_LICENSE == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}