Skip to content

Commit fc4912a

Browse files
ci(security): retry gitleaks download to survive transient 5xx
The Install Gitleaks step piped curl directly into tar. A transient 504 from the GitHub release CDN truncated the stream and failed the security gate with exit 2, despite no actual secrets. Download to a file with curl --retry/--retry-all-errors first, then extract, so a flaky download recovers instead of blocking the PR.
1 parent ea554b5 commit fc4912a

1 file changed

Lines changed: 6 additions & 2 deletions

File tree

.github/workflows/security.yml

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -30,8 +30,12 @@ jobs:
3030
run: |
3131
GITLEAKS_VERSION="8.21.2"
3232
mkdir -p "$HOME/.local/bin"
33-
curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
34-
| tar -xz -C "$HOME/.local/bin" gitleaks
33+
# Download to a file (not a pipe) with retries so a transient 5xx
34+
# from the release CDN doesn't fail the whole security gate.
35+
curl -sSfL --retry 5 --retry-all-errors --retry-delay 3 \
36+
-o /tmp/gitleaks.tar.gz \
37+
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
38+
tar -xz -C "$HOME/.local/bin" gitleaks < /tmp/gitleaks.tar.gz
3539
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
3640
3741
- name: Run Gitleaks

0 commit comments

Comments
 (0)