ci: switch gitleaks-action to gitleaks CLI

The marketplace action calls /pulls/<n>/commits which fails on
Dependabot PRs (read-only GITHUB_TOKEN, 403 'Resource not accessible
by integration'). Running the CLI on the checked-out tree avoids the
GitHub API entirely and works for push, normal PRs, and Dependabot PRs.

SARIF output uploaded to the Security tab for triage.

Author: qfiber

.github/workflows/ci.yml

@@ -89,10 +89,28 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: gitleaks
-        uses: gitleaks/gitleaks-action@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install gitleaks
+        run: |
+          curl -fsSL -o /tmp/gitleaks.tar.gz \
+            https://github.com/gitleaks/gitleaks/releases/download/v8.24.3/gitleaks_8.24.3_linux_x64.tar.gz
+          tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
+          sudo mv /tmp/gitleaks /usr/local/bin/gitleaks
+          gitleaks version
+      - name: Scan repo (full history)
+        run: |
+          gitleaks detect \
+            --source=. \
+            --redact \
+            --no-banner \
+            --exit-code=1 \
+            --report-format=sarif \
+            --report-path=gitleaks.sarif
+      - name: Upload SARIF (visible in Security tab)
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: gitleaks.sarif
+        continue-on-error: true
 
   markdown-links:
     name: markdown-link-check (non-blocking)