diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index 85e1b17eb..72631e699 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -9,11 +9,15 @@ on:
 jobs:
 gitleaks:
 runs-on: ubuntu-latest
+ env:
+ # Hoisted to job-level env because the `secrets` context is not
+ # available in step-level `if` expressions; `env` is.
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
 steps:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
- - uses: gitleaks/gitleaks-action@v2
+ - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
+ if: ${{ env.GITLEAKS_LICENSE != '' }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
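Review bot: With the new `if: ${{ env.GITLEAKS_LICENSE != '' }}` on the gitleaks step, any run where the secret is empty skips the scan and the job still finishes green, so secret scanning can be off without anyone noticing. That is probably the case for pull requests from forks, which do not receive repository secrets; the `on:` triggers sit outside the hunk, so this is inferred. Make the skip visible with a companion step such as `- if: ${{ env.GITLEAKS_LICENSE == '' }}` followed by `run: echo "::warning::gitleaks scan skipped, GITLEAKS_LICENSE is not set"`, or fail the job instead on protected branches. Separately, `actions/checkout@v4` in the same job is still on a mutable tag while the gitleaks action is now pinned to a commit SHA; pinning it the same way would give both steps the same supply-chain guarantee.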