fix: disable gitleaks PR comments and revert trivy to v0.33.1

samuelho-dev · claude · samuelho-dev · commit cb7baf1ddb91 · 2026-03-24T15:33:08.000-07:00
- gitleaks: Disable PR comments (GITLEAKS_ENABLE_COMMENTS=false) to
  avoid 'Resource not accessible by integration' when callers don't
  grant pull-requests:write. Also remove invalid 'args' input (v2.x
  node action doesn't accept args, uses env vars instead).
- trivy: Revert to v0.33.1 — the v0.35.0 action has incompatible
  argument passing that prevents SARIF file generation with v0.65.0
  binary. v0.33.1 bundles a working trivy version natively.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/gitleaks-scan.yml b/.github/workflows/gitleaks-scan.yml
@@ -73,16 +73,8 @@ jobs:
           GITLEAKS_CONFIG: ${{ inputs.config-path }}
           GITLEAKS_BASELINE: ${{ inputs.baseline-path }}
           GITLEAKS_LOG_LEVEL: ${{ inputs.log-level }}
-        with:
-          args: >
-            --source=${{ inputs.scan-path }}
-            --report-format=${{ inputs.format }}
-            --report-path=gitleaks-results.${{ inputs.format }}
-            --log-level=${{ inputs.log-level }}
-            --redact
-            ${{ inputs.config-path != '' && format('--config={0}', inputs.config-path) || '' }}
-            ${{ inputs.baseline-path != '' && format('--baseline-path={0}', inputs.baseline-path) || '' }}
-            ${{ inputs.fail-on-findings == false && '--no-fail' || '' }}
+          GITLEAKS_ENABLE_COMMENTS: false
+          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
 
       - name: Count findings
         id: count
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
@@ -76,7 +76,7 @@ jobs:
 
       - name: Run Trivy scanner
         id: scan
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
         with:
           scan-type: ${{ inputs.scan-type }}
           scan-ref: ${{ inputs.scan-ref }}
@@ -88,7 +88,6 @@ jobs:
           skip-dirs: ${{ inputs.skip-dirs }}
           timeout: ${{ inputs.timeout }}
           trivyignores: '.trivyignore'
-          version: 'v0.65.0'
 
       - name: Count findings
         id: count
