From e9c8290f9c9ffc686ace40b65715c0be6370163d Mon Sep 17 00:00:00 2001
From: user
Date: Sun, 22 Feb 2026 07:43:36 +0100
Subject: [PATCH] fix: run gitleaks via podman on host instead of container directive

The gitleaks image lacks a shell compatible with the runner's script injection. Use podman run with volume mount on the host instead, matching the proven s5p pattern.

Co-Authored-By: Claude Opus 4.6
---
 .gitea/workflows/ci.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 9a79022..6e38267 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -42,14 +42,16 @@ jobs:
 secrets:
 runs-on: linux
- container:
- image: ghcr.io/gitleaks/gitleaks:latest
- options: --entrypoint ""
 steps:
- - name: Checkout
- run: git clone --branch "${GITHUB_REF_NAME}" "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
 - name: Scan for secrets
- run: gitleaks detect --source . -v
+ run: |
+ podman run --rm \
+ -v "$PWD:/scan:ro" \
+ ghcr.io/gitleaks/gitleaks:latest \
+ detect --source /scan -v
 build:
 runs-on: linux
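Review bot: The scan step still runs `detect --source /scan -v`, and as far as I know gitleaks' verbose output includes the matched secret itself, so any hit is copied into the CI job log; `detect --source /scan -v --redact` keeps the rule, file and commit visible without the value. Both `ghcr.io/gitleaks/gitleaks:latest` and `actions/checkout@v4` are mutable references that now resolve on the host runner, so pinning them (for example `ghcr.io/gitleaks/gitleaks@sha256:<DIGEST_PLACEHOLDER>` and a full commit SHA for checkout) would make the scanner reproducible and protect against a silently replaced image or action. The container only reads the mounted tree, so `--network none` on the `podman run` line would be a cheap extra limit. On an SELinux-enforcing host the `:ro` mount may also need a `,z` label option, which I cannot confirm from the diff.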