fix: run gitleaks via container instead of broken binary download

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/ci.yaml

@@ -23,9 +23,10 @@ jobs:
         with:
           fetch-depth: 0
       - run: |
-          curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.0_linux_x64.tar.gz \
-            | tar xz -C /usr/local/bin gitleaks
-      - run: gitleaks detect --source . -v
+          docker run --rm \
+            -v "$PWD:/scan:ro" \
+            ghcr.io/gitleaks/gitleaks:latest \
+            detect --source /scan -v
 
   build:
     needs: [test, secrets]