From 9e5ccbe8a348057eaed29a0b6d7ef43bc5100493 Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Sat, 20 Dec 2025 15:22:30 +0100
Subject: [PATCH] Refine gitleaks download and extraction process in code analysis workflow by implementing dynamic asset URL retrieval, enhanced error handling for invalid downloads, and improved extraction methods.
---
.gitea/workflows/code-analysis.yml | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/.gitea/workflows/code-analysis.yml b/.gitea/workflows/code-analysis.yml
index 3ea5a8a..0f5943e 100644
--- a/.gitea/workflows/code-analysis.yml
+++ b/.gitea/workflows/code-analysis.yml
@@ -43,12 +43,31 @@ jobs: - name: gitleaks (Secrets Scanning) run: | - curl -sSL -L https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_linux_x64.tar.gz -o gitleaks.tar.gz - if [ ! -s gitleaks.tar.gz ] || file gitleaks.tar.gz | grep -q "HTML"; then - echo "Error: Downloaded file is not a valid archive" + # Try to get the latest release asset URL + ASSET_URL=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep -o '"browser_download_url": "[^"]*linux_x64[^"]*"' | head -1 | cut -d'"' -f4) + if [ -z "$ASSET_URL" ]; then + # Fallback: construct URL manually + VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/') + ASSET_URL="https://github.com/gitleaks/gitleaks/releases/download/${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" + fi + echo "Downloading from: $ASSET_URL" + curl -sSL -L "$ASSET_URL" -o gitleaks.tar.gz + # Check if download was successful and file is not HTML + if [ ! -s gitleaks.tar.gz ] || head -1 gitleaks.tar.gz | grep -q "/dev/null 2>&1; then + tar -xzf gitleaks.tar.gz + elif tar -tf gitleaks.tar.gz >/dev/null 2>&1; then + tar -xf gitleaks.tar.gz + else + echo "Error: Cannot extract archive. File type:" + file gitleaks.tar.gz exit 1 fi - tar -xzf gitleaks.tar.gz 2>/dev/null || tar -xf gitleaks.tar.gz || (echo "Failed to extract archive" && exit 1) chmod +x gitleaks ./gitleaks detect --source . --no-git --redact --exit-code 1 rm -f gitleaks.tar.gz
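Review bot: The archive fetched by `curl -sSL -L "$ASSET_URL" -o gitleaks.tar.gz` is still whatever `releases/latest` resolves to at run time, and nothing in the visible lines verifies it before `chmod +x gitleaks` and `./gitleaks detect` run it inside the CI job; the HTML and `tar -t` checks (partly missing from this page) only show that the file is an archive, not that it is the expected one. Pinning the release and checking a digest committed in the workflow would close that gap, e.g. `GITLEAKS_VERSION=<pinned-version>` and, right after the download, `echo "<expected-sha256>  gitleaks.tar.gz" | sha256sum -c - || exit 1` (both values are placeholders). Separately, the fallback builds the file name from the raw tag (`gitleaks_${VERSION}_linux_x64.tar.gz`); if the tag carries a leading `v` and the asset name does not, as appears to be the case for gitleaks releases, that URL returns a 404, so `gitleaks_${VERSION#v}_linux_x64.tar.gz` is probably what is meant. Adding `-f` to the curl calls would also make an HTTP error, such as an API rate-limit response, fail the step directly instead of leaving an error body on disk.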