From e55ca48de81a014536b7bc40260bab59062f6b11 Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Sat, 20 Dec 2025 15:45:02 +0100
Subject: [PATCH] Reorganize code analysis workflow to run gitleaks scan before installing dependencies, ensuring more accurate results and maintaining a cleaner environment for subsequent analysis steps.

---
 .gitea/workflows/code-analysis.yml | 51 +++++++++++++++---------------
 1 file changed, 25 insertions(+), 26 deletions(-)

diff --git a/.gitea/workflows/code-analysis.yml b/.gitea/workflows/code-analysis.yml
index aef7aff..5c26f69 100644
--- a/.gitea/workflows/code-analysis.yml
+++ b/.gitea/workflows/code-analysis.yml
@@ -17,30 +17,6 @@ jobs:
 node -v
 npm -v
 
- - name: Install dependencies
- run: npm ci
-
- - name: Lint
- run: npm run lint
-
- - name: Unit tests
- run: npm test
-
- - name: Build
- run: npm run build --if-present
-
- - name: Semgrep (SAST)
- run: semgrep --config p/default --error .
-
- - name: npm audit (high+)
- run: npm audit --audit-level=high || true
-
- - name: OSV-Scanner (SCA)
- run: |
- curl -L -o osv-scanner https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
- chmod +x osv-scanner
- ./osv-scanner --lockfile package-lock.json
-
 - name: gitleaks (Secrets Scanning)
 run: |
 # Try to get the latest release asset URL
@@ -69,7 +45,30 @@ jobs:
 exit 1
 fi
 chmod +x gitleaks
- # Remove build artifacts and node_modules before scanning
- rm -rf .next .output .nuxt node_modules 2>/dev/null || true
+ # Run gitleaks scan BEFORE installing dependencies to avoid false positives from node_modules
 ./gitleaks detect --source . --no-git --verbose --exit-code 1
 rm -f gitleaks.tar.gz
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Lint
+ run: npm run lint
+
+ - name: Unit tests
+ run: npm test
+
+ - name: Build
+ run: npm run build --if-present
+
+ - name: Semgrep (SAST)
+ run: semgrep --config p/default --error .
+
+ - name: npm audit (high+)
+ run: npm audit --audit-level=high || true
+
+ - name: OSV-Scanner (SCA)
+ run: |
+ curl -L -o osv-scanner https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
+ chmod +x osv-scanner
+ ./osv-scanner --lockfile package-lock.json
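Review bot: The new comment after `chmod +x gitleaks` explains that the scan now runs before `npm ci` to avoid node_modules false positives, but the commit also drops the `rm -rf .next .output .nuxt node_modules 2>/dev/null || true` cleanup, so on a runner whose workspace persists between jobs (common with self-hosted act runners, if the checkout step does not clean) stale build output and node_modules from an earlier run would still be scanned; if that can happen here, keep that cleanup line immediately before `./gitleaks detect`, or document that a clean checkout is required. Separately, the re-added OSV-Scanner step fetches `releases/latest/download/osv-scanner_linux_amd64` with no version pin and no integrity check, so the job executes whatever binary that redirect currently resolves to; pin a release tag and verify the download, e.g. `echo "<EXPECTED_SHA256>  osv-scanner" | sha256sum -c -` after the curl, and add `-f` to the curl call so an HTTP error body is not chmod'ed and run. Also worth a one-line comment on the `./gitleaks detect` line: `--no-git` restricts the scan to the current working tree, so a secret committed and later removed is not found — pre-existing behaviour, but easy to misread as a history scan.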