From 659e6c2160015d4d94323dac9f3ffa5ae026a2a6 Mon Sep 17 00:00:00 2001
From: Shay Palachy
Date: Tue, 16 Jun 2026 23:33:16 +0300
Subject: [PATCH 1/2] ci(state): install gitleaks in setup-denbust-state-job so fail-closed state-run can persist
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After GUARD-PR-SECRET-SCAN (#220), scripts/state-run.sh fails closed — it refuses to commit/push when gitleaks is absent. gitleaks was installed only in ci-test.yml, not in the composite action every state-writing workflow uses, so the eight scheduled state jobs (discover, daily/weekly state-run, backfill-discover/scrape, monthly-report, backup, release) would all have failed at the persist step on their first scheduled run.

Add a pinned (v8.30.1, matching .gitleaks.toml) gitleaks install to the shared setup-denbust-state-job composite action — one place covers all of them. state-repo-squash uses state-squash.sh (no scan) and is unaffected.

Unblocks the UNIFY-PR-06 go-live dispatch.

Co-Authored-By: Claude Opus 4.8
---
 .agent-plan.md                                     |  8 ++++++++
 .github/actions/setup-denbust-state-job/action.yml | 11 +++++++++++
 2 files changed, 19 insertions(+)

diff --git a/.agent-plan.md b/.agent-plan.md
index 11c33a4..732a99a 100644
--- a/.agent-plan.md
+++ b/.agent-plan.md
@@ -360,6 +360,14 @@ `supabase/migrations/20260616_discovery_runs_skipped_query_count.sql` plus a regression test and a guard test asserting every `DiscoveryRun` field maps to a `discovery_runs` column. Clears the schema break that would otherwise fail the `UNIFY-PR-06` go-live dispatch. +- [done] `FIX-CI-GITLEAKS-STATE-JOBS`: install gitleaks in the `setup-denbust-state-job` composite + action so the fail-closed `scripts/state-run.sh` secret scan has its binary on the runner. After + `GUARD-PR-SECRET-SCAN` (#220), state-run refuses to push when gitleaks is absent; only `ci-test.yml` + installed it, so all eight scheduled state-writing workflows (discover, daily/weekly state-run, + backfill-discover/scrape, monthly-report, backup, release) would have failed at persist on their + first scheduled run. Pinned to v8.30.1 to match `.gitleaks.toml`. (`state-repo-squash` uses + `state-squash.sh`, which does not scan, so it is unaffected.) Prerequisite for the `UNIFY-PR-06` + go-live dispatch. - [next] `UNIFY-PR-06` (operational, go-live): the state repo is **seeded** (key-scrubbed after the incident below) with the recovered core state from local `data/news_items` (27,568 candidates + queues/attempts/verdicts/budget/yield + backfill_batches/runs/metrics; excluded: prefilter models diff --git a/.github/actions/setup-denbust-state-job/action.yml b/.github/actions/setup-denbust-state-job/action.yml index 29f7dbd..c176bfe 100644 --- a/.github/actions/setup-denbust-state-job/action.yml +++ b/.github/actions/setup-denbust-state-job/action.yml 
@@ -28,6 +28,17 @@ runs: python -m pip install --upgrade pip python -m pip install -e ".[dev]" + # Required by scripts/state-run.sh, which fails closed (refuses to push) if + # gitleaks is missing. Every state-writing job runs through state-run, so the + # binary must be present on the runner. Pinned to match .gitleaks.toml's rev. + - name: Install gitleaks + shell: bash + run: | + VERSION=8.30.1 + curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \ + | sudo tar -xz -C /usr/local/bin gitleaks + gitleaks version + - name: Install Playwright Chromium if: ${{ inputs.install-playwright == 'true' }} shell: bash From 2e4362a23d9ad8e14793fa8faf881f0c53e50a2d Mon Sep 17 00:00:00 2001 From: Shay Palachy Date: Tue, 16 Jun 2026 23:35:10 +0300 Subject: [PATCH 2/2] docs(plan): record PR #224 for the state-job gitleaks install Co-Authored-By: Claude Opus 4.8 --- .agent-plan.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/.agent-plan.md b/.agent-plan.md index 732a99a..7f0b346 100644 --- a/.agent-plan.md +++ b/.agent-plan.md 
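Review bot: In PATCH 1/2's `action.yml` hunk, the `Install gitleaks` step pipes an unverified download straight into `sudo tar -xz -C /usr/local/bin`, so the binary that gates every state push is trusted on the strength of a version string alone; a substituted release asset would install a different `gitleaks` with no error, and the step would still report success via `gitleaks version`. Since the step already pins `VERSION=8.30.1`, pin the expected digest beside it and check it before extracting: keep the existing `curl -fsSL "…"` but add `-o gitleaks.tar.gz`, then `echo "<expected sha256 of gitleaks_8.30.1_linux_x64.tar.gz, taken from the release's published checksums>  gitleaks.tar.gz" | sha256sum -c -`, then `sudo tar -xzf gitleaks.tar.gz -C /usr/local/bin gitleaks`. That matches the fail-closed intent of `scripts/state-run.sh`: a mismatched archive fails the setup step instead of silently running an unchecked binary. A smaller point: the asset name hardcodes `linux_x64`, so the shared composite action now assumes an x86-64 Linux runner; if any of the eight workflows is ever moved to an arm64 runner, `curl -f` will fail at setup with a 404 rather than at the scan, which is the right failure mode but worth a comment next to `VERSION` so the assumption is visible.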
@@ -6,11 +6,14 @@ ## Mainline Status -- Last merged PR on main: `#223` (`FIX-DISCOVERY-RUNS-SCHEMA`; refs #150/#152/#156/#184/#186, closed on deploy) — - add the missing `discovery_runs.skipped_query_count` column whose absence was failing every - Supabase run-metadata write and blocking candidate persistence on daily-review runs; a guard test - now asserts every `DiscoveryRun` field maps to a column. Clears the schema break on the - `UNIFY-PR-06` go-live path. Prior: `#220` (`GUARD-PR-SECRET-SCAN`, closes #218) — the three-layer +- Last merged PR on main: `#224` (`FIX-CI-GITLEAKS-STATE-JOBS`) — install gitleaks in the + `setup-denbust-state-job` composite action so the fail-closed `scripts/state-run.sh` secret scan + has its binary on the runner; without it every scheduled state-writing workflow would have failed + at persist on its first scheduled run. The last `UNIFY-PR-06` prerequisite. Prior: `#223` + (`FIX-DISCOVERY-RUNS-SCHEMA`; refs #150/#152/#156/#184/#186, closed on deploy) — add the missing + `discovery_runs.skipped_query_count` column whose absence was failing every Supabase run-metadata + write and blocking candidate persistence on daily-review runs; a guard test now asserts every + `DiscoveryRun` field maps to a column. Earlier: `#220` (`GUARD-PR-SECRET-SCAN`, closes #218) — the three-layer [gitleaks](https://github.com/gitleaks/gitleaks) secret-scan guard (the outer defense following the seed-time leak incident below): a shared `.gitleaks.toml`, a `pre-commit` pre-push hook, a fail-closed `scripts/state-run.sh` scan before each state push, and a Claude Code 
@@ -360,7 +363,7 @@ `supabase/migrations/20260616_discovery_runs_skipped_query_count.sql` plus a regression test and a guard test asserting every `DiscoveryRun` field maps to a `discovery_runs` column. Clears the schema break that would otherwise fail the `UNIFY-PR-06` go-live dispatch. -- [done] `FIX-CI-GITLEAKS-STATE-JOBS`: install gitleaks in the `setup-denbust-state-job` composite +- [done] `FIX-CI-GITLEAKS-STATE-JOBS` (#224): install gitleaks in the `setup-denbust-state-job` composite action so the fail-closed `scripts/state-run.sh` secret scan has its binary on the runner. After `GUARD-PR-SECRET-SCAN` (#220), state-run refuses to push when gitleaks is absent; only `ci-test.yml` installed it, so all eight scheduled state-writing workflows (discover, daily/weekly state-run,