DataHackIL · shaypal5 · Jun 17, 2026 · Jun 16, 2026 · Jun 16, 2026
diff --git a/.agent-plan.md b/.agent-plan.md
@@ -6,11 +6,14 @@
 
 ## Mainline Status
 
-- Last merged PR on main: `#223` (`FIX-DISCOVERY-RUNS-SCHEMA`; refs #150/#152/#156/#184/#186, closed on deploy) —
-  add the missing `discovery_runs.skipped_query_count` column whose absence was failing every
-  Supabase run-metadata write and blocking candidate persistence on daily-review runs; a guard test
-  now asserts every `DiscoveryRun` field maps to a column. Clears the schema break on the
-  `UNIFY-PR-06` go-live path. Prior: `#220` (`GUARD-PR-SECRET-SCAN`, closes #218) — the three-layer
+- Last merged PR on main: `#224` (`FIX-CI-GITLEAKS-STATE-JOBS`) — install gitleaks in the
+  `setup-denbust-state-job` composite action so the fail-closed `scripts/state-run.sh` secret scan
+  has its binary on the runner; without it every scheduled state-writing workflow would have failed
+  at persist on its first scheduled run. The last `UNIFY-PR-06` prerequisite. Prior: `#223`
+  (`FIX-DISCOVERY-RUNS-SCHEMA`; refs #150/#152/#156/#184/#186, closed on deploy) — add the missing
+  `discovery_runs.skipped_query_count` column whose absence was failing every Supabase run-metadata
+  write and blocking candidate persistence on daily-review runs; a guard test now asserts every
+  `DiscoveryRun` field maps to a column. Earlier: `#220` (`GUARD-PR-SECRET-SCAN`, closes #218) — the three-layer
   [gitleaks](https://github.com/gitleaks/gitleaks) secret-scan guard (the outer defense following
   the seed-time leak incident below): a shared `.gitleaks.toml`, a `pre-commit` pre-push hook, a
   fail-closed `scripts/state-run.sh` scan before each state push, and a Claude Code
@@ -360,6 +363,14 @@
   `supabase/migrations/20260616_discovery_runs_skipped_query_count.sql` plus a regression test and a
   guard test asserting every `DiscoveryRun` field maps to a `discovery_runs` column. Clears the
   schema break that would otherwise fail the `UNIFY-PR-06` go-live dispatch.
+- [done] `FIX-CI-GITLEAKS-STATE-JOBS` (#224): install gitleaks in the `setup-denbust-state-job` composite
+  action so the fail-closed `scripts/state-run.sh` secret scan has its binary on the runner. After
+  `GUARD-PR-SECRET-SCAN` (#220), state-run refuses to push when gitleaks is absent; only `ci-test.yml`
+  installed it, so all eight scheduled state-writing workflows (discover, daily/weekly state-run,
+  backfill-discover/scrape, monthly-report, backup, release) would have failed at persist on their
+  first scheduled run. Pinned to v8.30.1 to match `.gitleaks.toml`. (`state-repo-squash` uses
+  `state-squash.sh`, which does not scan, so it is unaffected.) Prerequisite for the `UNIFY-PR-06`
+  go-live dispatch.
 - [next] `UNIFY-PR-06` (operational, go-live): the state repo is **seeded** (key-scrubbed after the
   incident below) with the recovered core state from local `data/news_items` (27,568 candidates +
   queues/attempts/verdicts/budget/yield + backfill_batches/runs/metrics; excluded: prefilter models

diff --git a/.github/actions/setup-denbust-state-job/action.yml b/.github/actions/setup-denbust-state-job/action.yml
@@ -28,6 +28,17 @@ runs:
         python -m pip install --upgrade pip
         python -m pip install -e ".[dev]"
 
+    # Required by scripts/state-run.sh, which fails closed (refuses to push) if
+    # gitleaks is missing. Every state-writing job runs through state-run, so the
+    # binary must be present on the runner. Pinned to match .gitleaks.toml's rev.
+    - name: Install gitleaks
+      shell: bash
+      run: |
+        VERSION=8.30.1
+        curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \
+          | sudo tar -xz -C /usr/local/bin gitleaks
+        gitleaks version
+
     - name: Install Playwright Chromium
       if: ${{ inputs.install-playwright == 'true' }}
       shell: bash