From 47a8501885b4e327c52b24974e9908dbc22462c2 Mon Sep 17 00:00:00 2001
From: sangnn
Date: Tue, 23 Jun 2026 01:27:55 +0000
Subject: [PATCH] ci: install versioned trivy+gitleak
---
 .gitea/workflows/pr-security-check.yml | 4 +++
 deploy/ansible/group_vars/all.yml | 6 +++++
 deploy/ansible/install-runner.yml | 34 ++++++++++++++++++++++++++
 3 files changed, 44 insertions(+)
diff --git a/.gitea/workflows/pr-security-check.yml b/.gitea/workflows/pr-security-check.yml
index 4a33585..52854b2 100644
--- a/.gitea/workflows/pr-security-check.yml
+++ b/.gitea/workflows/pr-security-check.yml
@@ -23,6 +23,10 @@ jobs:
 
 - name: Install Gitleaks
 run: |
+ if command -v gitleaks >/dev/null 2>&1; then
+ echo "gitleaks already installed: $(gitleaks version)"
+ exit 0
+ fi
 curl -sSfL \
 "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
 | tar xz gitleaks
diff --git a/deploy/ansible/group_vars/all.yml b/deploy/ansible/group_vars/all.yml
index a48fb9d..b9a2f26 100644
--- a/deploy/ansible/group_vars/all.yml
+++ b/deploy/ansible/group_vars/all.yml
@@ -18,6 +18,12 @@ act_runner_download_url: "https://gitea.com/gitea/runner/releases/download/v{{ a
 # fails with "Cannot find: node in PATH". Bump this to change versions.
 node_major_version: "26"
 
+# Security scanners pre-installed on the host so workflow steps use the local
+# binary instead of writing to /usr/local/bin as the runner user ("Permission
+# denied"). gitleaks_version must match GITLEAKS_VERSION in pr-security-check.yml.
+trivy_version: "0.71.2"
+gitleaks_version: "8.30.1"
+
 # Registration tokens come from env vars named by each project's `token_env`
 # (e.g. RUNNER_TOKEN_GATEHOUSE_API). Export them on the control node before running.
 # Mint from: Gitea repo → Settings → Actions → Runners → Create new runner token.
diff --git a/deploy/ansible/install-runner.yml b/deploy/ansible/install-runner.yml
index cf54852..651576c 100644
--- a/deploy/ansible/install-runner.yml
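Review bot: The added early-exit in the "Install Gitleaks" step keys only on `command -v gitleaks`, so a host binary of any version short-circuits the `GITLEAKS_VERSION` pin the rest of the step enforces, and the comment added in deploy/ansible/group_vars/all.yml relies on keeping `gitleaks_version` and `GITLEAKS_VERSION` in step by hand. Since `gitleaks version` prints the version string (the Ansible guard in install-runner.yml tests `gitleaks_version not in gitleaks_check.stdout` on the same output), the guard here can check it too: `if command -v gitleaks >/dev/null 2>&1 && gitleaks version | grep -qF "${GITLEAKS_VERSION}"; then`. An older pre-installed scanner would then fall through to the pinned download instead of being used silently; presumably that fallback still hits the /usr/local/bin permission problem the group_vars comment describes, so a version drift would surface as a failed step rather than an unnoticed downgrade. The job and `env` block that define `GITLEAKS_VERSION` lie outside the hunk.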
+++ b/deploy/ansible/install-runner.yml
@@ -50,6 +50,40 @@
 state: present
 update_cache: true
 
+ # Security scanners used by the CI workflows. Pre-installing them (as root)
+ # means the workflow steps find them on PATH and skip their runtime install,
+ # which would otherwise fail writing to /usr/local/bin as the runner user.
+ - name: Check installed Trivy version
+ ansible.builtin.command: trivy --version
+ register: trivy_check
+ changed_when: false
+ failed_when: false
+
+ - name: Install Trivy {{ trivy_version }}
+ ansible.builtin.shell: |
+ set -o pipefail
+ curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
+ | sh -s -- -b /usr/local/bin v{{ trivy_version }}
+ args:
+ executable: /bin/bash
+ when: trivy_version not in (trivy_check.stdout | default(''))
+
+ - name: Check installed Gitleaks version
+ ansible.builtin.command: gitleaks version
+ register: gitleaks_check
+ changed_when: false
+ failed_when: false
+
+ - name: Install Gitleaks {{ gitleaks_version }}
+ ansible.builtin.unarchive:
+ src: "https://github.com/gitleaks/gitleaks/releases/download/v{{ gitleaks_version }}/gitleaks_{{ gitleaks_version }}_linux_x64.tar.gz"
+ dest: /usr/local/bin
+ remote_src: true
+ include:
+ - gitleaks
+ mode: "0755"
+ when: gitleaks_version not in (gitleaks_check.stdout | default(''))
+
 - name: Install runners for each project
 ansible.builtin.include_tasks: tasks/install_project.yml
 loop: "{{ runners }}"
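Review bot: The "Install Trivy" task pins the binary version but fetches the installer from the unpinned `main` branch and pipes it to `sh` as root, so the code that runs on the runner host is whatever `contrib/install.sh` is at run time, and neither that script nor the Gitleaks tarball in the `ansible.builtin.unarchive` task is integrity-checked. Fetching the script at the same tag as the binary removes one moving part: `curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/v{{ trivy_version }}/contrib/install.sh \` (assuming the script exists at that tag, which I believe it does). For Gitleaks, downloading with `ansible.builtin.get_url` and its `checksum:` option (`checksum: "sha256:<EXPECTED_SHA256>"`, value taken from the upstream release) before unarchiving would pin the artifact as well as the version. Minor: both `when:` guards are substring tests, so `gitleaks_version not in gitleaks_check.stdout` would also accept a hypothetical 8.30.10 for 8.30.1; a whole-token comparison would be stricter. The task list these tasks belong to starts before the hunk.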