ci: install versioned trivy+gitleak

deploy/ansible/install-runner.yml

@@ -50,6 +50,40 @@
             state: present
             update_cache: true
 
+    # Security scanners used by the CI workflows. Pre-installing them (as root)
+    # means the workflow steps find them on PATH and skip their runtime install,
+    # which would otherwise fail writing to /usr/local/bin as the runner user.
+    - name: Check installed Trivy version
+      ansible.builtin.command: trivy --version
+      register: trivy_check
+      changed_when: false
+      failed_when: false
+
+    - name: Install Trivy {{ trivy_version }}
+      ansible.builtin.shell: |
+        set -o pipefail
+        curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
+          | sh -s -- -b /usr/local/bin v{{ trivy_version }}
+      args:
+        executable: /bin/bash
+      when: trivy_version not in (trivy_check.stdout | default(''))
+
+    - name: Check installed Gitleaks version
+      ansible.builtin.command: gitleaks version
+      register: gitleaks_check
+      changed_when: false
+      failed_when: false
+
+    - name: Install Gitleaks {{ gitleaks_version }}
+      ansible.builtin.unarchive:
+        src: "https://github.com/gitleaks/gitleaks/releases/download/v{{ gitleaks_version }}/gitleaks_{{ gitleaks_version }}_linux_x64.tar.gz"
+        dest: /usr/local/bin
+        remote_src: true
+        include:
+          - gitleaks
+        mode: "0755"
+      when: gitleaks_version not in (gitleaks_check.stdout | default(''))
+
     - name: Install runners for each project
       ansible.builtin.include_tasks: tasks/install_project.yml
       loop: "{{ runners }}"