
fix(ci): resolve Validate and Secret Detection failures#143

Merged
Jesssullivan merged 3 commits into main from fix/ci-green on Mar 22, 2026

Conversation

@Jesssullivan
Collaborator

Summary

Fixes three CI issues discovered in post-merge gap analysis:

1. OpenTofu format check failing

tofu fmt on 4 files with whitespace drift:

  • tofu/modules/gitlab-runner/locals.tf
  • tofu/stacks/arc-runners/civo.tfvars
  • tofu/stacks/arc-runners/main.tf
  • tofu/stacks/arc-runners/variables.tf

2. Gitleaks action requires paid license

gitleaks/gitleaks-action@v2 now requires a GITLEAKS_LICENSE secret.
Replaced with direct CLI install (gitleaks 8.21.2) + manual run against
.gitleaks.toml config.

3. Missing modules in validate matrix

longhorn and runner-cleanup modules were not in the CI validation
matrix. Added them (now 16/16 modules validated).

Pre-existing (not fixed here)

  • Build Container Images: GHCR push permission_denied — failing since Feb 26, unrelated to our changes. Needs GHCR token/permissions investigation.

Test plan

  • Validate workflow passes (tofu fmt + validate for all 16 modules and 4 stacks)
  • Secret Detection workflow passes (gitleaks CLI + TruffleHog)
  • Check PR status checks after push

Run tofu fmt on files with formatting drift: gitlab-runner/locals.tf,
arc-runners/civo.tfvars, arc-runners/main.tf, arc-runners/variables.tf.
…dation

- Replace gitleaks-action v2 (requires paid license) with direct CLI
  install + run. Uses gitleaks 8.21.2 binary from GitHub releases.
- Add longhorn and runner-cleanup to validate module matrix (were
  missing, causing incomplete CI coverage).
@Jesssullivan added labels bug (Something isn't working) and P0 (Critical priority) on Mar 22, 2026
MetricCard accepts a single {metric: MetricCardData} prop, not
individual label/value/trend props. Fix all 9 MetricCard usages on
the cache health page.
@greptile-apps

greptile-apps bot commented Mar 22, 2026

Greptile Summary

This PR fixes three CI failures: tofu fmt whitespace drift across four files, the gitleaks-action@v2 paid-license requirement (replaced with a direct CLI install), and two missing modules (longhorn, runner-cleanup) in the validate matrix. The four OpenTofu files are pure formatting changes with no functional impact; the validate matrix is now complete at 16/16 modules.

Key changes:

  • secrets-scan.yml — swaps gitleaks/gitleaks-action@v2 for a pinned CLI install (v8.21.2) and a direct gitleaks detect invocation; the install step does not verify the downloaded binary's checksum, which is a notable gap for a security-critical tool
  • validate.yml — adds longhorn and runner-cleanup to the module matrix, completes alphabetical ordering; the module job still lacks a tofu fmt -check step, leaving the same formatting drift undetectable in future PRs
  • tofu/modules/gitlab-runner/locals.tf, tofu/stacks/arc-runners/*.tf and *.tfvars: tofu fmt whitespace normalization only, no semantic changes

Pre-existing concerns (not introduced here):

  • trufflesecurity/trufflehog@main in secrets-scan.yml is pinned to a mutable branch ref rather than a commit SHA, which is a supply-chain risk worth addressing
  • yq in validate.yml is fetched from releases/latest without version pinning or checksum verification

Confidence Score: 3/5

  • Safe to merge for the Tofu formatting and matrix fixes; the gitleaks install step should have checksum verification added before this pattern is considered production-ready.
  • All four Terraform/OpenTofu file changes are whitespace-only with zero functional impact. The validate matrix addition is straightforward and low-risk. The main concern is the absence of checksum verification when downloading and executing the gitleaks binary in CI — an integrity failure here would silently compromise the secret-scanning job that this PR is specifically fixing.
  • secrets-scan.yml — the gitleaks binary install step needs checksum verification; validate.yml — consider adding tofu fmt -check to the module validation job for consistent enforcement.

Important Files Changed

  • .github/workflows/secrets-scan.yml: Replaces the paid gitleaks-action@v2 with a direct CLI install and run; the install step lacks checksum verification for the downloaded binary, which is a meaningful gap for a security-critical tool.
  • .github/workflows/validate.yml: Adds longhorn and runner-cleanup to the module matrix (completing 16/16 coverage) and alphabetically re-orders entries; however, the module job still lacks a tofu fmt -check step, leaving formatting drift undetectable in modules.
  • tofu/modules/gitlab-runner/locals.tf: Pure tofu fmt whitespace reformatting; the indentation change inside the jsonencode() call is cosmetic HCL source formatting and does not affect the produced JSON string value.
  • tofu/stacks/arc-runners/civo.tfvars: Whitespace-only alignment changes from tofu fmt; no functional impact.
  • tofu/stacks/arc-runners/main.tf: Whitespace-only alignment changes from tofu fmt on the extra_runners module block; no functional impact.
  • tofu/stacks/arc-runners/variables.tf: Whitespace-only alignment changes from tofu fmt on the extra_runner_sets object type; no functional impact.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant GL_INSTALL as Install gitleaks step
    participant GL_RUN as Run gitleaks step
    participant TH as TruffleHog Action

    GH->>GL_INSTALL: checkout (fetch-depth: 0)
    GL_INSTALL->>GL_INSTALL: curl github releases v8.21.2
    Note over GL_INSTALL: ⚠️ No checksum verification
    GL_INSTALL->>GL_INSTALL: tar xz → /usr/local/bin/gitleaks
    GL_INSTALL->>GL_RUN: binary available
    GL_RUN->>GL_RUN: gitleaks detect --source . --config .gitleaks.toml --verbose --exit-code 1
    GL_RUN-->>GH: exit 0 (clean) or exit 1 (leaks found)

    GH->>TH: checkout (fetch-depth: 0)
    TH->>TH: trufflesecurity/trufflehog@main (--only-verified)
    Note over TH: ⚠️ Mutable @main ref (pre-existing)
    TH-->>GH: exit 0 (clean) or exit 1 (secrets found)

Comments Outside Diff (1)

  1. .github/workflows/validate.yml, lines 56-60

    P2 Module validation job is missing tofu fmt -check

    The validate-stacks job correctly runs tofu fmt -check -recursive before validating each stack, but the validate-tofu job for modules only runs tofu init + tofu validate — no format check. This means the exact whitespace drift that motivated this PR (e.g., tofu/modules/gitlab-runner/locals.tf) can silently recur in any module without failing CI.

    Adding a consistent format check to the module job would close this gap:

Reviews (1): Last reviewed commit: "fix(ci): fix gitleaks license requiremen..."

Comment on lines +36 to +40
- name: Install gitleaks
run: |
GITLEAKS_VERSION=8.21.2
curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
| tar xz -C /usr/local/bin gitleaks
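Review bot: the `curl ... | tar xz -C /usr/local/bin gitleaks` pipe on lines +39 and +40 never writes the archive to disk, so there is no point at which it can be checked against the `gitleaks_${GITLEAKS_VERSION}_checksums.txt` file published with each release; download to a file, run `sha256sum --check --ignore-missing` against that checksums file, and extract only after it passes. Secondary style point: move `GITLEAKS_VERSION` out of the script body into the step's `env:` so the pinned version is visible outside the shell script.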

P1 No checksum verification for gitleaks binary

The binary is downloaded and piped directly into extraction without verifying its integrity against a published checksum. Gitleaks publishes a checksums.txt file with each release. Since this tool runs as your secret scanner with full access to the codebase and CI environment, a compromised or swapped binary would silently undermine the very security control you're adding.

A hardened install pattern downloads the tarball and checksums separately, then verifies before extracting:

      - name: Install gitleaks
        run: |
          GITLEAKS_VERSION=8.21.2
          cd /tmp
          curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
            -o gitleaks.tar.gz
          curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_checksums.txt" \
            -o checksums.txt
          sha256sum --check --ignore-missing checksums.txt
          tar xz -C /usr/local/bin gitleaks -f gitleaks.tar.gz
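The verify-before-extract pattern from the comment above, as an added shell example that is not code from the PR or from the gitleaks project: it packs a constructed stand-in "gitleaks" script under the real asset name, writes a checksums file in the same format, and shows that an intact archive is installed while a tampered one is refused with nothing extracted. The sha256sum flags are the ones used in the suggested step; the make_fake_release, verify_and_extract and demo_* function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the PR or from gitleaks: verify a release
# archive against its published checksums BEFORE extracting, instead of
# piping curl into tar. All inputs are constructed locally (a stand-in
# "gitleaks" script packed under the real asset name); nothing is downloaded.
set -eu
VERSION=8.21.2
TARBALL="gitleaks_${VERSION}_linux_x64.tar.gz"
CHECKSUMS="gitleaks_${VERSION}_checksums.txt"
# Build the constructed release in WORKDIR: archive plus a checksums file in
# sha256sum's "<hash>  <name>" format, which is what the real file uses.
make_fake_release() {
  workdir=$1
  mkdir -p "$workdir/src"
  printf '#!/bin/sh\necho "stand-in gitleaks %s"\n' "$VERSION" > "$workdir/src/gitleaks"
  chmod +x "$workdir/src/gitleaks"
  tar -czf "$workdir/$TARBALL" -C "$workdir/src" gitleaks
  (cd "$workdir" && sha256sum "$TARBALL" > "$CHECKSUMS")
}

# Extract the gitleaks member into DESTDIR only after the archive's SHA-256
# matches. --ignore-missing skips other platforms' entries in a real checksums
# file but still fails if no listed file was verified at all.
verify_and_extract() {
  workdir=$1; destdir=$2
  (cd "$workdir" && sha256sum --check --ignore-missing --quiet "$CHECKSUMS") || {
    echo "refusing to extract $TARBALL: checksum verification failed" >&2
    return 1
  }
  mkdir -p "$destdir"
  tar -xzf "$workdir/$TARBALL" -C "$destdir" gitleaks
}

# Intact archive: verification passes and the binary lands in bin/.
demo_intact() {
  w=$(mktemp -d); make_fake_release "$w"
  verify_and_extract "$w" "$w/bin" && [ -x "$w/bin/gitleaks" ]
}

# Tampered archive (one appended byte, as a swapped or truncated download
# would give): verification fails and nothing reaches the install dir.
demo_tampered() {
  w=$(mktemp -d); make_fake_release "$w"
  printf 'x' >> "$w/$TARBALL"
  if verify_and_extract "$w" "$w/bin" >/dev/null 2>&1; then return 1; fi
  [ ! -e "$w/bin/gitleaks" ]
}
demo_intact && echo "intact archive: verified and extracted"
demo_tampered && echo "tampered archive: rejected, nothing extracted"
```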

@Jesssullivan Jesssullivan merged commit 859714c into main Mar 22, 2026
29 of 30 checks passed
@Jesssullivan Jesssullivan deleted the fix/ci-green branch March 22, 2026 23:09