Update ci-devsecops.yml

Author: PrimeBuild-pc

.github/workflows/ci-devsecops.yml

@@ -30,7 +30,31 @@ jobs:
       - name: Dependency Audit
         run: dotnet list "ThreadPilot.csproj" package --vulnerable --include-transitive
 
-      - name: Secret Scan
-        uses: gitleaks/gitleaks-action@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Secret Scan (Gitleaks)
+        shell: pwsh
+        run: |
+          $ErrorActionPreference = "Stop"
+
+          $version = "8.24.3"
+          $baseUrl = "https://github.com/gitleaks/gitleaks/releases/download/v$version"
+          $zipAsset = "gitleaks_${version}_windows_x64.zip"
+          $tarAsset = "gitleaks_${version}_windows_x64.tar.gz"
+
+          Write-Host "Installing Gitleaks v$version"
+
+          try {
+            Invoke-WebRequest -Uri "$baseUrl/$zipAsset" -OutFile "gitleaks.zip"
+            Expand-Archive -Path "gitleaks.zip" -DestinationPath ".\\gitleaks-bin" -Force
+          }
+          catch {
+            Write-Host "ZIP download failed, trying tar.gz fallback"
+            Invoke-WebRequest -Uri "$baseUrl/$tarAsset" -OutFile "gitleaks.tar.gz"
+            New-Item -ItemType Directory -Force -Path ".\\gitleaks-bin" | Out-Null
+            tar -xzf "gitleaks.tar.gz" -C ".\\gitleaks-bin"
+          }
+
+          $gitleaksExe = Resolve-Path ".\\gitleaks-bin\\gitleaks.exe"
+          & $gitleaksExe version
+
+          # Scan working tree for hardcoded secrets.
+          & $gitleaksExe detect --source "." --redact --verbose