ci: fix gitleaks (first push) + desabilitar CodeQL em repo private

.github/workflows/ci.yml

@@ -47,22 +47,27 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Run gitleaks
-        uses: gitleaks/gitleaks-action@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install gitleaks CLI
+        run: |
+          GL_VERSION=8.24.3
+          curl -sSL -o /tmp/gitleaks.tar.gz \
+            "https://github.com/zricethezav/gitleaks/releases/download/v${GL_VERSION}/gitleaks_${GL_VERSION}_linux_x64.tar.gz"
+          tar -xzf /tmp/gitleaks.tar.gz -C /tmp
+          sudo mv /tmp/gitleaks /usr/local/bin/gitleaks
+      - name: Scan full repository
+        run: gitleaks detect --source . --redact --verbose --exit-code 1
 
-  codeql:
-    name: CodeQL
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-    steps:
-      - uses: actions/checkout@v4
-      - uses: github/codeql-action/init@v3
-        with:
-          languages: javascript, python
-      - uses: github/codeql-action/analyze@v3
+  # CodeQL: desabilitado em repo private sem GitHub Advanced Security addon.
+  # Reativar quando repo tornar-se público ou GHAS for contratado.
+  # codeql:
+  #   name: CodeQL
+  #   runs-on: ubuntu-latest
+  #   permissions: { security-events: write }
+  #   steps:
+  #     - uses: actions/checkout@v4
+  #     - uses: github/codeql-action/init@v3
+  #       with: { languages: javascript, python }
+  #     - uses: github/codeql-action/analyze@v3
 
   bench:
     name: Benchmark (informational)