Replace action/upload-artifact with a more secure alternative

Related: AAP-46204

Author: ssbarnea

.github/workflows/tox.yml

@@ -200,14 +200,16 @@ jobs:
         if: ${{ inputs.run_post }}
         run: ${{ inputs.run_post }}
 
-      - name: Archive logs and coverage data
-        uses: actions/upload-artifact@v4
+      - name: Archive logs and coverage data (secured)
+        uses: coactions/upload-artifact@fix/multi-folders
         with:
           name: logs-${{ matrix.name }}.zip
           include-hidden-files: true
           path: |
-            .tox/**/log/
+            .tox/py/pyvenv.cfg
             .tox/**/coverage.xml
+          # Temporary disable of tox log collection until its new release:
+          # .tox/**/log/
 
       - name: Upload test results to Codecov
         if: ${{ !cancelled() && hashFiles('junit.xml') != '' }}

.pre-commit-config.yaml

@@ -36,3 +36,11 @@ repos:
       - id: ansible-lint
         language_version: "3.12"
         args: [--fix]
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.27.0
+    hooks:
+      - id: gitleaks
+        name: Look for leaked decrets in all files, including build logs
+        entry: gitleaks dir -v --redact=100 --no-banner --max-archive-depth=2 .
+        pass_filenames: false
+        always_run: true

tox.ini

@@ -63,8 +63,6 @@ uv_seed = true
 [testenv:docs]
 description = Build docs
 extras = docs
-passenv =
-    *
 setenv =
   # see https://github.com/tox-dev/tox/issues/2092#issuecomment-2538729079
   # see https://github.com/Kozea/CairoSVG/issues/392#issuecomment-2538707712