ci: add gitleaks workflow (Sulkta canonical)

2026-05-27 22:14:29 -07:00 · 2026-05-27 22:14:29 -07:00 · 08d0e8a702
commit 08d0e8a702
parent 10f7c9572c
1 changed files with 40 additions and 0 deletions
--- a/.forgejo/workflows/gitleaks.yml
+++ b/.forgejo/workflows/gitleaks.yml
@ -0,0 +1,40 @@
+# .forgejo/workflows/gitleaks.yml
+#
+# Sulkta canonical gitleaks workflow. Drop a copy into every public repo at
+# `.forgejo/workflows/gitleaks.yml` after the Forgejo act_runner is registered
+# (task #295).
+#
+# Pairs with the pre-receive hook installed on every bare repo — that one is
+# the strict enforcement layer (rejects the push); this one provides the
+# per-PR red ✗ that branch-protection rules can require before merge.
+#
+# Layer 1 (this workflow): visible per-PR status, can be a required check.
+# Layer 2 (pre-receive hook): strict enforcement at the server.
+# Layer 3 (johnny5 cron sweep): nightly full-history sweep across all repos.
+
+name: gitleaks
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # Full history — gitleaks needs depth to scan a commit range.
+          fetch-depth: 0
+
+      - name: install gitleaks
+        run: |
+          curl -sSL -o gl.tar.gz \
+            https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz
+          tar xzf gl.tar.gz gitleaks
+          chmod +x gitleaks
+          ./gitleaks version
+
+      - name: scan
+        run: |
+          ./gitleaks detect --source . --no-banner --redact --verbose