From 90f9cf1dc234adc24ce14a2394deaecf7fd7023d Mon Sep 17 00:00:00 2001
From: Cobb Hayes
Date: Wed, 27 May 2026 20:31:34 -0700
Subject: [PATCH 1/2] test: should reject

---
 leak.txt | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 leak.txt

diff --git a/leak.txt b/leak.txt
new file mode 100644
index 0000000..5bb484f
--- /dev/null
+++ b/leak.txt
@@ -0,0 +1,2 @@
+ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789ab
+slack-bot-xoxb-1234567890123-1234567890123-abcdefghijklmnopqrstuvwx

From 08d0e8a7027b2a99a2d97b4c9c68e4bc96988f0a Mon Sep 17 00:00:00 2001
From: kayos
Date: Wed, 27 May 2026 22:14:29 -0700
Subject: [PATCH 2/2] ci: add gitleaks workflow (Sulkta canonical)

---
 .forgejo/workflows/gitleaks.yml | 40 +++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 .forgejo/workflows/gitleaks.yml

diff --git a/.forgejo/workflows/gitleaks.yml b/.forgejo/workflows/gitleaks.yml
new file mode 100644
index 0000000..10d7847
--- /dev/null
+++ b/.forgejo/workflows/gitleaks.yml
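Review bot: Nothing in the fixture or in the commit message records that the two values are constructed test strings, or that this commit is expected to be rejected by the pre-receive hook rather than merged, so a reader of the history cannot tell a fixture from a real leak. If the commit does land, the full-history scan added in the following patch (`fetch-depth: 0` plus `gitleaks detect --source .`) will report it on every run until the path or commit is allowlisted in a `.gitleaks.toml`. Add a line to the commit body such as `Synthetic token-shaped strings; this push is expected to be rejected by the pre-receive hook`, and decide up front whether the fixture is meant to remain in the tree at all.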
@@ -0,0 +1,40 @@
+# .forgejo/workflows/gitleaks.yml
+#
+# Sulkta canonical gitleaks workflow. Drop a copy into every public repo at
+# `.forgejo/workflows/gitleaks.yml` after the Forgejo act_runner is registered
+# (task #295).
+#
+# Pairs with the pre-receive hook installed on every bare repo — that one is
+# the strict enforcement layer (rejects the push); this one provides the
+# per-PR red ✗ that branch-protection rules can require before merge.
+#
+# Layer 1 (this workflow): visible per-PR status, can be a required check.
+# Layer 2 (pre-receive hook): strict enforcement at the server.
+# Layer 3 (johnny5 cron sweep): nightly full-history sweep across all repos.
+
+name: gitleaks
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ # Full history — gitleaks needs depth to scan a commit range.
+ fetch-depth: 0
+
+ - name: install gitleaks
+ run: |
+ curl -sSL -o gl.tar.gz \
+ https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz
+ tar xzf gl.tar.gz gitleaks
+ chmod +x gitleaks
+ ./gitleaks version
+
+ - name: scan
+ run: |
+ ./gitleaks detect --source . --no-banner --redact --verbose
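Review bot: The `install gitleaks` step downloads the release tarball over the network and extracts and executes it without verifying it, so a substituted or tampered release asset would run with the repository checked out; the version is pinned but the bytes are not. Verify the archive against the sha256 published with the v8.21.2 release before the `tar` line, e.g. `echo "<SHA256_FROM_RELEASE_CHECKSUMS>  gl.tar.gz" | sha256sum -c -`, so the step fails closed on a mismatch. For the same reason `actions/checkout@v4` is a movable tag; pinning it to a full commit SHA with the tag kept in a trailing comment makes the checkout step reproducible as well.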