test: should reject

.forgejo/workflows/gitleaks.yml

@@ -1,40 +0,0 @@
-# .forgejo/workflows/gitleaks.yml
-#
-# Sulkta canonical gitleaks workflow. Drop a copy into every public repo at
-# `.forgejo/workflows/gitleaks.yml` after the Forgejo act_runner is registered
-# (task #295).
-#
-# Pairs with the pre-receive hook installed on every bare repo — that one is
-# the strict enforcement layer (rejects the push); this one provides the
-# per-PR red ✗ that branch-protection rules can require before merge.
-#
-# Layer 1 (this workflow): visible per-PR status, can be a required check.
-# Layer 2 (pre-receive hook): strict enforcement at the server.
-# Layer 3 (johnny5 cron sweep): nightly full-history sweep across all repos.
-
-name: gitleaks
-
-on:
-  push:
-  pull_request:
-
-jobs:
-  scan:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          # Full history — gitleaks needs depth to scan a commit range.
-          fetch-depth: 0
-
-      - name: install gitleaks
-        run: |
-          curl -sSL -o gl.tar.gz \
-            https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz
-          tar xzf gl.tar.gz gitleaks
-          chmod +x gitleaks
-          ./gitleaks version
-
-      - name: scan
-        run: |
-          ./gitleaks detect --source . --no-banner --redact --verbose

leak.txt

@@ -0,0 +1,2 @@
+ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789ab
+slack-bot-xoxb-1234567890123-1234567890123-abcdefghijklmnopqrstuvwx