# .forgejo/workflows/gitleaks.yml # # Gitleaks CI workflow for secret scanning. Use it as a CI secret-scan step, e.g. at # `.forgejo/workflows/gitleaks.yml` after the Forgejo act_runner is registered # (after a CI runner is configured). # # Pairs with the server-side pre-receive hook — that one is # the strict enforcement layer (rejects the push); this one provides the # per-PR red ✗ that branch-protection rules can require before merge. # # Layer 1 (this workflow): visible per-PR status, can be a required check. # Layer 2 (pre-receive hook): strict enforcement at the server. # Layer 3 (scheduled cron sweep): nightly full-history sweep across all repos. name: gitleaks on: push: pull_request: jobs: scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: # Full history — gitleaks needs depth to scan a commit range. fetch-depth: 0 - name: install gitleaks run: | curl -sSL -o gl.tar.gz \ https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz tar xzf gl.tar.gz gitleaks chmod +x gitleaks ./gitleaks version - name: scan run: | ./gitleaks detect --source . --no-banner --redact --verbose