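# Scan the repository for committed secrets with gitleaks on every push and
# pull request. The job fails (and can be made a required check) if a secret
# is detected, so credentials never land in history.
name: gitleaks

on:
  push:
  pull_request:

# Least privilege: the scan only reads the checkout and never needs a write
# token, so restrict the default GITHUB_TOKEN to read-only.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): a floating tag can move; pinning to a full commit SHA
      # keeps the action from changing underneath the workflow.
      - uses: actions/checkout@v4
        with:
          # Full history — gitleaks needs depth to scan a commit range.
          fetch-depth: 0

      - name: install gitleaks
        env:
          # Quoted so YAML keeps it a string, not a float.
          GITLEAKS_VERSION: "8.21.2"
        run: |
          # The default shell only sets -e; add pipefail and -u so a failed
          # download or an unset variable stops the job instead of running
          # an unverified binary.
          set -euo pipefail
          base="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
          archive="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          # --fail makes curl exit non-zero on an HTTP error instead of
          # saving the error page as the archive.
          curl -fsSL -o "${archive}" "${base}/${archive}"
          # Verify the archive against the checksums published with the
          # release before extracting it. This catches a corrupted or
          # substituted download; pinning the expected digest directly in the
          # workflow would be stronger still, since the checksums file comes
          # from the same origin as the archive.
          curl -fsSL -o checksums.txt "${base}/gitleaks_${GITLEAKS_VERSION}_checksums.txt"
          sha256sum --check --ignore-missing checksums.txt
          tar xzf "${archive}" gitleaks
          chmod +x gitleaks
          ./gitleaks version

      - name: scan
        run: |
          # --redact keeps the matched secret values out of the job log;
          # --verbose still reports where each finding is located.
          ./gitleaks detect --source . --no-banner --redact --verbose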