From c0c8d06ff3ab34a28e4637b8d3d205bb0d20e324 Mon Sep 17 00:00:00 2001
From: kayos <kayos@sulkta.com>
Date: Wed, 27 May 2026 22:14:56 -0700
Subject: [PATCH] ci: add gitleaks workflow (Sulkta canonical)

---
 .forgejo/workflows/gitleaks.yml | 40 +++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 .forgejo/workflows/gitleaks.yml

diff --git a/.forgejo/workflows/gitleaks.yml b/.forgejo/workflows/gitleaks.yml
new file mode 100644
index 0000000..10d7847
--- /dev/null
+++ b/.forgejo/workflows/gitleaks.yml
@@ -0,0 +1,40 @@
+# .forgejo/workflows/gitleaks.yml
+#
+# Sulkta canonical gitleaks workflow. Drop a copy into every public repo at
+# `.forgejo/workflows/gitleaks.yml` after the Forgejo act_runner is registered
+# (task #295).
+#
+# Pairs with the pre-receive hook installed on every bare repo — that one is
+# the strict enforcement layer (rejects the push); this one provides the
+# per-PR red ✗ that branch-protection rules can require before merge.
+#
+# Layer 1 (this workflow): visible per-PR status, can be a required check.
+# Layer 2 (pre-receive hook): strict enforcement at the server.
+# Layer 3 (johnny5 cron sweep): nightly full-history sweep across all repos.
+
+name: gitleaks
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # Full history — gitleaks needs depth to scan a commit range.
+          fetch-depth: 0
+
+      - name: install gitleaks
+        run: |
+          curl -sSL -o gl.tar.gz \
+            https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz
+          tar xzf gl.tar.gz gitleaks
+          chmod +x gitleaks
+          ./gitleaks version
+
+      - name: scan
+        run: |
+          ./gitleaks detect --source . --no-banner --redact --verbose