# DO NOT EDIT DIRECTLY.
# This file is auto-synchronized from HiromiShikata/repositories-management.
# Direct edits in downstream repositories will be overwritten by the next sync.
# Update the source file in HiromiShikata/repositories-management instead.

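name: Secret Scan

# Scan only the commits of a pull request for leaked secrets with gitleaks.
# `edited` also fires on title/body changes that never alter the commit range;
# it is kept as the upstream source defines it.
on:  # yamllint disable-line rule:truthy
  pull_request:
    types:
      - opened
      - edited
      - reopened
      - synchronize

# One scan per ref at a time; a new push to the same PR cancels the running scan.
concurrency:
  group: secret-scan-${{ github.ref }}
  cancel-in-progress: true

jobs:
  secret-scan:
    runs-on: ubuntu-latest
    # Bound the job so a stalled download or a very large history cannot hold a
    # runner indefinitely.
    timeout-minutes: 15
    # Least privilege: the scan only reads repository contents and PR metadata.
    permissions:
      contents: read
      pull-requests: read
    steps:
      # NOTE(review): both actions are pinned to mutable major tags (@v2, @v6).
      # Pinning to a full commit SHA (<ACTION_COMMIT_SHA placeholder>) is the
      # stronger supply-chain control; left unchanged here because the SHAs
      # are not on this page.
      - uses: step-security/harden-runner@v2
        with:
          # `audit` only records outbound connections; it does not block them.
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          # Full history so the base..head range used below resolves.
          fetch-depth: 0

      - name: Download and verify gitleaks binary
        # Explicit `bash` adds `-o pipefail` to the default `-e`.
        shell: bash
        run: |
          set -euo pipefail
          GITLEAKS_VERSION="8.30.1"
          GITLEAKS_ARCHIVE="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          # --fail: an HTTP error aborts the step instead of saving an error
          # page under the archive name (the checksum would catch it, but the
          # failure reason would be misleading).
          curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${GITLEAKS_ARCHIVE}" -o "${GITLEAKS_ARCHIVE}"
          # Integrity gate before anything is extracted or executed; a mismatch
          # makes sha256sum exit non-zero and the step fail.
          echo "551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb  ${GITLEAKS_ARCHIVE}" | sha256sum --check
          # Extract only the binary, not every member of the archive.
          tar -xzf "${GITLEAKS_ARCHIVE}" gitleaks
          chmod +x gitleaks
          ./gitleaks version

      - name: Run gitleaks on PR commits
        # Pass event data through env instead of interpolating `${{ }}` into the
        # script body, so expression output is never parsed by the shell as code.
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        shell: bash
        run: |
          set -euo pipefail
          # Both SHAs are set for pull_request events; refuse to scan an
          # undefined range rather than let gitleaks interpret "..".
          if [ -z "${BASE_SHA}" ] || [ -z "${HEAD_SHA}" ]; then
            echo "::error::pull_request base/head SHA missing; refusing to scan an undefined range" >&2
            exit 1
          fi
          # --config assumes every synced repository ships a .gitleaks.toml — confirm downstream.
          # --redact keeps matched secret values out of the job log.
          ./gitleaks detect \
            --log-opts="${BASE_SHA}..${HEAD_SHA}" \
            --config=.gitleaks.toml \
            --verbose \
            --redact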
