name: Gitleaks Secret Detection on: pull_request: branches: [ main ] workflow_dispatch: schedule: # Run secret scan daily at 3 AM UTC - cron: '0 3 * * *' # No concurrency group — intentionally omitted. # Previous attempt (#3554, reverted #3599) used cancel-in-progress which # killed in-progress PR runs before they produced useful results. # Future iteration could safely add concurrency for scheduled/push-only # triggers (where head_ref is empty and runs get unique groups). permissions: {} # Minimal top-level for OSSF Scorecard Token-Permissions jobs: gitleaks: runs-on: ubuntu-latest permissions: contents: read security-events: write actions: read steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: audit - name: Checkout code uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false fetch-depth: 0 # Fetch full history for comprehensive secret scanning - name: Run Gitleaks Secret Scanner uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_USERNAME: ${{ github.actor }} GITHUB_REPOSITORY: ${{ github.repository }} GITLEAKS_CONFIG: .gitleaks.toml GITLEAKS_BASELINE_PATH: .gitleaksignore