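---
# Secret scanning workflow: installs a pinned Gitleaks release and scans the
# repository's git history on every push, on pull requests targeting main,
# and on manual dispatch.
name: Secret Scanning (Gitleaks)

on:
  push:
    branches: ['**']
  pull_request:
    branches: [main]
  workflow_dispatch:

# Least privilege: the job only needs to read the repository.
permissions:
  contents: read

jobs:
  scan:
    name: Scan for secrets
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # NOTE(review): v4 is a mutable tag; consider pinning this action to
        # a full commit SHA so the code that runs here cannot change silently.
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Full history for accurate scanning
          # No later step pushes or fetches, so do not leave the token in
          # the checkout's git config.
          persist-credentials: false

      - name: Install Gitleaks
        run: |
          set -euo pipefail
          version="8.30.0"
          workdir="${RUNNER_TEMP}/gitleaks"
          archive="${workdir}/gitleaks.tar.gz"
          mkdir -p "${workdir}"
          curl -sSfL -o "${archive}" \
            "https://github.com/gitleaks/gitleaks/releases/download/v${version}/gitleaks_${version}_linux_x64.tar.gz"
          # NOTE(review): the download is not integrity-checked. Pin the
          # archive's SHA-256 in this workflow and verify it before
          # extracting, e.g.:
          #   echo "<PINNED_SHA256>  ${archive}" | sha256sum -c -
          # Extract outside the workspace so files in the archive cannot
          # overwrite checked-out files of the same name.
          tar -xzf "${archive}" -C "${workdir}"
          sudo install -m 0755 "${workdir}/gitleaks" /usr/local/bin/gitleaks

      - name: Run Gitleaks
        # --redact keeps matched secret values out of the workflow log, which
        # is readable by anyone with access to the run.
        run: gitleaks detect --source . --verbose --redact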