security.yaml

---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Security

on:
  pull_request:
    branches:
      - main

permissions:
  contents: read
  pull-requests: write

jobs:
  secret-scan:
    name: Run TruffleHog Secret Scan
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          fetch-depth: 0

      - name: Run TruffleHog Secret Scanning
        uses: trufflesecurity/trufflehog@ddc015e5ed99942b2253d8ea16a0586a01ef2ab1 # v3.88.0
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}

      - name: Post results if secrets found
        if: failure() # If the previous step fails (i.e., secrets found)
        run: echo "❌ Secrets detected! Please review the findings and remove any secrets before merging."