name: Security Scan

on:
    push:
        branches: [main]
    pull_request:
        branches: [main]

env:
    GIT_SSL_NO_VERIFY: "true"

jobs:
    gitleaks:
        name: Secret Scanning (gitleaks)
        runs-on: [self-hosted, incus]
        steps:
            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
              with:
                  fetch-depth: 0

            - name: Install gitleaks
              run: |
                  wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz
                  tar xzf gitleaks_8.21.2_linux_x64.tar.gz
                  chmod +x gitleaks

            - name: Run gitleaks
              run: ./gitleaks detect --source . --no-banner -v --config .gitleaks.toml