name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

jobs:
  gitleaks:
    name: Secret Scanning (gitleaks)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2 # SECURITY(MEDIUM-007): TODO — pin to SHA
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}