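# Secret scanning
#
# Purpose: stop credentials (API keys, tokens, passwords, private keys) from
# ever living in the Git history. Odysseus deliberately keeps real secrets in
# files that are gitignored (.env, data/), but a slip in a future commit -- or a
# malicious pull request that sneaks one in -- would otherwise go unnoticed.
# This job reads the repository and the full commit history and fails if it
# finds anything that looks like a secret.
#
# It runs the official gitleaks BINARY directly (pinned to an exact version and
# verified against the project's published SHA-256 checksum) rather than the
# gitleaks GitHub Action, because the Action asks for a paid license on
# organization-owned repos. The binary is free and behaves identically.
#
# Caveats:
#   * A pull_request run uses the workflow file as it exists in the PR, so a
#     PR can also weaken or delete this file. The check is only as strong as
#     the branch protection around it: make the "gitleaks" job a required
#     status check and have .github/workflows/ covered by CODEOWNERS.
#   * A finding means a secret was already pushed. Rotate it first; rewriting
#     history is secondary, and does nothing for clones/forks already taken.
#   * Detection is pattern-based. A clean run lowers the odds of a leak; it
#     does not prove there is none.

---
name: Secret scan

on:  # yamllint disable-line rule:truthy
  pull_request:
  push:
    branches: [main]
  workflow_dispatch:

# Start with zero permissions; the single job opts back in to read-only.
permissions: {}

# One scan per ref at a time. Cancelling an older run is safe here because
# every run scans the complete history, so the newest run covers everything
# the cancelled one would have reported.
concurrency:
  group: secret-scan-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  gitleaks:
    name: gitleaks
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
        with:
          # Full history so a secret committed in an earlier commit (and later
          # deleted) is still caught -- deletion does not remove it from Git.
          fetch-depth: 0
          # The scan never pushes; do not leave the job token in .git/config
          # where a later step (or the scanned tooling) could read it.
          persist-credentials: false

      # Pinned version + checksum so a tampered release binary cannot run here.
      # Bump GITLEAKS_VERSION and GITLEAKS_SHA256 together; the checksum is the
      # linux_x64 line of gitleaks_<VERSION>_checksums.txt on the GitHub
      # release. Both values are quoted so YAML never retypes them as numbers.
      - name: Run gitleaks (pinned, checksum-verified)
        env:
          GITLEAKS_VERSION: "8.30.1"
          GITLEAKS_SHA256: "551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb"
        run: |
          set -euo pipefail

          # Download and unpack outside the checkout so neither the tarball nor
          # the binary ends up in the working tree.
          WORKDIR="${RUNNER_TEMP}/gitleaks"
          mkdir -p "${WORKDIR}"
          TARBALL="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"

          # --proto '=https' refuses any redirect to a non-TLS URL (GitHub
          # releases redirect to a CDN); --retry covers transient failures.
          curl -fsSL --proto '=https' --tlsv1.2 --retry 3 \
            -o "${WORKDIR}/${TARBALL}" \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${TARBALL}"

          # Canonical "<hash>  <file>" format: TWO spaces. A single space is
          # accepted by recent GNU coreutils but not by every sha256sum
          # implementation. With pipefail a mismatch aborts the step before
          # anything is extracted or executed.
          echo "${GITLEAKS_SHA256}  ${WORKDIR}/${TARBALL}" | sha256sum -c -

          # Extract only the binary; the README/LICENSE in the archive are not
          # needed.
          tar -xzf "${WORKDIR}/${TARBALL}" -C "${WORKDIR}" gitleaks

          # Scan the full commit history of the checkout (the positional ".").
          # gitleaks exits non-zero when it finds something, which fails the
          # job. --redact keeps the secret value itself out of the job log --
          # the log is readable by anyone who can read the repository.
          "${WORKDIR}/gitleaks" git --no-banner --redact --verbose .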