name: gitleaks
on:
  pull_request: {}
  push:
    branches: [master, v3.dev]
permissions: read-all

env:
  ALLOWED_ENDPOINTS: >
    api.github.com:443
    github.com:443
    objects.githubusercontent.com:443

jobs:
  scan:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
      - name: Run gitleaks
        uses: gitleaks/gitleaks-action@83373cf2f8c4db6e24b41c1a9b086bb9619e9cd3 # v2.3.7
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}