geckon01/local-deep-research
1
0
Fork 0
mirror of https://github.com/LearningCircuit/local-deep-research.git synced 2026-06-15 19:46:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ba0912056c5b78bf2c8a1fb15eef202d72fec401
local-deep-research/.github/workflows/gitleaks.yml
dependabot[bot] 56290b15c0 chore(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 (#3811) 
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.19.0 to 2.19.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](8d3c67de8e...a5ad31d6a1)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-06 08:01:44 +02:00

47 lines
1.5 KiB
YAML
Raw Blame History

name: Gitleaks Secret Detection
on:
pull_request:
branches: [ main, dev ]
workflow_dispatch:
schedule:
# Run secret scan daily at 3 AM UTC
- cron: '0 3 * * *'
# No concurrency group — intentionally omitted.
# Previous attempt (#3554, reverted #3599) used cancel-in-progress which
# killed in-progress PR runs before they produced useful results.
# Future iteration could safely add concurrency for scheduled/push-only
# triggers (where head_ref is empty and runs get unique groups).
permissions: {} # Minimal top-level for OSSF Scorecard Token-Permissions
jobs:
gitleaks:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
fetch-depth: 0 # Fetch full history for comprehensive secret scanning
- name: Run Gitleaks Secret Scanner
uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_USERNAME: ${{ github.actor }}
GITHUB_REPOSITORY: ${{ github.repository }}
GITLEAKS_CONFIG: .gitleaks.toml
GITLEAKS_BASELINE_PATH: .gitleaksignore
Reference in New Issue View Git Blame Copy Permalink