name: secret-guardrails on: push: pull_request: jobs: artifact-secret-scan: runs-on: ubuntu-latest steps: - name: Check out repo uses: actions/checkout@v4 with: fetch-depth: 0 - name: Make scanner executable run: chmod +x scripts/scan-secret-bearing-artifacts.sh - name: Scan all tracked infra artifacts for embedded secrets run: scripts/scan-secret-bearing-artifacts.sh --tracked gitleaks: runs-on: ubuntu-latest steps: - name: Check out repo uses: actions/checkout@v4 with: fetch-depth: 0 - name: Run gitleaks uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}