👷 Add leakage check CI action

2025-09-09 12:20:04 +00:00 · 2025-05-31 18:41:38 +02:00 · 2025-05-31 18:41:38 +02:00 · 2743a9d143
commit 2743a9d143
parent 914537921b
1 changed files with 22 additions and 0 deletions
--- a/.github/workflows/check-leaks.yml
+++ b/.github/workflows/check-leaks.yml
@ -0,0 +1,22 @@
+name: "Trufflehog: check for exposed secrets"
+
+on:
+  pull_request:
+  push:
+    paths:
+      - "**.nix"
+      - ".github/workflows/check-leaks.yml"
+
+jobs:
+  deadnix:
+    name: Run trufflehog
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref_name }}
+          persist-credentials: false
+
+      - name: TruffleHog scan
+        uses: trufflesecurity/trufflehog@v3.88