From 2743a9d143ffe9a114b107918b70d1f46dda1e30 Mon Sep 17 00:00:00 2001
From: Jo
Date: Sat, 31 May 2025 18:41:38 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=91=B7=20Add=20leakage=20check=20CI=20act?= =?UTF-8?q?ion?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.github/workflows/check-leaks.yml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 .github/workflows/check-leaks.yml
diff --git a/.github/workflows/check-leaks.yml b/.github/workflows/check-leaks.yml
new file mode 100644
index 0000000..1d466df
--- /dev/null
+++ b/.github/workflows/check-leaks.yml
@@ -0,0 +1,22 @@
+name: "Trufflehog: check for exposed secrets"
+
+on:
+ pull_request:
+ push:
+ paths:
+ - "**.nix"
+ - ".github/workflows/check-leaks.yml"
+
+jobs:
+ deadnix:
+ name: Run trufflehog
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.ref_name }}
+ persist-credentials: false
+
+ - name: TruffleHog scan
+ uses: trufflesecurity/trufflehog@v3.88
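Review bot: The checkout step sets `ref: ${{ github.ref_name }}`, which on `pull_request` events expands to `<pr_number>/merge` rather than a branch or tag name, so PR runs will probably fail to resolve the ref; dropping the `ref:` line lets actions/checkout use the event's own ref. The default shallow clone also appears to leave TruffleHog without the commit range it compares, so `fetch-depth: 0` belongs under `with:`. The `paths:` filter on `push` restricts scanning to `**.nix` and the workflow file itself, so a secret pushed directly in any other file type is never checked; for a leak scanner the filter is better removed. `trufflesecurity/trufflehog@v3.88` is a mutable tag on a third-party action (worth confirming it resolves at all); pin it to a full commit SHA, e.g. `uses: trufflesecurity/trufflehog@<FULL_COMMIT_SHA>  # v3.88.x`, and add a top-level `permissions:` block with `contents: read` so the job token stays least-privilege. The job id `deadnix` looks copied from another workflow and could be renamed to match what the job does.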