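---
# Secret-scanning workflow: runs TruffleHog on every pull request and on
# pushes that touch Nix files or this workflow file.
name: "Trufflehog: check for exposed secrets"

on:
  pull_request:
  push:
    # NOTE(review): pushes that change only other file types do not trigger
    # this scan. Drop the filter if secrets could land outside *.nix files.
    paths:
      - "**.nix"
      - ".github/workflows/check-leaks.yml"

# Least privilege: the job only needs to read the repository contents.
permissions:
  contents: read

jobs:
  # NOTE(review): the job id says "deadnix" but the job runs TruffleHog. It
  # is kept unchanged here; consider renaming it to match.
  deadnix:
    name: Run trufflehog
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # No explicit `ref`: on pull_request events github.ref_name is
          # "<pr_number>/merge", which is not a branch or tag name, so the
          # checkout fails. The default checks out the triggering commit.
          # Full history so the scan can diff the event's base and head
          # commits; a depth-1 clone does not contain the base commit.
          fetch-depth: 0
          # Keep the job token out of .git/config for the later steps.
          persist-credentials: false
      - name: TruffleHog scan
        # NOTE(review): a version tag can be moved upstream. Pin this
        # third-party action to the full commit SHA of the release and keep
        # the tag as a trailing comment.
        uses: trufflesecurity/trufflehog@v3.88.35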