name: "Trufflehog: check for exposed secrets"

on:
  pull_request:
  push:
    paths:
      - "**.nix"
      - ".github/workflows/check-leaks.yml"

permissions:
  contents: read
  id-token: write
  issues: write
  pull-requests: write

jobs:
  deadnix:
    name: Run trufflehog
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ github.ref_name }}
          fetch-depth: 0

      - id: trufflehog
        name: TruffleHog scan
        uses: trufflesecurity/trufflehog@main
        continue-on-error: true
        with:
          path: ./
          base: "${{ github.event.repository.default_branch }}"
          extra_args: --debug --only-verified

      - name: Scan Results Status
        if: steps.trufflehog.outcome == 'failure'
        run: exit 1