.github/workflows/trufflehog.yml

---
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.

name: TruffleHog
on:
  workflow_dispatch:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Declare default permissions as read only.
permissions: read-all

jobs:
  trufflehog_job:
    runs-on: ubuntu-latest
    name: Scan for secrets
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.cloudflare.com:443
            ghcr.io:443
            github.com:443
            gitlab.com:443
            pkg-containers.githubusercontent.com:443

      - name: Checkout Source
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Check secrets with TruffleHog OSS
        uses: trufflesecurity/trufflehog@b715613cb3156d6169b47b3592e35057bd0031bd # v3.83.6
        with:
          path: ./
          head: HEAD
          extra_args: --only-verified