From d1b0ebb6b1f3f5b6261bbcfd2df72c9cc477a9b9 Mon Sep 17 00:00:00 2001
From: Michel Marques <marques.jm@icloud.com>
Date: Thu, 26 Mar 2026 11:35:39 +0100
Subject: [PATCH 1/2] [chore/secrets-scan-ci] ci: add gitleaks secret scanning
 on PRs and pushes

---
 .github/workflows/secrets-scan.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .github/workflows/secrets-scan.yml

diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml
new file mode 100644
index 0000000..a3a17ba
--- /dev/null
+++ b/.github/workflows/secrets-scan.yml
@@ -0,0 +1,18 @@
+name: Secrets Scan
+
+on:
+  pull_request:
+  push:
+    branches: [develop, main]
+
+jobs:
+  gitleaks:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From 5b549a1f85227735d73835bcd68239f20145331d Mon Sep 17 00:00:00 2001
From: Michel Marques <marques.jm@icloud.com>
Date: Thu, 26 Mar 2026 11:36:48 +0100
Subject: [PATCH 2/2] [chore/secrets-scan-ci] fix: add explicit permissions for
 GITHUB_TOKEN

---
 .github/workflows/secrets-scan.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml
index a3a17ba..20aab07 100644
--- a/.github/workflows/secrets-scan.yml
+++ b/.github/workflows/secrets-scan.yml
@@ -5,6 +5,10 @@ on:
   push:
     branches: [develop, main]
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   gitleaks:
     name: gitleaks