
Issue 172b trufflehog (#176) #29

Issue 172b trufflehog (#176)


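---
name: Detect secrets leaks

on:
  workflow_call:
  push:
    branches:
      - '**'

jobs:
  detect-secret-leaks:
    runs-on: gh-runner
    # Least privilege: the job only reads the repository. id-token is only
    # useful if the Vault login below is switched to OIDC (method: jwt).
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout code
        # NOTE(review): the Trufflehog job uses actions/checkout@v4; move this
        # job to the same major once the self-hosted runner supports it.
        uses: actions/checkout@v3

      # https://github.com/hashicorp/vault-action?tab=readme-ov-file#multiple-secrets
      # https://github.com/hashicorp/vault-action?tab=readme-ov-file#example-usage
      - name: Authenticate with Vault using GitHub OIDC and retrieve secrets
        uses: hashicorp/vault-action@v3.0.0
        with:
          url: https://vault.vault.svc.cluster.local:8200
          # NOTE(review): `method: github` logs in with the stored VAULT_TOKEN,
          # not with the workflow's OIDC token; the step name and the id-token
          # permission suggest `method: jwt` was intended — confirm.
          method: github
          # NOTE(review): disables certificate verification for the Vault
          # endpoint; prefer pinning the in-cluster CA through the action's
          # caCertificate input and dropping tlsSkipVerify.
          tlsSkipVerify: true
          githubToken: ${{ secrets.VAULT_TOKEN }}
          # Every key under kv/data/test is exported as VAULTACTIONKEY_<KEY>;
          # the action masks the exported values in the job log.
          secrets: |
            kv/data/test * | VAULTACTIONKEY_;

      - name: Install git-secrets
        # NOTE(review): the clone follows the default branch, so the code that
        # is built and installed with sudo is not pinned to a reviewed revision.
        run: |
          sudo apt-get update
          sudo apt-get install -y git build-essential
          git clone https://github.com/awslabs/git-secrets.git
          cd git-secrets
          sudo make install

      - name: Add API keys to git-secrets
        # compgen -e and ${!var} are bash-only; do not rely on the runner's
        # default shell.
        shell: bash
        run: |
          set +H
          set -f
          for var in $(compgen -e VAULTACTIONKEY_); do
            value="${!var}"
            if [ -n "$value" ]; then
              git secrets --add --literal "$value" || echo "git secrets failed for variable $var" >&2
            else
              echo "Skipping empty variable $var"
            fi
          done

      - name: Scan repository for secrets
        run: |
          git secrets --scan -r

      - name: Remove git-secrets patterns
        # The registered patterns are the secret values themselves, stored by
        # git-secrets under the `secrets` section of the checkout's
        # .git/config. Remove them even when the scan step fails, otherwise
        # they remain on the self-hosted runner; the section name was
        # previously `git-secrets`, which does not exist, so the `|| true`
        # turned the cleanup into a no-op.
        if: always()
        run: |
          git config --remove-section secrets || true

  Trufflehog:
    runs-on: ubuntu-latest
    # Least privilege: reading the repository is all this job needs.
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full clone rather than a shallow tip, so the scanner has the
          # commit history available.
          fetch-depth: 0
      - name: Secret Scanning
        # NOTE(review): @main is a moving ref; pin to a release tag or a
        # commit SHA so the scanner version is reviewable and reproducible.
        uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --results=verified,unknown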