ci: address Copilot review feedback on secrets scanning [SVLS-8660]

- Fix .gitleaks.toml comment to reference correct `commits` key under [allowlist]
- Add `permissions: contents: read` to secrets-scan workflow job
- Enable `--redact` flag to prevent secret values appearing in CI logs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: litianningdatadog

.github/workflows/secrets-scan.yml

@@ -10,12 +10,17 @@ jobs:
   gitleaks:
     name: Secrets Scan
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
       - name: Run gitleaks
         uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
+        with:
+          args: --redact
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

.gitleaks.toml

@@ -2,7 +2,7 @@ title = "datadog-lambda-extension gitleaks config"
 
 # This file configures gitleaks to suppress known false positives.
 # Only add entries here after confirming a finding is NOT a real secret.
-# If a real secret is found: rotate it immediately, then add the commit to [allowlist.commits].
+# If a real secret is found: rotate it immediately, then add the commit hash to the `commits` list under [allowlist] below.
 #
 # Maintenance workflow:
 #   1. gitleaks flags something on a PR