ci: add gitleaks and trufflehog secret scanning workflow

Author: Dev-Beom

.github/workflows/secret-scan.yml

@@ -0,0 +1,43 @@
+name: Secret Scan
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+  schedule:
+    - cron: '0 4 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+  gitleaks:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_ENABLE_COMMENTS: 'false'
+
+  trufflehog:
+    name: trufflehog
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run trufflehog
+        uses: trufflesecurity/trufflehog@main
+        with:
+          extra_args: --results=verified,unknown

README.md

@@ -234,6 +234,13 @@ flutter test
 dart pub publish --dry-run
 ```
 
+## Security Scanning
+
+GitHub Actions secret scanning is enabled with both `gitleaks` and `trufflehog`.
+
+- Workflow: `.github/workflows/secret-scan.yml`
+- Runs on pull requests, pushes to `main`, weekly schedule, and manual dispatch
+
 ## License
 
 MIT