feat: Add Gitleaks configuration for secret scanning and update CI workflow to include Gitleaks license and custom config.

Arnel Jan Sarmiento · Arnel Jan Sarmiento · commit 0a30280d42af · 2026-04-11T16:46:25.000+08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -57,4 +57,7 @@ jobs:
           fetch-depth: 0
       - uses: gitleaks/gitleaks-action@v2
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+        with:
+          args: detect --source . --redact --no-git --config .gitleaks.toml
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,11 @@
+title = "Durianpy gitleaks configuration"
+
+# Keep this minimal: use Gitleaks' built-in rules and add only repo-specific allowlists.
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Allowlists for known non-secret patterns and generated artifacts in Durianpy infrastructure"
+
+# Avoid scanning common vendor/lock artifacts and build caches in commits.
+paths = []
