ci: add gitleaks secret scan

Author: rexleimo

.github/workflows/ci.yml

@@ -62,6 +62,21 @@ jobs:
       - name: Format check
         run: cargo fmt --all --check
 
+  secrets:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Scan for secrets
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_ENABLE_COMMENTS: "false"
+
   test:
     name: cargo test (${{ matrix.os }})
     runs-on: ${{ matrix.os }}

AGENTS.md

@@ -45,6 +45,12 @@ Docs deps are pinned in `requirements-docs.txt`. Recommended local setup:
 - `make docs-venv` (creates `.venv-docs/` and installs deps)
 - `make docs`
 
+## Secrets scanning (CI)
+
+CI runs `gitleaks` on PRs/pushes to catch accidentally committed secrets.
+
+- Optional local check: `make secrets-check` (requires `gitleaks` installed)
+
 ## Release preflight (maintainers)
 
 - `loopforge release check --tag vX.Y.Z`

Makefile

@@ -1,4 +1,4 @@
-.PHONY: help fmt fmt-check test docs docs-venv check
+.PHONY: help fmt fmt-check test docs docs-venv secrets-check check
 
 help:
 	@echo "LoopForge (meos) common targets:"
@@ -7,6 +7,7 @@ help:
 	@echo "  make test        - cargo test (workspace, locked)"
 	@echo "  make docs        - mkdocs build --strict (uses .venv-docs if present)"
 	@echo "  make docs-venv   - create .venv-docs and install docs deps"
+	@echo "  make secrets-check - run gitleaks (if installed)"
 	@echo "  make check       - fmt-check + test + docs"
 
 fmt:
@@ -29,4 +30,11 @@ docs-venv:
 	python3 -m venv .venv-docs
 	.venv-docs/bin/pip install -r requirements-docs.txt
 
+secrets-check:
+	@command -v gitleaks >/dev/null 2>&1 || { \
+		echo "gitleaks is not installed (CI runs it automatically). Install gitleaks, then re-run: make secrets-check"; \
+		exit 1; \
+	}
+	gitleaks detect --source . --no-git
+
 check: fmt-check test docs