
ci: add secret-scan (gitleaks) job for push-protection compliance#123

Open
don-petry wants to merge 1 commit into main from claude/issue-95-20260419-1649

Conversation

@don-petry
Contributor

Summary

  • Adds the required secret-scan job to .github/workflows/ci.yml per Layer 3 of the push-protection standard
  • Full-history checkout (fetch-depth: 0) — scans all commits, not just the PR diff
  • --redact so leaked values are never written to workflow logs
  • --exit-code 1 so the build fails on any finding
  • Both actions pinned to commit SHAs per Action Pinning Policy

This satisfies the secret_scan_ci_job_present (error severity) compliance check.

What still requires human admin action

The security_and_analysis_unavailable warning persists because the compliance audit token lacks admin scope to read security_and_analysis settings. A repo/org admin needs to:

  1. Ensure the audit token has the admin:repo_hook / admin scope on this repo
  2. Verify these settings are enabled in GitHub Settings → Code security:
    • Secret scanning: enabled
    • Secret scanning push protection: enabled
    • Secret scanning AI detection: enabled (may require plan upgrade)
    • Secret scanning non-provider patterns: enabled (may require plan upgrade)
    • Dependabot security updates: enabled

Test plan

  • CI runs secret-scan job on this PR
  • gitleaks scans full history, finds no secrets
  • Job passes (green)
  • Weekly compliance audit shows secret_scan_ci_job_present resolved

Closes #95

Generated with Claude Code

Adds the required `secret-scan` job to ci.yml per Layer 3 of the
push-protection standard (standards/push-protection.md#layer-3).

Key properties:
- Full-history checkout (fetch-depth: 0) — scans all commits
- --redact so leaked values never appear in workflow logs
- --exit-code 1 so the build fails on any finding
- Both actions pinned to commit SHAs per Action Pinning Policy

Addresses the secret_scan_ci_job_present (error severity) compliance
check. The security_and_analysis_unavailable warning requires a repo
admin to ensure the audit token has admin scope — see PR description.

Closes #95

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
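The description above lists the properties the job must have (SHA-pinned actions, full-history checkout, `--redact`, `--exit-code 1`) and names the `secret_scan_ci_job_present` check that gates on them. What follows is an added example of how such a check can be implemented offline; it is my code, not the repository's workflow or its compliance audit, whose implementation is not shown on this page. The identifier `secret_scan_ci_job_present` is taken from the PR text; every other check name, the severity scale and both embedded workflow fragments are constructed for the example. The last helper models the response of GitHub's Git refs API because the SHA lookup quoted in the workflow comment (`--jq '.object.sha'`) returns a tag object, not a commit, for annotated tags.

```python
"""Offline audit of a GitHub Actions workflow for the properties this PR claims.
Added example, not the repository's compliance audit (whose code is not on the page);
line-based on purpose so it runs with the standard library only, without a YAML parser."""
from __future__ import annotations
import re
from dataclasses import dataclass

SHA40 = re.compile(r"[0-9a-f]{40}")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


@dataclass(frozen=True)
class Finding:
    check: str     # identifier; secret_scan_ci_job_present is from the PR, the rest are constructed
    severity: str  # error | warning | info
    message: str


def check_action_pinning(workflow: str) -> list[Finding]:
    """Every third-party `uses:` must be a 40-hex commit SHA followed by a version comment."""
    out = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local and docker references are outside the SHA-pinning policy
        action, _, ref = m.group(1).partition("@")
        if not SHA40.fullmatch(ref):
            out.append(Finding("action_not_sha_pinned", "error",
                               f"line {n}: {action}@{ref} is a mutable ref; pin to a commit SHA"))
        elif "#" not in line:
            out.append(Finding("pin_missing_version_comment", "warning",
                               f"line {n}: {action}@{ref[:7]} has no '# vX.Y.Z' comment to audit the pin against"))
    return out


def job_lines(workflow: str, job: str) -> list[str]:
    """Lines of jobs.<job>, delimited by indentation; [] if the job is absent."""
    lines, in_jobs, start, indent = workflow.splitlines(), False, None, 0
    for i, line in enumerate(lines):
        body = line.lstrip()
        depth = len(line) - len(body)
        if start is None:
            if line.startswith("jobs:"):
                in_jobs = True
            elif in_jobs and depth > 0 and body.startswith(job + ":"):
                start, indent = i, depth
        elif body and depth <= indent:  # next job or next top-level key ends the block
            return lines[start:i]
    return lines[start:] if start is not None else []


def check_secret_scan_job(workflow: str) -> list[Finding]:
    """secret_scan_ci_job_present, plus the job properties the PR description lists."""
    block = "\n".join(job_lines(workflow, "secret-scan"))
    if "gitleaks" not in block:
        return [Finding("secret_scan_ci_job_present", "error", "no secret-scan job running gitleaks")]
    out = []
    if not re.search(r"fetch-depth:\s*0\b", block):
        out.append(Finding("secret_scan_shallow_history", "error",
                           "shallow checkout: gitleaks sees only recent commits, not the full history"))
    if "--redact" not in block:
        out.append(Finding("secret_scan_unredacted_logs", "error",
                           "gitleaks runs without --redact; matched secret values land in the workflow log"))
    if not re.search(r"--exit-code\s+1\b", block):
        out.append(Finding("secret_scan_exit_code_implicit", "info",
                           "no explicit --exit-code 1 (gitleaks v8 defaults to 1 on findings; state it anyway)"))
    return out


def audit(workflow: str) -> list[Finding]:
    return check_action_pinning(workflow) + check_secret_scan_job(workflow)


def ref_sha_is_commit(ref_json: dict) -> tuple[str, bool]:
    """(sha, is_commit) for a GET /repos/{owner}/{repo}/git/ref/tags/<tag> response. For an
    annotated tag .object.sha is the tag object, which must be dereferenced via /git/tags/{sha}."""
    obj = ref_json["object"]
    return obj["sha"], obj["type"] == "commit"


# Constructed workflow fragments for the checks above (not the repository's ci.yml).
COMPLIANT = """\
jobs:
  secret-scan:
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
      - name: Run gitleaks
        run: gitleaks detect --source . --redact --exit-code 1
"""
NON_COMPLIANT = """\
jobs:
  secret-scan:
    steps:
      - uses: actions/checkout@v4
      - run: gitleaks detect --source . --exit-code 1
  build:
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
"""
```

Wired into a weekly audit, `audit(open(".github/workflows/ci.yml").read())` would fail on any `error` finding; `COMPLIANT` yields no findings, `NON_COMPLIANT` yields the unpinned `@v4`, the uncommented SHA, the missing `fetch-depth: 0` and the missing `--redact`. The line-based scan deliberately trades precision for zero dependencies; a real audit that has PyYAML available should walk the parsed `jobs` mapping instead.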
Copilot AI review requested due to automatic review settings April 19, 2026 16:53
@coderabbitai

coderabbitai Bot commented Apr 19, 2026

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 54 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 14 minutes and 54 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cc9d5aeb-2fdf-48e1-bc92-4565835486a0

📥 Commits

Reviewing files that changed from the base of the PR and between f9d9937 and aa2cab6.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

@don-petry
Contributor Author

CODEOWNERS review requested. @don-petry — this PR adds the gitleaks job to satisfy the compliance check. Please review and merge when CI is green.

Copilot AI left a comment


Pull request overview

Adds a CI-layer secret scanning job to support push-protection compliance by running gitleaks in the main CI workflow.

Changes:

  • Adds a new secret-scan job to .github/workflows/ci.yml.
  • Uses full-history checkout (fetch-depth: 0) and runs gitleaks detect with --redact and --exit-code 1.


Comment thread .github/workflows/ci.yml
Comment on lines +139 to +146
# Pin to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0

- name: Run gitleaks
# Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
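Review bot: the lookup command in the comment, `gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'`, reads `.object.sha` without checking `.object.type`; for an annotated tag that SHA is the tag object rather than the commit, so the command should dereference through `git/tags/<sha>` whenever `.object.type` is `tag` before the value goes into `uses:` (the singular `git/ref/tags/v4` endpoint, which returns exactly one ref, is the current form of this call). The `# v4` annotation beside the SHA names a floating major tag that moves with every v4.x.y release, not the release the SHA was taken from, which makes the pin hard to audit or refresh; comment the exact release tag and confirm the SHA resolves to it before merging. The `ci-standards.md#action-pinning-policy` reference in both comments should point at the document that actually defines the policy in this repository.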

Copilot AI Apr 19, 2026


The comment references ci-standards.md#action-pinning-policy, but there’s no ci-standards.md (or section anchor) in this repo, so this guidance is currently a dead link. Please update the reference to the actual document/location where action pinning is defined (or remove the reference if it’s not documented here).

Suggested change
# Pin to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
- name: Run gitleaks
# Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Pin to a commit SHA rather than a mutable tag.
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
- name: Run gitleaks
# Pin to a commit SHA rather than a mutable tag.

Comment thread .github/workflows/ci.yml
Comment on lines +139 to +146
# Pin to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0

- name: Run gitleaks
# Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).

Copilot AI Apr 19, 2026


This comment also points to ci-standards.md#action-pinning-policy, which doesn’t exist in this repository. Update it to the correct in-repo documentation location so future maintainers can follow the pin-refresh instructions.

Suggested change
# Pin to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
- name: Run gitleaks
# Pinned to SHA per Action Pinning Policy (ci-standards.md#action-pinning-policy).
# Pin to SHA per Action Pinning Policy (coding-standards.md#action-pinning-policy).
# Look up current SHA: gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha'
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
- name: Run gitleaks
# Pinned to SHA per Action Pinning Policy (coding-standards.md#action-pinning-policy).

@github-actions
Contributor

Auto-rebase blocked — the base branch contains .github/workflows/ changes that require the workflows permission to merge into this branch, but the auto-rebase workflow's token does not have that permission.

Please rebase this branch manually:

git fetch origin
git rebase origin/main
git push --force-with-lease



Development

Successfully merging this pull request may close these issues.

Compliance: security_and_analysis_unavailable
