From 6d47fff383b9ef969aa1e03d363f4f48a286df4f Mon Sep 17 00:00:00 2001
From: Kenichi Kamiya
Date: Sun, 14 Apr 2024 23:29:04 +0900
Subject: [PATCH] Integrate gitleaks to prevent adding secret

---
 .github/workflows/gitleaks.yml | 14 ++++++++++++++
 Makefile.toml                  |  2 ++
 flake.nix                      |  1 +
 3 files changed, 17 insertions(+)
 create mode 100644 .github/workflows/gitleaks.yml

diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
new file mode 100644
index 00000000..decf3b90
--- /dev/null
+++ b/.github/workflows/gitleaks.yml
@@ -0,0 +1,14 @@
+name: 💧
+on: [pull_request, push, workflow_dispatch]
+jobs:
+  gitleaks:
+    timeout-minutes: 15
+    name: gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@e6dab246340401bf53eec993b8f05aebe80ac636 # v2.3.4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/Makefile.toml b/Makefile.toml
index 7713b6ab..8f97423c 100644
--- a/Makefile.toml
+++ b/Makefile.toml
@@ -24,6 +24,7 @@ script = [
   "deno lint",
   "typos . .github .vscode",
   "actionlint",
+  "gitleaks detect",
 ]
 
 [tasks.test]
@@ -77,6 +78,7 @@ script = [
   "jq --version",
   "jnv --version",
   "pinact --version",
+  "gitleaks version",
 ]
 
 [tasks.check_no_git_diff]
diff --git a/flake.nix b/flake.nix
index 551d3418..4bbc8d11 100644
--- a/flake.nix
+++ b/flake.nix
@@ -43,6 +43,7 @@
         gh
         jq
         edge-pkgs.jnv
+        gitleaks
       ];
     };
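Review bot: The new `gitleaks` job declares no `permissions:` block, so the `GITHUB_TOKEN` passed to gitleaks-action in the `env:` step carries whatever default scopes the repository grants to workflows, which on many repositories still includes write access. A scanning job should state its scopes explicitly at the job level, `permissions:` / `  contents: read`, and only widen that if the action turns out to need more (it uses the token to look up pull-request commits; confirm the required scopes against the action's own documentation before tightening). Pinning gitleaks-action to a full commit SHA with the `# v2.3.4` comment is the right pattern; `actions/checkout@v4` is still a mutable tag and could be pinned the same way, unless the repository's pinact run is expected to do that later. Triggering on both `pull_request` and `push` scans same-repository PR branches twice per commit, which is harmless but doubles the noise in the checks list.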
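Review bot: `"gitleaks detect",` in the first Makefile.toml hunk prints each finding with the matched secret value in clear text by default, so a positive hit on a developer machine or in CI output reproduces the very value the check is meant to keep out of the repository. Passing `--redact` masks the secret in the report while still failing the task: `"gitleaks detect --redact",`. Note also that `gitleaks detect` walks the full git history rather than only the working tree, so a finding in an old commit keeps failing lint until it is allowlisted in a `.gitleaks.toml` or the history is cleaned; the task header that owns this `script = [` array is outside the hunk. The second hunk's `"gitleaks version",` only verifies the tool is installed and needs no change.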