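---
# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
# SPDX-License-Identifier: Apache-2.0
#
# Secret scanning of the checked-out working tree with gitleaks.
# The rule set (.gitleaks.toml) and the accepted-findings baseline come from
# the shared orch-ci repository. gitleaks exits non-zero on any finding that is
# not in the baseline, which fails the job; the JSON report is uploaded either
# way so a failure can be triaged from the artifact.
name: "[Code Analysis] Gitleaks Scan"
run-name: "[Code Analysis] Gitleaks Scan"
on:
  workflow_dispatch: {}
  pull_request:
    branches:
      - main
      - release-*
    types:
      - opened
      - synchronize
      - reopened
  push:
    branches:
      - main
      - release-*
  # Trigger workflow when enqueued to a merge group
  # (must be under 'on')
  merge_group:
# Only run at most 1 workflow concurrently per PR or per branch to keep costs down
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
# Read-only token: nothing in this workflow writes back to the repository.
permissions:
  contents: read # needed for actions/checkout
jobs:
  secrets-gitleaks-scan:
    name: "Run Gitleaks Scan"
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      # persist-credentials: false keeps GITHUB_TOKEN out of .git/config, so
      # neither a later step nor the scanned tree itself can read it back.
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - name: Install gitleaks
        uses: open-edge-platform/orch-ci/.github/actions/bootstrap@8b0ae64836f0395b21ff9dd7d9438284e8e8beda
        with:
          bootstrap_tools: "gitleaks"
      # NOTE(review): no `ref:` is given, so the rules and baseline are taken
      # from orch-ci's default branch at run time, whereas the bootstrap action
      # above is pinned to a commit. A change in orch-ci can therefore alter
      # what this scan flags or accepts with no change in this repository; pin
      # `ref:` to a commit if that drift is not intended.
      - name: Clone CI repo
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          repository: open-edge-platform/orch-ci
          path: ci
          persist-credentials: false
      # `gitleaks dir` scans the files on disk, not git history: a secret that
      # was committed and later removed is not found here (the shallow checkout
      # above carries no history anyway). Use `gitleaks git` with
      # `fetch-depth: 0` if history coverage is required.
      #
      # `--redact` masks the matched secret value in both the verbose log and
      # the JSON report, so the artifact uploaded below - readable by anyone
      # with read access to the run - does not republish the credential the
      # scan just found. Baseline matching is by fingerprint (path, rule, line),
      # not by secret value, so redaction should not change which findings the
      # baseline suppresses.
      #
      # NOTE(review): `.` also covers the `ci/` clone made above; any finding
      # inside it is reported under a `ci/...` path and may therefore not match
      # a baseline entry recorded against orch-ci's own layout.
      - name: Scan for secrets
        run: |
          gitleaks dir . -v --redact -c ci/.gitleaks.toml --baseline-path ci/gitleaks_baselines/gitleaks.json -r gitleaks.json
      # Upload the report even when the scan step failed - that is exactly
      # when it is needed.
      - name: Upload Gitleaks Report
        if: always()
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: gitleaks-report
          path: gitleaks.json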