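---
# Secret scanning for pull requests: installs a pinned, checksum-verified
# gitleaks release, checks out the full history, then scans the git history
# (`gitleaks git`) and the working tree (`gitleaks dir`).
name: GitLeaks check

on:  # yamllint disable-line rule:truthy
  pull_request:
    types: [opened, edited, reopened, synchronize]

# Deny all token scopes at workflow level; the job grants what it needs.
permissions: {}

jobs:
  build:
    name: GitLeaks check
    runs-on: ubuntu-22.04
    # Least privilege: the checkout is the only step that uses the job token
    # and it needs read access to repository contents only. No step calls
    # the statuses, packages or pull-requests APIs, so those scopes are not
    # granted.
    permissions:
      contents: read
    steps:
      - name: GitLeaks installation
        shell: bash
        # Install into the per-job temp directory rather than /bin: the step
        # then needs no write access to a system directory, and unpacking
        # the archive cannot overwrite files there.
        working-directory: ${{ runner.temp }}
        run: |
          set -euo pipefail
          VERSION="8.22.0"
          ARCH="$(uname -m)"
          # The SHA-256 values below are pinned per architecture for this
          # VERSION; update them together with VERSION.
          if [ "$ARCH" = "x86_64" ] || [ "$ARCH" = "amd64" ]; then
            TARBALL="gitleaks_${VERSION}_linux_x64.tar.gz"
            CHECKSUM="ad66410e1e0bf262f864b6837b09cfa585f6b5816164023ee64847d3f7415eed gitleaks.tar.gz"
          elif [ "$ARCH" = "aarch64" ] || [ "$ARCH" = "arm64" ]; then
            TARBALL="gitleaks_${VERSION}_linux_arm64.tar.gz"
            CHECKSUM="3f95fef7e361adafed2b1bb9c591ba3bc6b595b4f296b346257301b7bf04be15 gitleaks.tar.gz"
          else
            echo "Unsupported architecture: $ARCH" >&2
            exit 1
          fi
          wget -O "gitleaks.tar.gz" "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/${TARBALL}"
          # Verify the download before unpacking; a mismatch fails the step.
          echo "$CHECKSUM" | sha256sum --check
          # Unpack into a dedicated directory so only the archive's own files
          # end up on PATH.
          mkdir -p gitleaks-bin
          tar -xzf gitleaks.tar.gz -C gitleaks-bin
          chmod +x gitleaks-bin/gitleaks
          # Expose the binary to the following steps.
          echo "$PWD/gitleaks-bin" >> "$GITHUB_PATH"

      - name: code checkout
        # Pinned to a full commit SHA so a moved tag cannot change the code
        # that runs with the job token.
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          # Full history, so `gitleaks git` sees every commit.
          fetch-depth: 0
          # The scan is local; do not leave the job token in .git/config.
          persist-credentials: false

      - name: GitLeaks check
        # --redact keeps matched secret values out of the job log if
        # findings are ever printed (e.g. once --verbose is enabled).
        run: gitleaks git --redact && gitleaks dir --redact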