---
# Secret-scanning workflow: runs gitleaks against pull requests.
name: GitLeaks check

on:  # yamllint disable-line rule:truthy
  pull_request:
    # `synchronize` re-runs the scan whenever new commits are pushed to the
    # pull request branch.
    types:
      - opened
      - edited
      - reopened
      - synchronize

# Workflow-level default: the job token gets no scopes unless a job below
# grants them explicitly.
permissions: {}

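jobs:
  build:
    name: GitLeaks check
    runs-on: ubuntu-22.04
    # NOTE(review): the visible steps only check out the repository and run a
    # local scanner, which needs `contents: read`. Nothing here uses the
    # `pull-requests`, `packages` or `statuses` scopes; confirm they are
    # required, otherwise drop them (the write scope first).
    permissions:
      contents: read
      pull-requests: read
      packages: read
      statuses: write
    steps:
      - name: GitLeaks installation
        # NOTE(review): installs straight into /bin, so the job user must be
        # able to write there. Confirm this holds for the runner image in use.
        working-directory: /bin
        run: |
          set -e

          # Release tag and the SHA-256 of the exact asset fetched below.
          # Bump both together: the checksum is what pins the binary.
          VERSION="v8.22.0"
          CHECKSUM="3f95fef7e361adafed2b1bb9c591ba3bc6b595b4f296b346257301b7bf04be15  gitleaks.tar.gz"

          # The asset name carries the version without the leading "v".
          # Derive it from VERSION so the tag and the file name cannot drift.
          # NOTE(review): this is the linux_arm64 build. Confirm the runner
          # behind the `ubuntu-22.04` label is arm64; changing architecture
          # also means replacing CHECKSUM with the value for that asset.
          ASSET="gitleaks_${VERSION#v}_linux_arm64.tar.gz"
          URL="https://github.com/gitleaks/gitleaks/releases/download/$VERSION/$ASSET"

          wget -O "gitleaks.tar.gz" "$URL"
          # Verify before unpacking: with `set -e`, a mismatch aborts the step
          # and the archive is never extracted or executed.
          echo "$CHECKSUM" | sha256sum --check

          tar xzf gitleaks.tar.gz
          chmod +x gitleaks
      - name: code checkout
        # Pinned to a full commit SHA, so a moved tag cannot change the action
        # code that runs in this job.
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          # Full history, so `gitleaks git` can inspect every commit.
          fetch-depth: 0
          # No later step talks to the remote; do not leave the job token in
          # the local git configuration while pull request content is scanned.
          persist-credentials: false
      - name: GitLeaks check
        # `git` scans the commit history, `dir` scans the files on disk. The
        # second scan only runs when the first one exits successfully.
        run: gitleaks git && gitleaks dir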