docs(spec): unify SPEC at v0.6 (two execution profiles) + parser acce… #77
```yaml
name: Secret scan

# Source-of-truth secret detection. Runs on every PR and on pushes to main.
# The local pre-commit hook (bin/install-git-hooks) is fast feedback; this
# workflow is the gate that secrets cannot bypass via `git commit --no-verify`.

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  gitleaks:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # gitleaks needs full history to scan the diff range. fetch-depth: 0
          # is the documented setup for the official action.
          fetch-depth: 0

      - name: Run gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Use the .gitleaks.toml at the repo root.
          GITLEAKS_CONFIG: .gitleaks.toml
```