
[WIP] Cleaning code-quality.yml and fix Gitleaks issue on CI#18

Closed
tarun-etikala wants to merge 1 commit into red-hat-data-services:main from tarun-e:fix/ci-gitleaks


Conversation

@tarun-etikala (Contributor)

🔧 Fix: Enable Gitleaks Scanning on Fork PRs

Summary

Restructured CI workflows to support fork PR contributions while maintaining secure secret scanning with Gitleaks. Split the monolithic code-quality.yml into two separate workflows for better separation of concerns.

Problem

The previous workflow failed on fork PRs because:

  • Fork PRs cannot access Actions secrets (GITLEAKS_LICENSE)

Changes Made

Split Workflows

  • linting.yml: Linting and formatting checks (no secrets required)
    • Ruff linting and formatting
    • Markdownlint validation
  • security-scanning.yml: Secret detection (requires secrets)
    • Gitleaks secret scanning
    • Talisman validation

Security Scanning Improvements

  • Uses pull_request_target to access secrets while scanning fork code
  • Explicitly checks out PR head SHA (scans incoming changes, not base)
  • Limited permissions following least-privilege principle
  • Static analysis only (Gitleaks/Talisman don't execute code)

References


Type of Change:

  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves existing functionality)
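A minimal security-scanning.yml that applies the four points listed under "Security Scanning Improvements", written here as an added example rather than the PR's own workflow file. The file name and branch filter are assumptions, the Talisman step is omitted, and the action inputs and env names are those documented by actions/checkout and gitleaks/gitleaks-action v2.

```yaml
# security-scanning.yml (assumed name, taken from the PR description)
name: Security scanning

on:
  pull_request_target:
    branches: [main]

# Least privilege: the workflow token can read repository contents and
# PR metadata and nothing else. It never gets write access, and the
# fork's code is only read by the scanner, never executed (no install,
# build or test step runs from the checkout).
permissions:
  contents: read
  pull-requests: read

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Scan the incoming PR commits, not the base branch that
          # pull_request_target checks out by default.
          ref: ${{ github.event.pull_request.head.sha }}
          # Full history so Gitleaks can walk the PR's commit range.
          fetch-depth: 0
          # Do not leave the token in .git/config of a checkout that
          # contains untrusted content.
          persist-credentials: false

      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Available here because pull_request_target runs in the base
          # repository's context; a plain pull_request run from a fork
          # would see an empty value.
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
          # Commenting on the PR would need pull-requests: write; keep
          # the token read-only and rely on the job status instead.
          GITLEAKS_ENABLE_COMMENTS: "false"
```

The caveat that goes with this pattern: pull_request_target hands the base repository's secrets and token to a run over fork-supplied code, so it stays safe only as long as no step executes anything from that checkout (no package installs, hooks, or scripts read from the PR), which is exactly why the PR limits this workflow to static scanners.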

@tarun-etikala tarun-etikala changed the title Cleaning code-quality.yml and fix Gitleaks issue on CI [WIP] Cleaning code-quality.yml and fix Gitleaks issue on CI Nov 20, 2025
