From 1bee79b7f46447503fb67f96e832c186c44053a0 Mon Sep 17 00:00:00 2001
From: Alex Wegener
Date: Sun, 26 Apr 2026 21:09:13 +0200
Subject: [PATCH 1/2] ci: add gitleaks secret-scan workflow

Adds canonical Gitleaks secret-scan CI matching the de-facto Yesterday-AI standard (template byte-identical with agentic-foundation, agent-services, cloud, openclaw). Triggers on PR + push to main; scans only the diff (PR commit range or push before..sha), not full history. No per-repo customization on first pass; add .gitleaksignore later if false positives appear.
---
 .github/workflows/secret-scan.yml | 34 +++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 .github/workflows/secret-scan.yml

diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
new file mode 100644
index 0000000..332bd00
--- /dev/null
+++ b/.github/workflows/secret-scan.yml
@@ -0,0 +1,34 @@
+name: Secret Scanning
+
+on:
+ pull_request:
+ push:
+ branches: [main, master]
+
+permissions:
+ contents: read
+
+jobs:
+ secret-scan:
+ name: Gitleaks Secret Scan
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Install Gitleaks
+ run: |
+ VERSION=$(curl -sI https://github.com/gitleaks/gitleaks/releases/latest | grep -i '^location:' | sed 's/.*tag\/v//' | tr -d '\r')
+ curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" | tar xz
+ chmod +x gitleaks
+
+ - name: Scan for secrets
+ run: |
+ if [ "${{ github.event_name }}" = "pull_request" ]; then
+ ./gitleaks detect --source . --log-opts "${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}" --verbose
+ else
+ ./gitleaks detect --source . --log-opts "${{ github.event.before }}..${{ github.sha }}" --verbose
+ fi
From c33487f0e4999c63487a1579289086d959a60dfc Mon Sep 17 00:00:00 2001
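Review bot: The Install Gitleaks step near the end of the hunk resolves `latest` from a redirect header and pipes an unverified tarball straight into `tar`, so the scanner's own supply chain is unpinned: a bad or tampered release would run unchecked with the repository checked out, and because the default `run:` shell is `bash -e` without `pipefail`, an empty `VERSION` from a failed `grep` only surfaces later as a confusing download error. Pin the version and check the release's published SHA-256 before extracting (or use `gitleaks/gitleaks-action` pinned to a commit SHA), and consider pinning `actions/checkout@v4` to a full commit SHA for the same reason. The `--log-opts` ranges interpolate only commit SHAs from the event payload, so that part looks safe from expression injection.
```yaml
      # … unchanged: Checkout code step …
      - name: Install Gitleaks
        run: |
          GITLEAKS_VERSION="X.Y.Z"          # placeholder: pin to a reviewed release
          GITLEAKS_SHA256="<sha256-from-release-checksums>"  # placeholder: expected digest of the tarball
          curl -sSfLo gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          echo "${GITLEAKS_SHA256}  gitleaks.tar.gz" | sha256sum -c -
          tar xzf gitleaks.tar.gz gitleaks
          chmod +x gitleaks
      # … unchanged: Scan for secrets step …
```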
From: Alex Wegener
Date: Sun, 26 Apr 2026 21:56:06 +0200
Subject: [PATCH 2/2] fix(ci): guard against null-SHA on branch-creation push

Per YyRemy review on llm-gateway#56: github.event.before is the 40-zero null SHA (0000000000000000000000000000000000000000) on the first push to a new branch. Running 'git log 0000...SHA' fails, producing a noisy CI error rather than a clean scan. Fix: branch the push case on whether before is the null SHA. When it is, scan the full tree (--source . --verbose, no --log-opts). When it isn't, use the before..sha range as before. Applied to all 7 of my secret-scan PRs in lockstep so the template stays uniform across the plugin family.
---
 .github/workflows/secret-scan.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
index 332bd00..3735a28 100644
--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@@ -30,5 +30,11 @@ jobs:
 if [ "${{ github.event_name }}" = "pull_request" ]; then
 ./gitleaks detect --source . --log-opts "${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}" --verbose
 else
- ./gitleaks detect --source . --log-opts "${{ github.event.before }}..${{ github.sha }}" --verbose
+ BEFORE="${{ github.event.before }}"
+ if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]; then
+ # Branch creation push -- no prior SHA. Scan full tree.
+ ./gitleaks detect --source . --verbose
+ else
+ ./gitleaks detect --source . --log-opts "${BEFORE}..${{ github.sha }}" --verbose
+ fi
 fi
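Review bot: The new guard in the `else` branch only catches the all-zero `before`, but the `${BEFORE}..${{ github.sha }}` range also fails when `before` is no longer reachable after a force push to main, which is the other case where this range breaks; a reachability test covers both: `if [ "$BEFORE" = "0000000000000000000000000000000000000000" ] || ! git cat-file -e "${BEFORE}^{commit}" 2>/dev/null; then`. The fallback's comment says `Scan full tree`, but without `--no-git` I believe `gitleaks detect` walks the whole git history, which is what the first patch said this workflow avoids and could be slow under `timeout-minutes: 10`; either add `--no-git` for a working-tree scan or reword the comment to `# No usable range -- scan full git history.` The enclosing `run: |` block starts above the hunk.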