Add a security-audit GitHub Actions workflow to guard against committing secrets
or internal/operational specifics — a privacy guardrail that matters most for
public repos.

What to add (reference implementation: Gilamonster-Foundation/nessie-identity)

- gitleaks secret scan run via the open-source binary (pin e.g. `v8.30.1`). Do not use the `gitleaks-action` wrapper — it requires a paid `GITLEAKS_LICENSE` for organization repos; the binary is free for everyone.
- An internal-specifics linter (`scripts/check-internal-specifics.sh`) that fails on real private IPs (RFC 1918 / CGNAT), internal TLDs, overlay-network hostnames, directory realms, and personal emails — while allowing RFC 5737 / `example.*` placeholders through.
- `.gitleaks.toml` allowlisting the documentation placeholders.
- `.pre-commit-config.yaml` mirroring the checks locally before commit.
- `SECURITY.md` + `docs/PRIVACY.md` describing the public/private split and the placeholder rules.

Notes

- Run the secret-scan/privacy gate on GitHub-hosted runners (reliable, isolated, free for public repos).
- Pin actions to a Node 24 major (e.g. `actions/checkout@v5`).

Tracking issue only — no automated changes have been made.
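As an added illustration of the internal-specifics linter described above, here is a small POSIX shell script in the same spirit. It is example code written for this page, not the project's `scripts/check-internal-specifics.sh`. It covers three of the listed categories (private/CGNAT IPv4, internal-TLD and overlay hostnames, personal emails); the specific TLD list, the `.ts.net` overlay suffix and the webmail providers are assumptions, and directory realms are not handled. The allowlist is applied per matched token rather than per line, so a line that contains both an `example.*` placeholder and a real RFC 1918 address still fails, which is the edge case a line-based `grep -v` would miss.

```shell
#!/bin/sh
# Example internal-specifics linter (added example, not the nessie-identity
# project's script). The category lists below are assumptions chosen for
# illustration. Requires GNU grep (uses \b word boundaries).
#
# Exit status 1 when a real-looking internal value is found, 0 otherwise,
# so it can run as a pre-commit hook or as a CI step.

# RFC 1918 (10/8, 172.16/12, 192.168/16) and CGNAT RFC 6598 (100.64/10).
PRIVATE_IP_RE='\b(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3}|100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.[0-9]{1,3}\.[0-9]{1,3})\b'

# Hostnames under internal TLDs (assumed list) or the .ts.net overlay suffix.
INTERNAL_HOST_RE='\b[a-z0-9][a-z0-9.-]*\.(internal|local|lan|corp|home|ts\.net)\b'

# Personal webmail addresses (assumed list of providers).
PERSONAL_EMAIL_RE='\b[a-z0-9._%+-]+@(gmail|yahoo|hotmail|outlook|icloud)\.com\b'

# Placeholders that are always allowed: hostnames ending in example.<tld>
# and the RFC 5737 documentation ranges. Matched against each found token
# (as "line:token"), so other tokens on the same line are still reported.
ALLOW_RE='(example\.[a-z]+$|\b(192\.0\.2|198\.51\.100|203\.0\.113)\.[0-9]{1,3}$)'

# Reads text on stdin, prints one "line:token" per finding, returns 1 if any.
scan_internal_specifics() {
    findings=$(grep -Eion \
            -e "$PRIVATE_IP_RE" -e "$INTERNAL_HOST_RE" -e "$PERSONAL_EMAIL_RE" \
        | { grep -Eiv "$ALLOW_RE" || true; })
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample input (not project content): real-looking internal
# values mixed with placeholders that must pass.
SAMPLE='db_host: 10.20.30.40
vpn: 100.64.1.7
ldap: ldap.corp.local
docs: api.example.com 192.0.2.10
contact: ops@example.org
leak: alice@gmail.com'

# Scan the files given as arguments (hook/CI mode), or the sample when none.
if [ "$#" -gt 0 ]; then
    cat -- "$@" | scan_internal_specifics
    exit $?
fi
printf '%s\n' "$SAMPLE" | scan_internal_specifics \
    || echo "findings above would block the commit"
```

Run with no arguments to see the four findings from the sample (lines 1, 2, 3 and 6; the `example.*` and RFC 5737 values on lines 4 and 5 pass); run with file paths, e.g. from a pre-commit hook, to scan real content and get a non-zero exit when anything is found.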