fix: [nomad-prep] P11 — wire lib/secret-scan.sh into Woodpecker CI gate (#798)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.woodpecker/secret-scan.yml

@@ -0,0 +1,32 @@
+# .woodpecker/secret-scan.yml — Block PRs that leak plaintext secrets
+#
+# Triggers on pull requests touching secret-adjacent paths.
+# Sources lib/secret-scan.sh and scans each changed file's content.
+# Exits non-zero if any potential secret is detected.
+
+when:
+  - event: pull_request
+    path:
+      - ".env*"
+      - "tools/vault-*.sh"
+      - "nomad/**/*"
+      - "vault/**/*"
+      - "action-vault/**/*"
+      - "lib/hvault.sh"
+      - "lib/action-vault.sh"
+
+clone:
+  git:
+    image: alpine/git
+    commands:
+      - AUTH_URL=$(printf '%s' "$CI_REPO_CLONE_URL" | sed "s|://|://token:$FORGE_TOKEN@|")
+      - git clone --depth 50 "$AUTH_URL" .
+      - git fetch --depth 50 origin "$CI_COMMIT_REF" "$CI_COMMIT_TARGET_BRANCH"
+      - git checkout FETCH_HEAD
+
+steps:
+  - name: secret-scan
+    image: alpine:3
+    commands:
+      - apk add --no-cache bash git grep
+      - bash .woodpecker/run-secret-scan.sh