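---
# .woodpecker/secret-scan.yml — Block PRs that leak plaintext secrets
#
# Runs on pull_request events that touch secret-adjacent paths and executes
# .woodpecker/run-secret-scan.sh (per the original header it sources
# lib/secret-scan.sh — TODO confirm) against the changed files. A non-zero
# exit from the scanner fails the pipeline.
#
# NOTE(review): this pipeline and run-secret-scan.sh are both read from the
# PR head that is checked out below, so a PR can edit the scanner it is being
# scanned with. Treat the job as a guard rail and enforce it with branch
# protection / a required status on the target branch.
#
# NOTE(review): FORGE_TOKEN must be allowed for pull_request events for the
# clone below to work; if it is, it is presumably also exposed to PRs from
# forks — keep it a read-only token scoped to this repository.

when:
  - event: pull_request
    path:
      - ".env*"
      - "tools/vault-*.sh"
      - "nomad/**/*"
      - "vault/**/*"
      - "action-vault/**/*"
      - "lib/hvault.sh"
      - "lib/action-vault.sh"

clone:
  git:
    # TODO(review): pin to a digest (alpine/git@sha256:...) so the clone
    # step's toolchain cannot change underneath the job.
    image: alpine/git
    commands:
      # Build the authenticated URL with POSIX parameter expansion instead of
      # piping through sed: a token containing '|', '&' or '\' would break the
      # sed replacement or silently corrupt the URL. Same result as the old
      # `s|://|://token:$FORGE_TOKEN@|` for well-behaved tokens.
      - 'SCHEME="${CI_REPO_CLONE_URL%%://*}"'
      - 'AUTH_URL="${SCHEME}://token:${FORGE_TOKEN}@${CI_REPO_CLONE_URL#*://}"'
      - git clone --depth 50 "$AUTH_URL" .
      # Fetch the target branch first and the PR ref last so that FETCH_HEAD
      # unambiguously names the PR head (git resolves FETCH_HEAD to the first
      # entry written by the most recent fetch). The old single fetch relied
      # on argument order for the same effect.
      # NOTE(review): a 50-commit window may hold no merge base with the target
      # branch for long-lived PRs; if run-secret-scan.sh diffs against the
      # target, check that it copes (e.g. by deepening) rather than scanning
      # nothing.
      - git fetch --depth 50 origin "$CI_COMMIT_TARGET_BRANCH"
      - git fetch --depth 50 origin "$CI_COMMIT_REF"
      - git checkout FETCH_HEAD
      # Scrub the token out of .git/config: the remote URL written by the
      # clone persists into every later step's workspace (and anything that
      # caches or archives it) — exactly the kind of plaintext secret this
      # pipeline exists to catch.
      - git remote set-url origin "$CI_REPO_CLONE_URL"

steps:
  - name: secret-scan
    # TODO(review): pin to a digest (alpine@sha256:...) as well.
    image: alpine:3
    commands:
      - apk add --no-cache bash git grep
      - bash .woodpecker/run-secret-scan.sh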