feat(security): add gitleaks for secret detection

Integrate gitleaks to detect and prevent secrets from being committed:

- Add .gitleaks.toml configuration with default rules
- Add gitleaks to pre-commit hook via lefthook (runs first in pipeline)
- Add gitleaks job to CI workflow using gitleaks-action
- Add gitleaks to nix flake for local development

This replaces secretlint with a more widely adopted solution that
provides comprehensive detection of API keys, tokens, and credentials.

Author: ryoppippi

.github/workflows/ci.yaml

@@ -16,6 +16,19 @@ permissions:
   id-token: write
 
 jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   typos:
     runs-on: ubuntu-latest
     steps:

.gitleaks.toml

@@ -0,0 +1,14 @@
+# Gitleaks configuration
+# https://github.com/gitleaks/gitleaks
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Global allowlist"
+paths = [
+    '''\.lock$''',
+    '''\.snap$''',
+    '''go\.sum$''',
+    '''pnpm-lock\.yaml$''',
+]

flake.nix

@@ -29,6 +29,9 @@
               nixfmt-rfc-style
               typos
               typos-lsp
+
+              # security
+              gitleaks
             ];
 
             shellHook = ''

lefthook.yaml

@@ -1,6 +1,8 @@
 pre-commit:
   piped: true
   jobs:
+    - name: gitleaks
+      run: gitleaks protect --staged --config .gitleaks.toml
     - name: oxlint
       glob: '*.{ts,tsx,js,jsx,mts,cts}'
       run: pnpm oxlint --max-warnings=0 --type-aware --type-check --fix {staged_files}