Merge pull request #1 from cloudant/releng#1062-add-github-action-for-detect-secrets

Add detect-secrets integration with GitHub Actions and Makefile

Author: rupeshkumarsahu

.github/workflows/detect-secrets.yaml

@@ -0,0 +1,42 @@
+name: Detect Secrets Scan
+
+on:
+  push:
+    branches: ["**"]
+  pull_request:
+    branches: [master]
+
+jobs:
+  detect-secrets:
+    name: Scan for Secrets (uses committed baseline config)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install detect-secrets
+        run: pip install git+https://github.com/ibm/detect-secrets.git@master#egg=detect-secrets
+
+      - name: Compare baseline
+        run: |
+          cp .secrets.baseline .secrets.baseline.bak
+          detect-secrets scan --update .secrets.baseline --suppress-unscannable-file-warnings
+
+          grep -v '"generated_at":' .secrets.baseline.bak > before.cleaned
+          grep -v '"generated_at":' .secrets.baseline     > after.cleaned
+
+          if ! diff before.cleaned after.cleaned > secrets.diff; then
+            echo "::error::Secrets baseline changed (excluding timestamp)."
+            cat secrets.diff
+            rm .secrets.baseline.bak before.cleaned after.cleaned secrets.diff
+            exit 1
+          else
+            echo "✅ No actual secret changes detected."
+            rm .secrets.baseline.bak before.cleaned after.cleaned secrets.diff
+          fi