Add detect-secrets integration with GitHub Actions and Makefile

Issue: https://github.ibm.com/cloudant/releng/issues/1062

Added GitHub Action to scan secrets on PRs
Included Makefile for easy baseline updates
Auto-installs detect-secrets and cleans up
Added short README for developer usage
Configured baseline with exclusions and plugin tweaks

Author: rupeshkumarsahu

.github/workflows/detect-secrets.yaml

@@ -0,0 +1,42 @@
+name: Detect Secrets Scan
+
+on:
+  push:
+    branches: ["**"]
+  pull_request:
+    branches: [main]
+
+jobs:
+  detect-secrets:
+    name: Scan for Secrets (uses committed baseline config)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install detect-secrets
+        run: pip install git+https://github.com/ibm/detect-secrets.git@master#egg=detect-secrets
+
+      - name: Compare baseline
+        run: |
+          cp .secrets.baseline .secrets.baseline.bak
+          detect-secrets scan --update .secrets.baseline --suppress-unscannable-file-warnings
+
+          grep -v '"generated_at":' .secrets.baseline.bak > before.cleaned
+          grep -v '"generated_at":' .secrets.baseline     > after.cleaned
+
+          if ! diff before.cleaned after.cleaned > secrets.diff; then
+            echo "::error::Secrets baseline changed (excluding timestamp)."
+            cat secrets.diff
+            rm .secrets.baseline.bak before.cleaned after.cleaned secrets.diff
+            exit 1
+          else
+            echo "✅ No actual secret changes detected."
+            rm .secrets.baseline.bak before.cleaned after.cleaned secrets.diff
+          fi