1 changed files with 48 additions and 1 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@ -480,9 +480,56 @@ jobs:
          fetch-depth: 0

      - name: Scan for secrets
-        run: gitleaks detect --source . --no-banner --redact --exit-code 0
+        run: |
+          gitleaks detect \
+            --source . \
+            --no-banner \
+            --redact \
+            --verbose \
+            --platform git.levkin.ca \
+            --report-path gitleaks-report.json \
+            --exit-code 0
        continue-on-error: true

+      - name: Install jq for report parsing
+        run: apk add --no-cache jq
+
+      - name: Display secret scan results
+        if: always()
+        run: |
+          if [ -f gitleaks-report.json ]; then
+            echo "## 🔐 Secret Scan Results" >> $GITHUB_STEP_SUMMARY || true
+            echo "" >> $GITHUB_STEP_SUMMARY || true
+            
+            # Count leaks
+            LEAK_COUNT=$(jq 'length' gitleaks-report.json 2>/dev/null || echo "0")
+            echo "**Total leaks found: $LEAK_COUNT**" >> $GITHUB_STEP_SUMMARY || true
+            echo "" >> $GITHUB_STEP_SUMMARY || true
+            
+            if [ "$LEAK_COUNT" -gt 0 ]; then
+              echo "### Leak Details" >> $GITHUB_STEP_SUMMARY || true
+              echo "" >> $GITHUB_STEP_SUMMARY || true
+              echo "| File | Line | Rule | Description | Commit |" >> $GITHUB_STEP_SUMMARY || true
+              echo "|------|------|------|-------------|--------|" >> $GITHUB_STEP_SUMMARY || true
+              
+              # Extract and display leak details
+              jq -r '.[] | "| \(.File) | \(.Line) | \(.RuleID) | \(.Description // "N/A") | \(.Commit // "N/A") |"' gitleaks-report.json >> $GITHUB_STEP_SUMMARY || true
+              echo "" >> $GITHUB_STEP_SUMMARY || true
+              
+              echo "### Full Report (JSON)" >> $GITHUB_STEP_SUMMARY || true
+              echo '```json' >> $GITHUB_STEP_SUMMARY || true
+              cat gitleaks-report.json >> $GITHUB_STEP_SUMMARY || true
+              echo '```' >> $GITHUB_STEP_SUMMARY || true
+              
+              echo "" >> $GITHUB_STEP_SUMMARY || true
+              echo "⚠️ **Action Required:** Review and remove the secrets found above." >> $GITHUB_STEP_SUMMARY || true
+            else
+              echo "✅ No secrets detected!" >> $GITHUB_STEP_SUMMARY || true
+            fi
+          else
+            echo "⚠️  No report file generated" >> $GITHUB_STEP_SUMMARY || true
+          fi
+
  dependency-scan:
    needs: skip-ci-check
    if: needs.skip-ci-check.outputs.should-skip != '1'