on:
  push:

name: Secret Leaks

permissions:
  contents: read

jobs:
  trufflehog:
    runs-on: ubuntu-latest
    steps:
    - shell: bash
      run: |
        if [ "${{ github.event_name }}" == "push" ]; then
          echo "depth=$(($(jq length <<< '${{ toJson(github.event.commits) }}') + 2))" >> $GITHUB_ENV
          echo "branch=${{ github.ref_name }}" >> $GITHUB_ENV
        fi
        if [ "${{ github.event_name }}" == "pull_request" ]; then
          echo "depth=$((${{ github.event.pull_request.commits }}+2))" >> $GITHUB_ENV
          echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
        fi
    - name: Checkout code
      uses: actions/checkout@v4
      with:
        ref: ${{env.branch}}
        fetch-depth: ${{env.depth}}
    - name: Secret Scanning
      uses: trufflesecurity/trufflehog@main