Limit SDK secret scan to current tree #13

	name: secret-scan

	on:
	pull_request:
	push:
	branches:
	- main
	- "codex/**"

	jobs:
	gitleaks:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: Install gitleaks
	run: \|
	set -euo pipefail
	VERSION=8.28.0
	curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \
	\| tar -xz
	sudo install gitleaks /usr/local/bin/gitleaks
	- name: Run gitleaks
	run: gitleaks dir . --redact --no-banner --exit-code 1 --verbose

Provide feedback