From 66b1fca4ced6d42c32dea46251b99aab02f611c8 Mon Sep 17 00:00:00 2001
From: tAsh
Date: Tue, 19 May 2026 16:29:33 +0530
Subject: [PATCH] chore: harden gitleaks and quality gates
---
 .github/workflows/gitleaks.yml | 11 ++++-------
 .pre-commit-config.yaml | 6 ++++++
 2 files changed, 10 insertions(+), 7 deletions(-)
 create mode 100644 .pre-commit-config.yaml
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index e336bb6..42a6990 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -3,8 +3,6 @@ name: gitleaks
 on:
 pull_request:
 push:
- branches:
- - main
 workflow_dispatch:
 permissions:
@@ -12,16 +10,15 @@ permissions:
 pull-requests: read
 jobs:
- scan:
- name: scan
+ gitleaks:
+ name: gitleaks
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # actions/checkout@v4
 with:
 fetch-depth: 0
-
 - name: Run Gitleaks
- uses: gitleaks/gitleaks-action@v2
+ uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # gitleaks/gitleaks-action@v2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..1fc29dc
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,6 @@
+# Optional local pre-commit hooks. CI is the enforced gate.
+repos:
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.30.1
+ hooks:
+ - id: gitleaks
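Review bot: In the first hunk of `.github/workflows/gitleaks.yml`, the now-bare `push:` trigger has no comment saying the branch filter was removed on purpose, so a later tidy-up could quietly restore `branches: [main]` and narrow the scan again. A one-line comment above it would record the intent, for example `# no branch filter: scan pushes to every branch and tag, not only main`. With `pull_request:` still listed, a branch in this repository that has an open pull request is scanned once per event; that looks like an accepted cost of the wider coverage, and the same comment is a good place to say so.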
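Review bot: In the second hunk of `.github/workflows/gitleaks.yml`, the trailing comments on the two pinned `uses:` lines name only the moving major tags (`# actions/checkout@v4`, `# gitleaks/gitleaks-action@v2`), so nothing in the file tells a reader which release each SHA was taken from, and the page cannot confirm the mapping. Record the exact release in the comment, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.X.Y` with `v4.X.Y` standing in for the real tag, and check that each SHA is reachable from that tag in the upstream repository rather than only from a fork. Separately, renaming the job from `scan` to `gitleaks` changes the check name it reports; if a branch protection rule or ruleset requires the old name (not visible here), it has to be updated with this change, otherwise pull requests wait on a check that never reports and the new job is not a required gate. The `permissions:` mapping starts above this hunk, so its first entry is not visible.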
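Review bot: `rev: v8.30.1` in the new `.pre-commit-config.yaml` is a mutable tag, while the same commit pins both workflow actions to full commit SHAs, so the local hook is the one place where upstream code still runs unpinned, and it runs on developer machines. pre-commit accepts a commit SHA as `rev`, and `pre-commit autoupdate --freeze` writes it with the tag kept as a comment, giving `rev: <commit-sha-of-v8.30.1>  # frozen: v8.30.1` (the SHA is a placeholder here). The header comment could also say how the hook is enabled, e.g. `# Enable with: pre-commit install`.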