Make sure no API key is inside our repos

.env

@@ -0,0 +1,2 @@
+MY_API_KEY=super-secret-api-key
+MY_SUPER_SECRET_PASSWORD=this-is-my-password

.github/workflows/workflow-detect-secret-leaks.yml

@@ -0,0 +1,58 @@
+name: Detect secrets leaks
+
+on:
+  workflow_call:
+  push:
+    branches:
+      - '**'
+
+jobs:
+  detect-secret-leaks:
+    runs-on: gh-runner
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      # https://github.com/hashicorp/vault-action?tab=readme-ov-file#multiple-secrets
+      # https://github.com/hashicorp/vault-action?tab=readme-ov-file#example-usage
+      - name: Authenticate with Vault using GitHub OIDC and retrieve secrets
+        uses: hashicorp/[email protected]
+        with:
+          url: https://vault.vault.svc.cluster.local:8200
+          method: github
+          tlsSkipVerify: true
+          githubToken: ${{ secrets.VAULT_TOKEN }}
+          secrets: |
+            kv/data/test * | VAULTACTIONKEY_;
+
+      - name: Install git-secrets
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y git build-essential
+          git clone https://github.com/awslabs/git-secrets.git
+          cd git-secrets
+          sudo make install
+
+      - name: Add API keys to git-secrets
+        run: |
+          set +H
+          set -f
+          for var in $(compgen -e VAULTACTIONKEY_); do
+            value="${!var}"
+            if [ -n "$value" ]; then
+              git secrets --add --literal "$value" || echo "git secrets failed for variable $var" >&2
+            else
+              echo "Skipping empty variable $var"
+            fi
+          done
+
+      - name: Scan repository for secrets
+        run: |
+          git secrets --scan -r
+
+      - name: Remove git-secrets patterns
+        run: |
+          git config --remove-section git-secrets || true