Closed. k-doering-NOAA closed this 2 years ago.
Not quite ready to merge in - I am doing some testing.
@Bai-Li-NOAA I think this is now ready to merge in. Note that the R CMD check will be failing, because one of the functions references the main branch, where the function does not yet exist. I tested with the gitleaks branch name and was able to get R CMD check to pass (a4734d5).
Note that the reusable workflow came from the NEFSC and SEFSC GitHub SOPs.
Thanks @Bai-Li-NOAA, I think it would be great to test this out, as I haven't done any testing to confirm it can catch secrets. I will try to make changes to this tomorrow.
I guess I should have read more about Gitleaks. It seems what the GitHub SOPs are suggesting is already out of date.
@Bai-Li-NOAA, given this new information, do you think we should add it to our package? I'm a little hesitant to add something that won't work for the majority of folks without a license.
Reading a bit more (https://github.com/gitleaks/gitleaks-action#i-really-need-a-secret-scanner-but-i-have-no-money-to-buy-a-license-what-can-i-do), it sounds like v1.6.0 is still free and will work, but apparently there are some "known issues".
@k-doering-NOAA, thanks for sharing the info. I guess I should have read the whole readme file from the gitleaks-action repo before making suggestions 😅. How about we discuss whether we really need a secret scanner or not during the coming modeling team meeting? In the meanwhile, we can always pin the Gitleaks-Action yml to the last free version of Gitleaks-Action (v1.6.0). "See here: How to pin to v1.6.0 Caveat: There are some known issues with that version, and it's no longer receiving updates. But it's better than nothing".
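For reference, the pinned workflow that the comment above describes, written out as an added example (it is not from this pull request or from the gitleaks-action project); the action reference and tag are assumed to match the v1.6.0 pinning instructions linked above, and the checkout action version is an assumption:

```yaml
# Added example: a GitHub Actions workflow that pins Gitleaks-Action to v1.6.0,
# the last free version discussed in this thread. Not part of this pull request.
name: gitleaks

on: [push, pull_request]

permissions:
  contents: read   # least privilege: the scan only needs to read the repository

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0   # full history, so secrets in earlier commits are scanned too
      # Pin to the release tag rather than a moving branch such as @main or @master.
      # Pinning to the commit SHA that the tag points at (verify it yourself and
      # substitute it for the tag) is stronger still, since a tag can be moved
      # after the fact while a commit SHA cannot.
      - uses: gitleaks/gitleaks-action@v1.6.0
```

Because v1.6.0 no longer receives updates, the rule set it ships with will not learn new secret formats, so the pin should be revisited once a supported option is chosen.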
I think I will close this pull request for now, but keep the branch around. I think some NMFS level discussion of what to use is warranted, since the current recommendation to use gitleaks is outdated. I would only like to merge in what is necessary for NMFS developers so as to not confuse folks with additional options!
Addresses #23.