feat(ci): add scheduled secret scanning workflow

.github/workflows/secrets-scan-daily.yml

@@ -0,0 +1,80 @@
+name: Daily Secrets Detection
+
+on:
+  schedule:
+    # Run daily at 9:00 AM UTC
+    - cron: '0 9 * * *'
+  workflow_dispatch: # Allow manual triggering
+
+permissions:
+  contents: read
+  id-token: write # Required for SLSA attestation
+
+jobs:
+  onboard_workflow:
+    name: Onboard Chainloop Workflow
+    uses: chainloop-dev/labs/.github/workflows/chainloop_onboard.yml@6bbd1c2b3022e48ae60afa0c2b90f3b6d31bcf11
+    with:
+      project: "chainloop"
+      workflow_name: "daily-secrets-detection"
+    secrets:
+      api_token: ${{ secrets.CHAINLOOP_TOKEN }}
+
+  daily-secrets-scan:
+    name: Daily Secrets Scan
+    needs: onboard_workflow
+    runs-on: ubuntu-latest
+    env:
+      CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
+      CHAINLOOP_WORKFLOW_NAME: ${{ needs.onboard_workflow.outputs.workflow_name }}
+      CHAINLOOP_PROJECT_NAME: ${{ needs.onboard_workflow.outputs.project_name }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Chainloop
+        run: |
+          curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- --ee
+
+      - name: Initialize Attestation
+        run: |
+          chainloop attestation init --workflow ${CHAINLOOP_WORKFLOW_NAME} --project ${CHAINLOOP_PROJECT_NAME}
+
+      - name: Install Gitleaks
+        run: |
+          wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz
+          mkdir -p /tmp/gitleaks-install
+          tar -xzf gitleaks_8.30.0_linux_x64.tar.gz -C /tmp/gitleaks-install
+          sudo install /tmp/gitleaks-install/gitleaks /usr/local/bin/
+          rm -rf /tmp/gitleaks-install gitleaks_8.30.0_linux_x64.tar.gz
+          gitleaks version
+
+      - name: Run Gitleaks Scan
+        run: |
+          gitleaks dir . \
+            --report-format json \
+            --report-path gitleaks-report.json \
+            --config .github/workflows/utils/.gitleaks.toml \
+            || true
+
+      - name: Add Gitleaks Report to Attestation
+        run: |
+          chainloop attestation add \
+            --name gitleaks-scan \
+            --value gitleaks-report.json \
+            --kind GITLEAKS_JSON
+
+      - name: Finish and Push Attestation
+        if: ${{ success() }}
+        run: |
+          chainloop attestation push
+
+      - name: Mark attestation as failed
+        if: ${{ failure() }}
+        run: |
+          chainloop attestation reset
+
+      - name: Mark attestation as cancelled
+        if: ${{ cancelled() }}
+        run: |
+          chainloop attestation reset --trigger cancellation

.github/workflows/utils/.gitleaks.toml

@@ -0,0 +1,11 @@
+title = "Gitleaks config"
+
+[extend]
+useDefault = true
+
+# Ignore test files and test directories
+[[allowlists]]
+paths = [
+  '''.*_test\..*''',                    # Test files
+  '''(^|/)testdata/.*''',               # Testdata directories
+]

.gitleaksignore

@@ -0,0 +1,27 @@
+# .gitleaksignore
+#
+# This file contains fingerprints for verified false positives in gitleaks scans.
+# Format: file_path:rule_id:line_number
+
+# PostHog public API key
+app/cli/cmd/root.go:generic-api-key:413
+
+# Buf dependency version
+buf.yaml:generic-api-key:135
+
+# Development keys
+devel/devkeys/cas.pem:private-key:1
+devel/devkeys/ca.pem:private-key:1
+
+# Expired JWT token example in development documentation
+devel/README.md:jwt:162
+
+# Helm chart deployment documentation, example private keys, content redacted or truncated
+deployment/chainloop/README.md:private-key:231
+deployment/chainloop/charts/vault/README.md:private-key:96
+
+# Helm chart templates, development keys that cannot be generated
+deployment/chainloop/templates/_helpers.tpl:private-key:43
+
+# Helm values.yaml, field documentation example
+deployment/chainloop/values.yaml:private-key:114