[StepSecurity] Apply security best practices #153

	name: PSSecretScanner

	on:
	push:
	branches:
	- main
	pull_request:
	workflow_dispatch:

	permissions:
	contents: read

	concurrency:
	group: pssecret-${{ github.ref }}
	cancel-in-progress: false

	jobs:
	pssecret-scanner:
	runs-on: ubuntu-latest
	steps:
	- name: Harden the runner (Audit all outbound calls)
	uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
	with:
	egress-policy: audit

	- name: Checkout code
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	# PowerShell is available by default on ubuntu-latest, so no setup step is required
	- name: Install PSSecretScanner
	shell: pwsh
	run: \|
	Install-Module -Name PSSecretScanner -Force -Scope CurrentUser
	- name: Create .ignoresecrets file
	run: \|
	echo "CHANGELOG.md" >> .ignoresecrets
	echo "CNAME" >> .ignoresecrets
	- name: Run PSSecretScanner
	shell: pwsh
	continue-on-error: true
	run: \|
	Import-Module PSSecretScanner
	if (Test-Path .ignoresecrets) {
	$results = Find-Secret -Path . -Excludelist .ignoresecrets
	} else {
	$results = Find-Secret -Path .
	}
	$results \| Format-Table \| Out-String \| Write-Host
	if ($results) { Write-Error 'Secrets found!'; exit 1 } else { Write-Host 'No secrets found.' }

Provide feedback