
Add secrets scanner to pre-commit #5226

Draft: stevenschrayer wants to merge 1 commit into main from 5224-add-secret-scanner-to-pre-commit

Conversation

@stevenschrayer (Contributor) commented May 4, 2026

Description


Resolves #5224.

Opted for a pre-commit check for now. gitleaks is also useful, but requires provisioning a (free) license key to use the GitHub Action in CI/CD. Would rather not have that tied to my email with the amount of runway remaining, so that is probably a follow-up ticket.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation

How has this been tested?


Generated the .secrets.baseline with detect-secrets (via uv tool add detect-secrets) and populated it. Currently a bit too much to audit, since most entries seem fine.

Added a fake secret via GITHUB_TOKEN=ghp_some-long-fake-token-that-isnt-this and confirmed that I was unable to commit the secret.

Post-merge follow-ups


  • No action required
  • Actions required (specified below)

Determine if it still makes sense to implement gitleaks -- pre-commit only runs when a user is committing, and requires explicitly running pre-commit install, so it could be sidestepped. Adding gitleaks to CI/CD allows configuring notifications for leaked secrets, which is a good second layer.

@stevenschrayer stevenschrayer linked an issue May 4, 2026 that may be closed by this pull request
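For reference, this is the shape of a detect-secrets pre-commit hook wired to a checked-in baseline, as described in the PR above. It is an added example, not the config from this PR (the page does not show the project's .pre-commit-config.yaml); the hook repo and id are the ones documented by detect-secrets, while the pinned rev and the baseline filename are assumptions.

```yaml
# .pre-commit-config.yaml (added example; the PR's own file is not shown on this page)
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0            # assumption: pin to the tag the project actually chose
    hooks:
      - id: detect-secrets
        # Only findings that are NOT already in the baseline block the commit.
        # Anything still unaudited in .secrets.baseline is therefore allowed
        # through until someone runs `detect-secrets audit`.
        args: ["--baseline", ".secrets.baseline"]
```

Setup order for a new clone: `pre-commit install` to register the git hook, `detect-secrets scan > .secrets.baseline` once to create the baseline, and `detect-secrets audit .secrets.baseline` to walk through and mark each baseline entry as a true or false positive. Two caveats worth keeping in mind: a developer can bypass any pre-commit hook with `git commit --no-verify`, and a baseline that has not been audited whitelists every finding it contains, so the "too much to audit" backlog noted above is the window in which a real secret could already be sitting in history unflagged. Both points support the follow-up to add a server-side scan in CI/CD.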