ci: Add secrets detector

Signed-off-by: Charlie Truong <chtruong@nvidia.com>

Author: chtruong814

.github/workflows/config/.secrets.baseline

@@ -0,0 +1,195 @@
+{
+  "version": "1.5.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    },
+    {
+      "path": "detect_secrets.filters.regex.should_exclude_file",
+      "pattern": [
+        "pyproject\\.toml|\\.github/workflows/config/\\.secrets\\.baseline"
+      ]
+    }
+  ],
+  "results": {
+    "docs/guides/execution.md": [
+      {
+        "type": "Secret Keyword",
+        "filename": "docs/guides/execution.md",
+        "hashed_secret": "532abb38bbbf7f304a3db907a31f5ecf2cd9e90a",
+        "is_verified": false,
+        "line_number": 267
+      }
+    ],
+    "docs/guides/ray.md": [
+      {
+        "type": "Secret Keyword",
+        "filename": "docs/guides/ray.md",
+        "hashed_secret": "fd385d38140af325c5a7d4ba662a2d0747acce43",
+        "is_verified": false,
+        "line_number": 222
+      }
+    ],
+    "test/core/execution/test_dgxcloud.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "test/core/execution/test_dgxcloud.py",
+        "hashed_secret": "eb3d6b8a9e2a4087e2690c93f6f8a98ec33777fe",
+        "is_verified": false,
+        "line_number": 34
+      }
+    ],
+    "test/core/execution/test_lepton.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "test/core/execution/test_lepton.py",
+        "hashed_secret": "cf38af6a2b49c4106a6828cba9c1ca1fba1c3be4",
+        "is_verified": false,
+        "line_number": 108
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "test/core/execution/test_lepton.py",
+        "hashed_secret": "fe1bae27cb7c1fb823f496f286e78f1d2ae87734",
+        "is_verified": false,
+        "line_number": 392
+      }
+    ],
+    "test/run/torchx_backend/schedulers/test_dgxcloud.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "test/run/torchx_backend/schedulers/test_dgxcloud.py",
+        "hashed_secret": "72cb70dbbafe97e5ea13ad88acd65d08389439b0",
+        "is_verified": false,
+        "line_number": 41
+      }
+    ],
+    "test/run/torchx_backend/test_packaging.py": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "test/run/torchx_backend/test_packaging.py",
+        "hashed_secret": "62d9498a9bb501cca21909ca0d4ca2851ce2eb66",
+        "is_verified": false,
+        "line_number": 72
+      }
+    ]
+  },
+  "generated_at": "2026-01-31T00:24:37Z"
+}

.github/workflows/detect-secrets.yml

@@ -0,0 +1,21 @@
+# Copyright (c) 2026 NVIDIA CORPORATION.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: Secrets detector
+
+on:
+  pull_request:
+
+jobs:
+  secrets-detector:
+    uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_secrets-detector.yml@v0.70.0