chore: add security workflow

Author: thasmo

.github/workflows/release.yaml

@@ -9,10 +9,13 @@ jobs:
   source:
     name: verify source
     uses: ./.github/workflows/source.yaml
+  security:
+    name: verify security
+    uses: ./.github/workflows/security.yaml
   release:
     name: release version
     runs-on: ubuntu-latest
-    needs: [source]
+    needs: [source, security]
     permissions:
       id-token: write
       issues: write

.github/workflows/security.yaml

@@ -0,0 +1,43 @@
+name: SECURITY
+
+on:
+  workflow_call:
+  merge_group:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  trufflehog:
+    name: trufflehog
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      issues: write
+      pull-requests: write
+    steps:
+      - name: checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: scan source
+        id: trufflehog
+        uses: trufflesecurity/trufflehog@bff3d2670b362bbb4a0bcdeffea146cbc2ad3abd
+      - name: evaluate results
+        if: steps.trufflehog.outcome == 'failure'
+        run: exit 1
+  gitleaks:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: scan source
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}