From 4325e2ae4e2c7d9979310dd11a432cf5978e214c Mon Sep 17 00:00:00 2001
From: Val Redchenko <lazyval@gmail.com>
Date: Fri, 20 Feb 2026 18:29:01 +0000
Subject: [PATCH 1/3] feat: add gitleaks secret scanning

This repo previously had no secret scanning. Add gitleaks to align
with all other DLS repos.

- Add gitleaks CI workflow
- Add lefthook with gitleaks pre-push hook
- Add lefthook as devDependency with prepare script
- Add empty .gitleaks.toml (no known false positives)

Note: run `pnpm install` to update lockfile after merging.

Ref: DiamondLightSource/smartem-devtools#139
See: ADR-0018 in smartem-devtools
---
 .github/workflows/leaked-secrets-scan.yml | 21 +++++++++++++++++++++
 .gitleaks.toml                            |  2 ++
 lefthook.yml                              |  7 +++++++
 package.json                              |  2 ++
 4 files changed, 32 insertions(+)
 create mode 100644 .github/workflows/leaked-secrets-scan.yml
 create mode 100644 .gitleaks.toml
 create mode 100644 lefthook.yml

diff --git a/.github/workflows/leaked-secrets-scan.yml b/.github/workflows/leaked-secrets-scan.yml
new file mode 100644
index 00000000..1f3d67d5
--- /dev/null
+++ b/.github/workflows/leaked-secrets-scan.yml
@@ -0,0 +1,21 @@
+name: Leaked Secrets Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 3 * * *'
+  workflow_dispatch:
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 00000000..ddfb5f57
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,2 @@
+# Gitleaks configuration
+# Add path or regex allowlists here if false positives arise
diff --git a/lefthook.yml b/lefthook.yml
new file mode 100644
index 00000000..f68879aa
--- /dev/null
+++ b/lefthook.yml
@@ -0,0 +1,7 @@
+# Lefthook Git Hooks Configuration
+# Documentation: https://github.com/evilmartians/lefthook/blob/master/docs/configuration.md
+
+pre-push:
+  commands:
+    gitleaks:
+      run: gitleaks protect --staged --redact
diff --git a/package.json b/package.json
index 343e3104..41790fbf 100644
--- a/package.json
+++ b/package.json
@@ -23,6 +23,7 @@
     "lint:tsc": "pnpm tsc --noEmit",
     "rollup": "rollup --config rollup.config.mjs",
     "storybook": "storybook dev -p 6006 --disable-telemetry",
+    "prepare": "lefthook install",
     "storybook:build": "storybook build -o storybook-static",
     "storybook:publish": "gh-pages -b storybook/publish -d storybook-static"
   },
@@ -81,6 +82,7 @@
     "eslint-plugin-react-hooks": "^5.1.0",
     "file-loader": "^6.2.0",
     "gh-pages": "^6.2.0",
+    "lefthook": "^1.11.0",
     "react-dom": "^18.3.1",
     "react-router-dom": "^7.12.0",
     "rollup": "^4.27.3",

From 2ac59e2162aeaed7293e78e9f263cf33eba294e9 Mon Sep 17 00:00:00 2001
From: Val Redchenko <lazyval@gmail.com>
Date: Fri, 24 Apr 2026 13:28:13 +0100
Subject: [PATCH 2/3] fix(ci): swap gitleaks action for CLI to avoid license
 requirement

gitleaks/gitleaks-action@v2 requires a paid GITLEAKS_LICENSE secret
for repos owned by organisations, which caused the scan to fail on
PR #149. The CLI (free under MIT) provides equivalent scanning and
is the pattern already used across smartem-frontend, smartem-devtools,
fandanGO-cryoem-dls, and smartem-decisions.
---
 .github/workflows/leaked-secrets-scan.yml | 25 +++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/leaked-secrets-scan.yml b/.github/workflows/leaked-secrets-scan.yml
index 1f3d67d5..799d8cdb 100644
--- a/.github/workflows/leaked-secrets-scan.yml
+++ b/.github/workflows/leaked-secrets-scan.yml
@@ -10,12 +10,29 @@ on:
   workflow_dispatch:
 
 jobs:
-  gitleaks:
+  gitleaks-cli:
+    name: gitleaks (CLI)
     runs-on: ubuntu-latest
+    env:
+      GITLEAKS_VERSION: '8.30.0'
     steps:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install gitleaks
+        run: |
+          curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+            | tar -xz -C /usr/local/bin gitleaks
+          gitleaks version
+
+      - name: Run gitleaks
+        run: gitleaks detect --source . --redact -c .gitleaks.toml -v --report-format sarif --report-path gitleaks-report.sarif
+
+      - name: Upload report
+        uses: actions/upload-artifact@v7
+        if: always()
+        with:
+          name: gitleaks-report
+          path: gitleaks-report.sarif
+          retention-days: 30

From 2a178ee11d38d50f4e1f226ed131b6d0643a1675 Mon Sep 17 00:00:00 2001
From: Val Redchenko <lazyval@gmail.com>
Date: Fri, 24 Apr 2026 15:54:42 +0100
Subject: [PATCH 3/3] chore: update pnpm-lock.yaml for lefthook

The gitleaks commit added lefthook as a devDependency in package.json
but didn't update the lockfile. CI runs with --frozen-lockfile and
blocks on the drift. Regenerate lockfile to match package.json.
---
 pnpm-lock.yaml | 100 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 100 insertions(+)

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index e159246c..b35e8494 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -159,6 +159,9 @@ importers:
       gh-pages:
         specifier: ^6.2.0
         version: 6.3.0
+      lefthook:
+        specifier: ^1.11.0
+        version: 1.13.6
       react-dom:
         specifier: ^18.3.1
         version: 18.3.1(react@18.3.1)
@@ -3505,6 +3508,60 @@ packages:
   keyv@4.5.4:
     resolution: {integrity: sha512-oxVHkHR/EJf2CNXnWxRLW6mg7JyCCUcG0DtEGmL2ctUo1PNTin1PUil+r/+4r5MpVgC/fn1kjsx7mjSujKqIpw==}
 
+  lefthook-darwin-arm64@1.13.6:
+    resolution: {integrity: sha512-m6Lb77VGc84/Qo21Lhq576pEvcgFCnvloEiP02HbAHcIXD0RTLy9u2yAInrixqZeaz13HYtdDaI7OBYAAdVt8A==}
+    cpu: [arm64]
+    os: [darwin]
+
+  lefthook-darwin-x64@1.13.6:
+    resolution: {integrity: sha512-CoRpdzanu9RK3oXR1vbEJA5LN7iB+c7hP+sONeQJzoOXuq4PNKVtEaN84Gl1BrVtCNLHWFAvCQaZPPiiXSy8qg==}
+    cpu: [x64]
+    os: [darwin]
+
+  lefthook-freebsd-arm64@1.13.6:
+    resolution: {integrity: sha512-X4A7yfvAJ68CoHTqP+XvQzdKbyd935sYy0bQT6Ajz7FL1g7hFiro8dqHSdPdkwei9hs8hXeV7feyTXbYmfjKQQ==}
+    cpu: [arm64]
+    os: [freebsd]
+
+  lefthook-freebsd-x64@1.13.6:
+    resolution: {integrity: sha512-ai2m+Sj2kGdY46USfBrCqLKe9GYhzeq01nuyDYCrdGISePeZ6udOlD1k3lQKJGQCHb0bRz4St0r5nKDSh1x/2A==}
+    cpu: [x64]
+    os: [freebsd]
+
+  lefthook-linux-arm64@1.13.6:
+    resolution: {integrity: sha512-cbo4Wtdq81GTABvikLORJsAWPKAJXE8Q5RXsICFUVznh5PHigS9dFW/4NXywo0+jfFPCT6SYds2zz4tCx6DA0Q==}
+    cpu: [arm64]
+    os: [linux]
+
+  lefthook-linux-x64@1.13.6:
+    resolution: {integrity: sha512-uJl9vjCIIBTBvMZkemxCE+3zrZHlRO7Oc+nZJ+o9Oea3fu+W82jwX7a7clw8jqNfaeBS+8+ZEQgiMHWCloTsGw==}
+    cpu: [x64]
+    os: [linux]
+
+  lefthook-openbsd-arm64@1.13.6:
+    resolution: {integrity: sha512-7r153dxrNRQ9ytRs2PmGKKkYdvZYFPre7My7XToSTiRu5jNCq++++eAKVkoyWPduk97dGIA+YWiEr5Noe0TK2A==}
+    cpu: [arm64]
+    os: [openbsd]
+
+  lefthook-openbsd-x64@1.13.6:
+    resolution: {integrity: sha512-Z+UhLlcg1xrXOidK3aLLpgH7KrwNyWYE3yb7ITYnzJSEV8qXnePtVu8lvMBHs/myzemjBzeIr/U/+ipjclR06g==}
+    cpu: [x64]
+    os: [openbsd]
+
+  lefthook-windows-arm64@1.13.6:
+    resolution: {integrity: sha512-Uxef6qoDxCmUNQwk8eBvddYJKSBFglfwAY9Y9+NnnmiHpWTjjYiObE9gT2mvGVpEgZRJVAatBXc+Ha5oDD/OgQ==}
+    cpu: [arm64]
+    os: [win32]
+
+  lefthook-windows-x64@1.13.6:
+    resolution: {integrity: sha512-mOZoM3FQh3o08M8PQ/b3IYuL5oo36D9ehczIw1dAgp1Ly+Tr4fJ96A+4SEJrQuYeRD4mex9bR7Ps56I73sBSZA==}
+    cpu: [x64]
+    os: [win32]
+
+  lefthook@1.13.6:
+    resolution: {integrity: sha512-ojj4/4IJ29Xn4drd5emqVgilegAPN3Kf0FQM2p/9+lwSTpU+SZ1v4Ig++NF+9MOa99UKY8bElmVrLhnUUNFh5g==}
+    hasBin: true
+
   levn@0.4.1:
     resolution: {integrity: sha512-+bT2uH4E5LGE7h/n3evcS/sQlJXCpIp6ym8OWJ5eV6+67Dsql/LaaT7qJBAt2rzfoa/5QBGBhxDix1dMt2kQKQ==}
     engines: {node: '>= 0.8.0'}
@@ -8636,6 +8693,49 @@ snapshots:
     dependencies:
       json-buffer: 3.0.1
 
+  lefthook-darwin-arm64@1.13.6:
+    optional: true
+
+  lefthook-darwin-x64@1.13.6:
+    optional: true
+
+  lefthook-freebsd-arm64@1.13.6:
+    optional: true
+
+  lefthook-freebsd-x64@1.13.6:
+    optional: true
+
+  lefthook-linux-arm64@1.13.6:
+    optional: true
+
+  lefthook-linux-x64@1.13.6:
+    optional: true
+
+  lefthook-openbsd-arm64@1.13.6:
+    optional: true
+
+  lefthook-openbsd-x64@1.13.6:
+    optional: true
+
+  lefthook-windows-arm64@1.13.6:
+    optional: true
+
+  lefthook-windows-x64@1.13.6:
+    optional: true
+
+  lefthook@1.13.6:
+    optionalDependencies:
+      lefthook-darwin-arm64: 1.13.6
+      lefthook-darwin-x64: 1.13.6
+      lefthook-freebsd-arm64: 1.13.6
+      lefthook-freebsd-x64: 1.13.6
+      lefthook-linux-arm64: 1.13.6
+      lefthook-linux-x64: 1.13.6
+      lefthook-openbsd-arm64: 1.13.6
+      lefthook-openbsd-x64: 1.13.6
+      lefthook-windows-arm64: 1.13.6
+      lefthook-windows-x64: 1.13.6
+
   levn@0.4.1:
     dependencies:
       prelude-ls: 1.2.1