test: forcing failure with a ghp token pattern

Author: moghit-eou

.github/workflows/security.yml

@@ -1,12 +1,36 @@
-name: Gitleaks
-on: [push, pull_request]
-
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+ 
 jobs:
-  scan:
+  secret-scan:
+    name: Scan for secrets
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@v4
         with:
-          fetch-depth: 0 # look at history, not just the latest commit
-          
-      - uses: gitleaks/gitleaks-action@v2
+          fetch-depth: 0  # secrets can hide in old commits
+ 
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          args: >-
+            --redact
+            --report-format sarif
+            --report-path gitleaks-results.sarif
+            --exit-code 1
+ 
+      - name: Upload SARIF to GitHub Security tab
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: gitleaks-results.sarif
+          category: secret-scanning