Add gitleaks secret scan#2

Merged
george-elphick-talieisin merged 1 commit into
mainfrom
chore/add-gitleaks
Apr 23, 2026
Conversation

@george-elphick-talieisin (Contributor)

Wires in the org-wide gitleaks secret-scan reusable workflow. Runs on every PR + push to default branch. Replaces GitHub's paid Secret Protection with a free, org-unified gate.

Copilot AI review requested due to automatic review settings April 23, 2026 20:55
@george-elphick-talieisin george-elphick-talieisin enabled auto-merge (squash) April 23, 2026 20:55
@george-elphick-talieisin george-elphick-talieisin merged commit 3fdadf3 into main Apr 23, 2026
2 checks passed

Copilot AI left a comment

Pull request overview

Adds a GitHub Actions workflow to run an org-wide reusable Gitleaks-based secret scan on pull requests and on pushes to selected branches, intended to replace GitHub Secret Protection with a unified, free alternative.

Changes:

  • Introduces a new Secret scan GitHub Actions workflow.
  • Triggers scans on pull_request and on push to main/master.
  • Delegates execution to an org-wide reusable workflow (Talieisin/.github/.../secret-scan.yml).

    branches: [main, master]

jobs:
  scan:

Copilot AI Apr 23, 2026

Consider setting explicit minimal permissions for this workflow (or job) so the GITHUB_TOKEN doesn’t inherit broader-than-needed defaults from org/repo settings. Secret scanning typically only needs contents: read (and possibly pull-requests: read depending on the reusable workflow).

Suggested change
-  scan:
+  scan:
+    permissions:
+      contents: read
+      pull-requests: read

jobs:
  scan:
    uses: Talieisin/.github/.github/workflows/secret-scan.yml@main

Copilot AI Apr 23, 2026

The reusable workflow is referenced with @main, which can change over time and introduces a supply-chain risk (a compromised or buggy update would affect this repo immediately). Pin the uses: ref to a tagged release or a specific commit SHA and update it intentionally when you want new behavior.

Suggested change
-    uses: Talieisin/.github/.github/workflows/secret-scan.yml@main
+    uses: Talieisin/.github/.github/workflows/secret-scan.yml@0123456789abcdef0123456789abcdef01234567

Comment on lines +4 to +5
  push:
    branches: [main, master]

Copilot AI Apr 23, 2026

The PR description says this runs on push to the default branch, but the workflow is hard-coded to only run on pushes to main or master. If this repo’s default branch is different (or gets renamed), pushes won’t be scanned. Update on.push.branches to match the actual default branch for this repo (and avoid listing branches you don’t intend to support).

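A policy check covering the three review points above (a mutable ref on the reusable workflow, no explicit permissions, and a push branch filter that may not match the default branch), added here as an example; it is not part of this PR or of the Talieisin reusable workflow. It generalizes the comments into a lint that can be run over any workflow file; the two sample workflows and the 40-hex SHA are constructed placeholders.

```python
import re

# Constructed sample of the workflow as reviewed in this PR (mutable @main ref, no permissions).
WEAK_WORKFLOW = """\
on:
  pull_request:
  push:
    branches: [main, master]
jobs:
  scan:
    uses: Talieisin/.github/.github/workflows/secret-scan.yml@main
"""

# Constructed hardened variant; the 40-hex ref is a placeholder, not a real commit SHA.
HARDENED_WORKFLOW = """\
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
  pull-requests: read
jobs:
  scan:
    uses: Talieisin/.github/.github/workflows/secret-scan.yml@0123456789abcdef0123456789abcdef01234567
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)       # every action/workflow reference
PUSH_BRANCHES_RE = re.compile(r"^\s*push:\s*\n\s*branches:\s*\[([^\]]*)\]", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")                      # only a full SHA is immutable


def check_workflow(text: str, default_branch: str) -> list[str]:
    """Return policy findings for one workflow file (empty list means clean)."""
    findings = []
    for m in USES_RE.finditer(text):
        target, _, ref = m.group(1).partition("@")  # a missing @ref yields '' and is flagged too
        if not FULL_SHA_RE.match(ref):
            findings.append(f"{target}: ref '{ref}' is not a full commit SHA")
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append("no permissions block; GITHUB_TOKEN inherits repo/org defaults")
    pm = PUSH_BRANCHES_RE.search(text)
    if pm:  # no branch filter means every push is scanned, which needs no finding
        branches = [b.strip() for b in pm.group(1).split(",") if b.strip()]
        if default_branch not in branches:
            findings.append(f"push.branches {branches} omits default branch '{default_branch}'")
        for extra in (b for b in branches if b != default_branch):
            findings.append(f"push.branches lists '{extra}', which is not the default branch")
    return findings
```

Run it against each workflow file under .github/workflows with the repository's actual default branch; a non-empty list is a gate failure.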
@george-elphick-talieisin george-elphick-talieisin deleted the chore/add-gitleaks branch April 24, 2026 07:51