
Test change - enable secret scan using TruffleHog#9055

Open

gmanal wants to merge 1 commit into NVIDIA:main from gmanal:enable-secret-scan

Conversation

@gmanal

@gmanal gmanal commented May 18, 2026

Description

closes

Checklist

  • New or existing tests cover these changes.
  • The documentation is up to date with these changes.

@gmanal gmanal requested a review from a team as a code owner May 18, 2026 14:51
@gmanal gmanal requested a review from alliepiper May 18, 2026 14:51
@github-project-automation github-project-automation Bot moved this to Todo in CCCL May 18, 2026
@cccl-authenticator-app cccl-authenticator-app Bot moved this from Todo to In Review in CCCL May 18, 2026
@coderabbitai
Contributor

coderabbitai Bot commented May 18, 2026


📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Configured automated secret scanning in the CI/CD pipeline and local development environment using TruffleHog to enhance code security.

Walkthrough

This PR adds secret scanning to the repository using TruffleHog, integrated at both local pre-commit and CI stages. The pre-commit hook and GitHub Actions workflow both reference NVIDIA's centralized security-workflows, enabling consistent scanning across developer environments and automated pipeline checks.

Changes

Secret scanning infrastructure

Layer                                   | File(s)                           | Summary
Pre-commit hook configuration           | .pre-commit-config.yaml           | Adds the secret-scan-trufflehog hook from NVIDIA's centralized security-workflows repository, pinned to main, placed at the start of the pre-commit hook list.
GitHub Actions secret scanning workflow | .github/workflows/secret-scan.yml | Defines the Secret Scan (TruffleHog) workflow, triggered on pushes to main and pull-request branches plus manual dispatch. Sets read-only contents permissions, configures concurrency cancellation per ref, and invokes the centralized NVIDIA reusable workflow with repository-dependent runner selection (linux-amd64-cpu4 for NVIDIA/cccl, falling back to ubuntu-latest).



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2150ba70-f7a2-43bb-b4f8-fa11975c7330

📥 Commits

Reviewing files that changed from the base of the PR and between e054ac6 and 68d1dfb.

📒 Files selected for processing (2)
  • .github/workflows/secret-scan.yml
  • .pre-commit-config.yaml

Comment thread .github/workflows/secret-scan.yml
# copy-pr-bot mirror branches; matches the trigger model used by
# ci-workflow-pull-request.yml so PR scans run in the same trust
# context as the rest of CI.
- "pull-request/[0-9]+"
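Review bot: `pull-request/[0-9]+` in `on.push.branches` is evaluated as a glob, not a regex, so this entry only matches a branch literally named `pull-request/[0-9]+` and the mirror-branch scans the comment describes never run. Use `pull-request/*`; if only numeric copy-pr-bot mirror branches should be scanned, enforce that in a job step that tests `${{ github.ref_name }}` against `^pull-request/[0-9]+$`. It would also help to quote the exact branch pattern from `ci-workflow-pull-request.yml` in this comment so the two trigger lists can be checked against each other.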

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

GitHub Actions workflow syntax: for on.push.branches, does the pattern pull-request/[0-9]+ behave as regex or glob? What pattern should match branches like pull-request/1234?

💡 Result:

In GitHub Actions workflow syntax, the on.push.branches and on.pull_request.branches filters use glob patterns, not regular expressions [1][2][3]. Because these filters use glob matching, the pattern pull-request/[0-9]+ will not behave as a regex. Instead, it will be interpreted literally as a glob pattern, meaning it will only match a branch named exactly "pull-request/[0-9]+". To match branches like pull-request/1234 using glob syntax, you should use the wildcard character * [1][3]. The pattern pull-request/* will match any branch that starts with pull-request/ followed by any characters (excluding a slash, depending on the specific glob implementation, though * is generally sufficient for this structure) [4][3]. If you need to ensure the remainder consists only of digits, glob patterns do not support character classes like [0-9]+ [1][2]. In such cases, you would need to either accept the broader glob match or perform the validation within a job step using a script (e.g., bash) to check the branch name against a regex [5][6].

important: Line 25 uses pull-request/[0-9]+, but GitHub Actions branch filters use glob patterns, not regex. This pattern will not match branches like pull-request/1234. Use pull-request/* instead.

Comment thread .github/workflows/secret-scan.yml
# template — verify the released tag's SHA at swap time):
#
# uses: NVIDIA/security-workflows/.github/workflows/secret-scan-trufflehog.yml@ab5558d84285152b16c190f57b79789e452b3f2b # v0.1.0
uses: NVIDIA/security-workflows/.github/workflows/secret-scan-trufflehog.yml@main
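Review bot: the live `uses:` line still points at `@main` even though the commented template directly above it already has the SHA-pinned form; verify that SHA against the released tag as the comment instructs and ship the pinned line (`...@ab5558d84285152b16c190f57b79789e452b3f2b # v0.1.0`) in this PR rather than leaving a mutable branch ref in the workflow that decides what the secret scan does. The template comment can then be dropped, since the trailing `# v0.1.0` on the live line records the same information.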

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify mutable reusable-workflow refs in GitHub workflows
rg -n 'uses:\s*[^@]+@(main|master|[A-Za-z0-9._/-]+)$' .github/workflows/*.yml

Repository: NVIDIA/cccl

Length of output: 5192


important: Pin reusable workflow uses: to a full 40-character commit SHA instead of @main to prevent unreviewed upstream changes from affecting CI security enforcement.

Comment thread .pre-commit-config.yaml
# TODO: switch `rev: main` to a release tag once NVIDIA/security-workflows
# ships its first release (v0.1.0).
- repo: https://github.com/NVIDIA/security-workflows
rev: main
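Review bot: `rev: main` is the same mutable-ref problem as `@main` in the workflow, and the TODO does not have to wait for a tag: pre-commit's `rev` accepts a full commit SHA, so pin to the same commit the workflow pins to now, which keeps the local hook and CI running identical scanner code; the SHA can be moved to the v0.1.0 tag later with `pre-commit autoupdate` once it exists.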

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify mutable refs to NVIDIA/security-workflows in this PR surface
rg -n 'security-workflows|rev:\s*main|`@main`' .pre-commit-config.yaml .github/workflows/secret-scan.yml

Repository: NVIDIA/cccl

Length of output: 1336


important: Pin rev to an immutable commit SHA instead of main. Mutable branch refs in security-scanning hooks weaken supply-chain integrity; upstream changes can silently alter secret-scanning behavior. The existing TODO acknowledges this—v0.1.0 tag will enable proper pinning.
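As an added example, not code from the PR or from coderabbit, here is a small POSIX shell audit for the point the two pinning comments above make: it reports every `uses:` and `rev:` ref that is not a 40-hex commit SHA, while ignoring commented-out template lines. The two sample files are constructed to mirror the PR's changes; the zero-filled checkout SHA is a placeholder.

```shell
#!/bin/sh
# Audit "uses:" refs in Actions workflows and "rev:" values in a pre-commit
# config, flagging every ref that is not a 40-hex commit SHA.
# 0 if REF is a full 40-character lowercase hex commit SHA, else 1.
is_pinned_sha() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{40}$'
}
# Print the ref from "uses: owner/repo/path@ref # note" or "rev: ref";
# commented-out lines (leading #) and lines of any other shape print nothing.
extract_ref() {
  printf '%s\n' "$1" | sed -nE \
    -e 's/^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*[^@#[:space:]]+@([^[:space:]#]+).*/\2/p' \
    -e 's/^[[:space:]]*(-[[:space:]]*)?rev:[[:space:]]*([^[:space:]#]+).*/\2/p'
}
# Print "<file>:<line>: <ref>" for every mutable (non-SHA) ref in FILE.
find_mutable_refs() {
  grep -n '' "$1" | while IFS= read -r entry; do
    ref=$(extract_ref "${entry#*:}")
    [ -n "$ref" ] || continue
    is_pinned_sha "$ref" || printf '%s:%s: %s\n' "$1" "${entry%%:*}" "$ref"
  done
}
# Number of mutable refs in FILE; 0 means everything is SHA-pinned.
count_mutable_refs() {
  find_mutable_refs "$1" | wc -l | tr -d ' '
}
# Constructed samples modelled on the PR's two files; the zero-filled
# checkout SHA is a placeholder, the ab5558d... SHA is the PR's own template.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/secret-scan.yml" <<'EOF'
jobs:
  secret-scan:
    # uses: NVIDIA/security-workflows/.github/workflows/secret-scan-trufflehog.yml@ab5558d84285152b16c190f57b79789e452b3f2b # v0.1.0
    uses: NVIDIA/security-workflows/.github/workflows/secret-scan-trufflehog.yml@main
  build:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
EOF
cat > "$SAMPLE_DIR/pre-commit-config.yaml" <<'EOF'
repos:
  - repo: https://github.com/NVIDIA/security-workflows
    rev: main
    hooks:
      - id: secret-scan-trufflehog
EOF
find_mutable_refs "$SAMPLE_DIR/secret-scan.yml"        # -> .../secret-scan.yml:4: main
find_mutable_refs "$SAMPLE_DIR/pre-commit-config.yaml"  # -> .../pre-commit-config.yaml:3: main
```

Run it over `.github/workflows/*.yml` and `.pre-commit-config.yaml` in CI and fail the job when `count_mutable_refs` is non-zero to keep the pinning from regressing.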

@github-actions
Contributor

😬 CI Workflow Results

🟥 Finished in 3h 00m: Pass: 99%/501 | Total: 15d 23h | Max: 2h 31m | Hits: 41%/1659867

See results here.
