ci(workflows): [ci] add gitguardian job

- https://github.com/GitGuardian/ggshield-action
- https://docs.gitguardian.com/ggshield-docs/integrations/cicd-integrations/github-actions

Signed-off-by: Lexus Drumgold <unicornware@flexdevelopment.llc>

.dictionary.txt

@@ -8,6 +8,7 @@ dessant
 dohm
 esbuild
 fbca
+ggshield
 gpgsign
 hmarr
 iife

.github/workflows/ci.yml

@@ -10,6 +10,7 @@
 # - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#push
 # - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
 # - https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions
+# - https://github.com/GitGuardian/ggshield-action
 # - https://github.com/actions/cache
 # - https://github.com/actions/cache/discussions/650
 # - https://github.com/actions/checkout
@@ -80,6 +81,27 @@ jobs:
       - id: version-typescript
         name: Get TypeScript version
         run: echo "result=$(jq .devDependencies.typescript package.json -r)" >> $GITHUB_OUTPUT
+  gitguardian:
+    needs: metadata
+    runs-on: ubuntu-latest
+    steps:
+      - id: checkout
+        name: Checkout ${{ env.REF }}
+        uses: actions/checkout@v3.3.0
+        with:
+          fetch-depth: 0
+          ref: ${{ env.REF }}
+      - id: scan
+        name: Scan commits for secrets and policy breaches
+        uses: GitGuardian/ggshield-action@master
+        with:
+          args: --all-policies --show-secrets --verbose
+        env:
+          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
+          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
   format:
     needs: metadata
     runs-on: ubuntu-latest