security: remove .gitleaksbaseline + secrets-audit + simplify secret-scan

These files were a security liability: even though Secret/Match fields
were redacted, they still mapped attackers to exactly which files,
commits, authors, and line numbers historically contained credentials.
An external contributor cloning the repo could read them and know where
to look in git history for extractable keys.

Removed:
  .gitleaksbaseline       (JSON: 49 findings, commit SHAs, file paths)
  docs/secrets-audit.md   (human-readable table — even more exploitable)
  docs/starter-apps.md    (not security-sensitive, but low-value + drifts
                           fast; the 5 starter repos are discoverable on
                           the org page, and release.yml already clones
                           them at runtime for consumer validation)

Simplified .github/workflows/secret-scan.yml:
  - No longer uses --baseline-path (redundant with incremental scans)
  - Scans only the commit range introduced by the event:
      PR:          base.sha..HEAD
      push:        before..HEAD
      new branch:  HEAD~1..HEAD  (fallback for zero before-SHA)
  - Historical secrets from before the range are naturally ignored
    because they're outside it — no committed-in-repo list needed.

If a secret is actually leaked in a future commit, gitleaks will catch
it. Historical leaks are audited once (internally, off-repo) and the
relevant keys rotated; keeping an on-repo map of them was protecting
nothing and advertising everything.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: sanchitmonga22

.github/workflows/secret-scan.yml

@@ -7,10 +7,16 @@ name: Secret Scanning
 # Uses the project-level .gitleaks.toml for RunAnywhere-specific patterns.
 #
 # Strategy:
-#   - Pull requests: scan ONLY the PR's commits (not full history). Catches
-#     new secrets without tripping on the 49 known historical findings.
-#   - Push to main: scan the pushed commits with a baseline file so known
-#     findings are skipped and only genuinely new leaks fail CI.
+#   - Pull requests: scan ONLY the PR's commits (base.sha..HEAD). Catches
+#     new secrets without tripping on historical findings.
+#   - Push to main: scan only the pushed commits (before..HEAD). Redundant
+#     with PR scan but catches direct pushes / merge commits.
+#
+# No baseline file is used. A baseline would leak metadata about known
+# secrets (file paths, commit SHAs, authors) into the committed repo —
+# pointing attackers at exactly where and when each secret was introduced.
+# Incremental diff-only scans achieve the same "ignore historical noise"
+# goal without that disclosure.
 #
 # Uses gitleaks CLI directly (MIT-licensed, free) instead of
 # gitleaks-action@v2 which requires a paid license for organizations.
@@ -42,33 +48,31 @@ jobs:
           sudo mv gitleaks /usr/local/bin/
           gitleaks version
 
-      - name: Run Gitleaks
+      - name: Run Gitleaks (incremental)
         env:
           EVENT_NAME: ${{ github.event_name }}
+          PR_BASE: ${{ github.event.pull_request.base.sha }}
+          PUSH_BEFORE: ${{ github.event.before }}
         run: |
+          set -euo pipefail
+
           CONFIG_ARG=""
           [ -f .gitleaks.toml ] && CONFIG_ARG="--config .gitleaks.toml"
 
+          # Pick a commit range based on the trigger event.
           if [ "$EVENT_NAME" = "pull_request" ]; then
-            # PR mode: only scan the commits in this PR, not full history.
-            # This naturally ignores all historical secrets without needing
-            # a baseline file (which can drift between local and CI clones).
-            echo "PR mode: scanning only PR commits"
-            gitleaks detect --source . $CONFIG_ARG --redact --verbose \
-              --log-opts="${{ github.event.pull_request.base.sha }}..HEAD"
+            RANGE="${PR_BASE}..HEAD"
+            echo "PR mode — scanning range: $RANGE"
           else
-            # Push-to-main mode: scan the pushed commits. Fall back to
-            # baseline-based full scan if the before SHA is unavailable.
-            echo "Push mode: scanning pushed commits"
-            BEFORE="${{ github.event.before }}"
-            if [ -n "$BEFORE" ] && [ "$BEFORE" != "0000000000000000000000000000000000000000" ]; then
-              gitleaks detect --source . $CONFIG_ARG --redact --verbose \
-                --log-opts="${BEFORE}..HEAD"
-            elif [ -f .gitleaksbaseline ]; then
-              gitleaks detect --source . $CONFIG_ARG --redact --verbose \
-                --baseline-path .gitleaksbaseline
+            # push to main. If PUSH_BEFORE is missing or zero (new branch,
+            # never-seen-before), fall back to just the top commit.
+            if [ -n "${PUSH_BEFORE:-}" ] && [ "$PUSH_BEFORE" != "0000000000000000000000000000000000000000" ]; then
+              RANGE="${PUSH_BEFORE}..HEAD"
             else
-              echo "::warning::No baseline and no before-SHA; running full scan"
-              gitleaks detect --source . $CONFIG_ARG --redact --verbose
+              RANGE="HEAD~1..HEAD"
             fi
+            echo "Push mode — scanning range: $RANGE"
           fi
+
+          gitleaks detect --source . $CONFIG_ARG --redact --verbose \
+            --log-opts="$RANGE"