feat: add gitleaks secret scanning to quality rails (#5)

tools/quality/templates/monorepo/.woodpecker.yml

@@ -4,11 +4,19 @@ when:
 
 variables:
   - &node_image "node:20-alpine"
+  - &gitleaks_image "ghcr.io/gitleaks/gitleaks:v8.24.0"
   - &install_deps |
       corepack enable
       npm ci --ignore-scripts
 
 steps:
+  # Secret scanning (runs in parallel with install, no deps)
+  secret-scan:
+    image: *gitleaks_image
+    commands:
+      - gitleaks git --redact --verbose --log-opts="HEAD~1..HEAD"
+    depends_on: []
+
   install:
     image: *node_image
     commands:
@@ -65,3 +73,4 @@ steps:
       - typecheck
       - test
       - security-audit
+      - secret-scan