Fix new secret scanning

[bgolding355]

Fix Detect secret scanning

There are two ways to look for new secrets based on the README for Yelp/detect-secrets. In this Github action, I managed to combine both together. While the combination mostly works, I have a (private) PR where it did not behave as expected. The two ways to do this are:

Using detect-secrets

detect-secrets scan --baseline .secrets.baseline

Using detect-secrets-hook

git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline

This approach has the benefit of mutating .secrets.baseline, which makes it easier to generate the new file.

I managed to combine these two approaches into:

git ls-files -z | xargs -0 detect-secrets scan $DETECT_SECRET_ADDITIONAL_ARGS --baseline "$BASELINE_FILE"

Testing locally, it seems that detect-secrets is much faster, but when I get around to implementing #6 I will switch to detect-secrets-hook.

[bgolding355]

@jsoref an example of the problem can be found in this (private) PR. https://github.com/GarnerCorp/lighthouse/pull/4566

The line:

git ls-files -z | xargs -0 detect-secrets scan $DETECT_SECRET_ADDITIONAL_ARGS --baseline "$BASELINE_FILE"

is creating a .secrets.baseline that is very strange, and the resulting JOBS SUMMARY is wrong. When you have time, I will show you this bug, and explain how this change fixes it.

I explained this in further detail in this (private) comment https://github.com/GarnerCorp/lighthouse/pull/4566#issuecomment-1184760230. I don't want to go into to much detail in a public repo