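---
# Fails the build when a file named .env is present at the repository root,
# so that an environment file holding secrets is caught in CI.
#
# Scope: only a regular file (or a symlink to one) named exactly ".env" at the
# top level is detected. Nested .env files and variants such as .env.local are
# not covered by this check.
#
# On a push event the file is already in the history of the pushed ref when
# this job fails. Deleting it in a follow-up commit does not remove it from
# history, so treat any secrets it held as exposed and rotate them.
name: Forbid .env in repo

on:
  pull_request:
  push:

# Least privilege: the job only reads the checked-out tree, so the workflow
# token needs no write scope.
permissions:
  contents: read

jobs:
  check-no-env:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # NOTE(review): pinned to a mutable tag; consider pinning to a full
        # commit SHA if the project's supply-chain policy requires it.
        uses: actions/checkout@v4
        with:
          # No later step talks to the remote, so do not leave the token in
          # the local git config.
          persist-credentials: false

      - name: Fail if .env exists
        shell: bash
        run: |
          if [ -f .env ]; then
            echo ".env exists in repository root — failing build to avoid accidental secret exposure" >&2
            exit 1
          fi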