
Commit c161662

Better secret-scan redundancy (#173)
* update secret-scan: make authenticated calls to the GitHub API to reduce the chance of hitting unauthenticated rate limits, and switch to the GitHub CLI binary for better retries * Update secret-scan.yml: retry all errors on download
1 parent eb07400 commit c161662

1 file changed

Lines changed: 17 additions & 12 deletions


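--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@@ -14,23 +14,28 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Install Cosign
 uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
-- name: Pin Trufflehog to a know good release
+- name: Pin Trufflehog to a known good release
 id: trufflehog_release
 shell: bash
-# run: |
-# LATEST_TAG_NAME=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases/latest | jq -r .name)
-# LATEST_RELEASE=$(echo ${LATEST_TAG_NAME:1})
-# echo "latest_tag_name=$LATEST_TAG_NAME" >> "$GITHUB_OUTPUT"
-# echo "latest_release=$LATEST_RELEASE" >> "$GITHUB_OUTPUT"
+env:
+GH_TOKEN: ${{ github.token }}
 run: |
-echo "latest_tag_name=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases | jq -r '.[1].tag_name')" >> "$GITHUB_OUTPUT"
-echo "latest_release=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases | jq -r '.[1].tag_name | ltrimstr("v")')" >> "$GITHUB_OUTPUT"
+LATEST_TAG_NAME=$(gh api repos/trufflesecurity/trufflehog/releases --jq '.[1].tag_name')
+
+if [[ -z "$LATEST_TAG_NAME" || "$LATEST_TAG_NAME" == "null" ]]; then
+echo "::error::Failed to fetch TruffleHog release info"
+exit 1
+fi
+
+echo "Using TruffleHog version: $LATEST_TAG_NAME"
+echo "latest_tag_name=$LATEST_TAG_NAME" >> "$GITHUB_OUTPUT"
+echo "latest_release=${LATEST_TAG_NAME#v}" >> "$GITHUB_OUTPUT"
 - name: Download and verify TruffleHog release
 run: |
-curl -fsSL --retry 3 --retry-delay 5 -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
-curl -fsSL --retry 3 --retry-delay 5 -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem
-curl -fsSL --retry 3 --retry-delay 5 -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig
-curl -fsSL --retry 3 --retry-delay 5 -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz
+curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
+curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem
+curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig
+curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz
 
 cosign verify-blob trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt \
 --certificate trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem \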
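Review bot: The value assigned on the `LATEST_TAG_NAME=$(gh api ...)` line is only checked for empty/`null` before being written to `$GITHUB_OUTPUT`, and the next step then splices it into its `run:` script as a raw `${{ steps.trufflehog_release.outputs.latest_tag_name }}` expression inside the download URLs, so a tag string of unexpected shape would land in the shell text unquoted; add a format check before the exports, e.g. `if [[ ! "$LATEST_TAG_NAME" =~ ^v[0-9]+(\.[0-9]+){2}$ ]]; then echo "::error::Unexpected tag format: $LATEST_TAG_NAME"; exit 1; fi`. Relatedly, `--jq '.[1].tag_name'` picks the second entry of the releases list rather than a fixed version, so the step name "Pin Trufflehog to a known good release" overstates what the step does — as far as I know the releases endpoint is ordered by creation date and includes pre-releases, so `.[1]` can change between runs; either pin an explicit tag or document the intent with a comment such as `# intentionally one release behind latest to avoid freshly cut releases`. The `cosign verify-blob` call that checks the downloaded checksums file continues outside the hunk, and it is that verification that ultimately bounds what a mis-selected tag can fetch.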
