feat(secret-scanning): Add auto retry (#171)

Jeffreyhung · web-flow · commit 5d88364f9bba · 2026-01-26T15:29:12.000-08:00
* Create .gitignore

* add auto retry
diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
@@ -26,6 +26,23 @@ jobs:
           echo "latest_tag_name=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases | jq -r '.[1].tag_name')" >> "$GITHUB_OUTPUT"
           echo "latest_release=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases | jq -r '.[1].tag_name | ltrimstr("v")')" >> "$GITHUB_OUTPUT"
       - name: Download and verify TruffleHog release
+        id: download_and_verify
+        continue-on-error: true # retry in the next step if the download and verify fails
+        run: |
+          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
+          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem
+          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig
+          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz
+
+          cosign verify-blob trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt \
+            --certificate trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem \
+            --signature trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig \
+            --certificate-identity-regexp 'https://github\.com/trufflesecurity/trufflehog/\.github/workflows/.+' \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+
+          sha256sum --ignore-missing -c trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
+      - name: Retry
+        if: steps.download_and_verify.outcome != 'success'
         run: |
           curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
           curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
