HodeTech · cemililik · May 25, 2026
diff --git a/.github/workflows/action-test.yml b/.github/workflows/action-test.yml
@@ -142,7 +142,9 @@ jobs:
           set -uo pipefail
           mkdir -p _fx
           printf 'AWS_ACCESS_KEY_ID=%s%s\n' 'AKIA' 'IOSFODNN7EXAMPLE' > _fx/leak.env
-          out="$("${RUNNER_TEMP}/leakwatch" scan fs _fx --format github --no-verify 2>/dev/null)"
+          # leakwatch exits 1 on findings; `|| true` so the capture doesn't abort
+          # the step under bash -e (GitHub's default shell flags).
+          out="$("${RUNNER_TEMP}/leakwatch" scan fs _fx --format github --no-verify 2>/dev/null || true)"
           echo "$out"
           echo "$out" | grep -q '^::error .*aws-access-key-id' \
             || { echo "::error::expected an ::error annotation for aws-access-key-id"; exit 1; }

diff --git a/action.yml b/action.yml
@@ -289,6 +289,10 @@ runs:
         # Do NOT echo the assembled args: path/extra-args may carry credentials
         # (tokens, authenticated URLs) that GitHub log masking would not catch.
         echo "Running leakwatch scan (type=${INPUT_SCAN_TYPE}, format=${INPUT_FORMAT})"
+        # GitHub invokes bash with -e; findings legitimately exit 1, so disable
+        # errexit around the scan and map the exit code ourselves below (otherwise
+        # the step would abort here and fail-on-findings: false would be ignored).
+        set +e
         leakwatch "${ARGS[@]}"
         EXIT_CODE=$?