ci: fix standalone-CI fallout — SHA-pin actions, de-trip secret scann… #1227
| # SPDX-License-Identifier: MPL-2.0 | |
| # | |
| # Standalone secret scan. Previously a thin caller of | |
| # `hyperpolymath/standards/.github/workflows/secret-scanner-reusable.yml` | |
| # with `secrets: inherit`; that cross-repo dependency startup-failed (the | |
| # caller's `concurrency:` block stacked on the reusable's — the BP008 class, | |
| # see spark-theatre-gate.yml) and required inheriting org secrets. This | |
| # self-contained version runs a pure-shell high-confidence scan | |
| # (tools/ci/secret-scan-standalone.sh), needs no secrets, and as a normal | |
| # workflow can keep its concurrency block. | |
| name: Secret Scanner | |
| on: | |
| pull_request: | |
| push: | |
| branches: [main] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| scan: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 | |
| - name: Run standalone secret scan | |
| run: ./tools/ci/secret-scan-standalone.sh |
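Review bot: at the `Run standalone secret scan` step, `./tools/ci/secret-scan-standalone.sh` is executed from the checkout of the ref being scanned, so on the `pull_request` trigger a PR that edits that script also edits the check that gates it. Consider covering `tools/ci/` and this workflow file with CODEOWNERS or a required-review rule, or running the scanner from the base ref instead. Two smaller points: the checkout step could set `persist-credentials: false`, since nothing after it needs the token, and the `# v4` comment beside the SHA names a moving major tag, so recording the exact release the SHA corresponds to would make the pin easier to verify.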