From 201d76f19d95c3269ed5c0002355ea8df683a131 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C3=ADas=20Insaurralde?= Date: Fri, 13 Mar 2026 18:43:59 -0300 Subject: [PATCH] chore(ci): migrate secrets-scan-daily workflow to GitHub keyless auth MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Matías Insaurralde --- .github/workflows/secrets-scan-daily.yml | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/.github/workflows/secrets-scan-daily.yml b/.github/workflows/secrets-scan-daily.yml index 52a07fe1d..601a0a5ed 100644 --- a/.github/workflows/secrets-scan-daily.yml +++ b/.github/workflows/secrets-scan-daily.yml @@ -6,29 +6,18 @@ on: - cron: '0 9 * * *' workflow_dispatch: # Allow manual triggering -permissions: - contents: read - id-token: write # Required for SLSA attestation +permissions: read-all jobs: - onboard_workflow: - name: Onboard Chainloop Workflow - uses: chainloop-dev/labs/.github/workflows/chainloop_onboard.yml@6bbd1c2b3022e48ae60afa0c2b90f3b6d31bcf11 - with: - project: "chainloop" - workflow_name: "daily-secrets-detection" - secrets: - api_token: ${{ secrets.CHAINLOOP_TOKEN }} - daily-secrets-scan: name: Daily Secrets Scan - needs: onboard_workflow runs-on: ubuntu-latest + permissions: + contents: read + id-token: write env: - CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }} - CHAINLOOP_WORKFLOW_NAME: ${{ needs.onboard_workflow.outputs.workflow_name }} - CHAINLOOP_PROJECT_NAME: ${{ needs.onboard_workflow.outputs.project_name }} - GITHUB_TOKEN: ${{ github.token }} + CHAINLOOP_WORKFLOW_NAME: "daily-secrets-detection" + CHAINLOOP_PROJECT_NAME: "chainloop" steps: - uses: actions/checkout@v4