From 1d3d46f9198f5e0ee804e9ce70c08d6d0b9667e4 Mon Sep 17 00:00:00 2001
From: dblinkhorn
Date: Mon, 4 May 2026 15:14:49 -0700
Subject: [PATCH 1/2] fix(trufflehog): make grafana bench metrics steps non-blocking
---
 .github/workflows/reusable-trufflehog.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/reusable-trufflehog.yml b/.github/workflows/reusable-trufflehog.yml
index 1fd37f23..c37d581d 100644
--- a/.github/workflows/reusable-trufflehog.yml
+++ b/.github/workflows/reusable-trufflehog.yml
@@ -397,6 +397,7 @@ jobs:
 id-token: write
 steps:
 - name: Get Prometheus secrets from Vault
+ continue-on-error: true
 uses: grafana/shared-workflows/actions/get-vault-secrets@f1614b210386ac420af6807a997ac7f6d96e477a # get-vault-secrets/v1.3.1
 with:
 common_secrets: |
@@ -405,11 +406,13 @@ jobs:
 PROMETHEUS_PASSWORD=grafana-bench:prometheus_token

 - name: Download TruffleHog scan artifact
+ continue-on-error: true
 uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: trufflehog_scan

 - name: Send TruffleHog metrics to Prometheus via Grafana Bench
+ continue-on-error: true
 env:
 BENCH_SERVICE: ${{ format('grafana-{0}', github.event.repository.name) }}
 BENCH_SUITE_NAME: ${{ github.event.repository.name }}/trufflehog
From ff11502e094afe66fc7f09f2e6e3fe09319a3a9d Mon Sep 17 00:00:00 2001
From: dblinkhorn
Date: Thu, 7 May 2026 22:23:06 -0700
Subject: [PATCH 2/2] move continue-on-error to job level
---
 .github/workflows/reusable-trufflehog.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/reusable-trufflehog.yml b/.github/workflows/reusable-trufflehog.yml
index c37d581d..e2f3ffdd 100644
--- a/.github/workflows/reusable-trufflehog.yml
+++ b/.github/workflows/reusable-trufflehog.yml
@@ -388,6 +388,7 @@ jobs:

 grafana-bench:
 name: Send TruffleHog metrics to Prometheus via Grafana Bench
+ continue-on-error: true
 needs: [trufflehog-scan]
 # Only run for grafana org and non-fork PRs (fork PRs have no OIDC/Vault access).
 if: ${{ github.repository_owner == 'grafana' && (github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork) && inputs.send-bench-metrics && always() && !cancelled() && (needs.trufflehog-scan.result == 'success' || needs.trufflehog-scan.result == 'failure') }}
@@ -397,7 +398,6 @@ jobs:
 id-token: write
 steps:
 - name: Get Prometheus secrets from Vault
- continue-on-error: true
 uses: grafana/shared-workflows/actions/get-vault-secrets@f1614b210386ac420af6807a997ac7f6d96e477a # get-vault-secrets/v1.3.1
 with:
 common_secrets: |
@@ -406,13 +406,11 @@ jobs:
 PROMETHEUS_PASSWORD=grafana-bench:prometheus_token

 - name: Download TruffleHog scan artifact
- continue-on-error: true
 uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: trufflehog_scan

 - name: Send TruffleHog metrics to Prometheus via Grafana Bench
- continue-on-error: true
 env:
 BENCH_SERVICE: ${{ format('grafana-{0}', github.event.repository.name) }}
 BENCH_SUITE_NAME: ${{ github.event.repository.name }}/trufflehog
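Review bot: A failed Vault login, artifact download or metrics push in `grafana-bench` no longer fails the run once `continue-on-error: true` sits at job level (first hunk), so dashboards or alerts built on these secret-scan metrics could go stale without anyone noticing. The key also carries no comment saying why the job is best-effort; something like `# Best-effort: a metrics outage must not fail the caller's secret scan.` above it would record the intent. To keep a visible signal, consider a final step guarded by `if: ${{ failure() }}` that runs `echo "::warning::TruffleHog bench metrics were not sent"`. The job's step list continues past the last hunk, so where that step goes is a suggestion rather than something checked against the full file.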