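# Secret-scanner workflow from Arista Networks.
# Runs the secret-scanner container against the repository on pushes to main
# and on pull-request updates, then publishes the scanner's markdown report
# as the job summary.
on:
  pull_request:
    # NOTE(review): only `synchronize` is listed, so the commits a pull request
    # is opened (or reopened) with are not scanned until another push lands on
    # it. Confirm that is intended, or add `opened` and `reopened`.
    types: [synchronize]
  push:
    branches:
      - main

name: Secret Scanner (go/secret-scanner)

# Least privilege: nothing in this workflow hands the job token to the scanner
# and checkout only reads the repository, so read access to contents suffices.
permissions:
  contents: read

jobs:
  scan_secret:
    name: Scan incoming changes
    runs-on: ubuntu-latest
    container:
      # NOTE(review): `:main` is a mutable tag, so the scanner code that runs
      # can change without any change to this file. Pinning by digest
      # (`@sha256:<digest>`, placeholder) makes runs reproducible.
      image: ghcr.io/aristanetworks/secret-scanner-service:main
      options: --name sss-scanner
    steps:
      - name: Checkout ${{ github.ref }}
        # Hitting https://github.com/actions/checkout/issues/334 so trying v1
        # NOTE(review): `@v1` is a mutable tag; a full commit SHA would pin the
        # exact action code once the issue above allows choosing a version.
        uses: actions/checkout@v1
        with:
          # Full history; presumably needed so --since-commit can resolve the
          # pull request's base commit.
          fetch-depth: 0

      - name: Run scanner
        # Expression values reach the script through the environment rather
        # than being expanded into the script text, so they are always treated
        # as data by the shell.
        env:
          REPOSITORY: ${{ github.repository }}
          # Empty on push events, which makes the script omit --since-commit.
          BASE_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || '' }}
        run: |
          # Presumably the checkout is owned by a different user than the one
          # the container runs as; git refuses to operate on it otherwise.
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
          set -- commit . github "$REPOSITORY" --markdown-file job_summary.md
          if [ -n "$BASE_SHA" ]; then
            set -- "$@" --since-commit "$BASE_SHA"
          fi
          scanner "$@"

      - name: Write result to summary
        # NOTE(review): the step summary is visible to anyone who can view the
        # run; confirm the report redacts matched secret values.
        run: cat ./job_summary.md >> "$GITHUB_STEP_SUMMARY"
        # Publish the report even when the scanner step fails.
        if: ${{ always() }}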