add in the secret-scanning custom action

duncancrawford · duncancrawford · commit 04878347321a · 2025-06-13T10:16:41.000+01:00
additionally parameratise the PMD version
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
@@ -13,10 +13,12 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Install PMD CLI
+        env:
+          PMD_VERSION: '7.13.0'
         run: |
-          curl -L -o pmd-dist-7.13.0-bin.zip https://github.com/pmd/pmd/releases/download/pmd_releases%2F7.13.0/pmd-dist-7.13.0-bin.zip
-          unzip pmd-dist-7.13.0-bin.zip
-          mv pmd-bin-7.13.0 /opt/pmd
+          curl -L -o pmd-dist-$PMD_VERSION-bin.zip https://github.com/pmd/pmd/releases/download/pmd_releases%2F$PMD_VERSION/pmd-dist-$PMD_VERSION-bin.zip
+          unzip pmd-dist-$PMD_VERSION-bin.zip
+          mv pmd-bin-$PMD_VERSION /opt/pmd
           echo "/opt/pmd/bin" >> $GITHUB_PATH
 
       - name: Run PMD CLI analysis
@@ -57,15 +59,3 @@ jobs:
             echo "PMD violations found"
             exit 1
           fi
-
-  secret-scanning:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Secret Scanning
-        uses: trufflesecurity/trufflehog@main
-        with:
-          extra_args: --results=verified,unknown
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -36,6 +36,7 @@ jobs:
           languages: ${{ matrix.language }}
           queries: security-extended
 
+
       - uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
@@ -46,9 +47,14 @@ jobs:
         with:
           gradle-version: current
 
-      - name: Gradle Build
+      - name: Gradle Build and Publish
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gradle build cyclonedxBom -x test
+          gradle build cyclonedxBom -x test \
+            -DGITHUB_REPOSITORY=${{ github.repository }} \
+            -DGITHUB_ACTOR=${{ github.actor }} \
+            -DGITHUB_TOKEN=$GITHUB_TOKEN
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
diff --git a/.github/workflows/secret-scanning.yml b/.github/workflows/secret-scanning.yml
@@ -0,0 +1,22 @@
+name: Secret Scanning
+on:
+  pull_request:
+    branches:
+      - master
+      - main
+  schedule:
+    - cron: '0 4 * * 4' # Every Thursday at 04:00
+  workflow_dispatch:
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: hmcts/secrets-scanner@main
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          gitleaks_license: ${{ secrets.GITLEAKS_LICENSE }}
