fix: Docker sandbox agent execution + role template rendering + --model propagation for non-Claude CLIs #1742
Workflow file for this run
```yaml
name: trufflehog (secret scanning)
# Scan commits and PRs for accidentally-committed secrets (API keys,
# private keys, tokens). trufflehog is OSS / free for orgs too -
# gitleaks-action requires a paid GITLEAKS_LICENSE for organization
# accounts, so we use trufflehog as the public-org-friendly alternative.
#
# Ref: #1273
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "23 6 * * 1" # Weekly, Monday 06:23 UTC
  workflow_dispatch:
concurrency:
  group: trufflehog-${{ github.ref }}
  cancel-in-progress: true
permissions:
  contents: read
jobs:
  trufflehog:
    name: trufflehog scan
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Full history so trufflehog can scan all commits introduced by
          # the PR (it diffs base..head).
          fetch-depth: 0
          persist-credentials: false
      - name: Run trufflehog
        uses: trufflesecurity/trufflehog@f446421baf832d6356c42c1743d99abff52ff334 # v3.95.7
        with:
          # Only report verified secrets - keeps signal-to-noise high and
          # lets the job act as a hard gate. Unknown / unverified results
          # are dominated by test-fixture connection strings like
          # `postgres://user:pass@host` that trufflehog cannot probe but
          # are not real credentials; gating on those forced every push
          # to main red without a real leak.
          extra_args: --results=verified
```
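As an added example (not part of this workflow or of the trufflehog project), the verified-only gate the comment above describes, applied in Python to constructed trufflehog `--json` output: unverified fixture hits such as `postgres://user:pass@host` are dropped, a verified hit fails the job, and raw values are redacted before being reported. The JSON field names (`Verified`, `DetectorName`, `Raw`, `SourceMetadata`) are an assumption about trufflehog's output format.

```python
import json

# Constructed sample of trufflehog --json output (one JSON object per line).
# Field names are an assumption about trufflehog's format; values are fake.
SAMPLE_RESULTS = "\n".join([
    json.dumps({"DetectorName": "URI", "Verified": False,
                "Raw": "postgres://user:pass@host/db",
                "SourceMetadata": {"Data": {"Git": {"file": "tests/fixtures/db.env", "line": 3}}}}),
    json.dumps({"DetectorName": "AWS", "Verified": True,
                "Raw": "AKIACONSTRUCTEDSAMPLE",
                "SourceMetadata": {"Data": {"Git": {"file": "config/prod.env", "line": 1}}}}),
    json.dumps({"DetectorName": "Generic", "Verified": False,
                "Raw": "hunter2",
                "SourceMetadata": {"Data": {"Git": {"file": "docs/example.md", "line": 9}}}}),
])


def redact(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix so a finding can be triaged without re-leaking it."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def gate(json_lines: str, verified_only: bool = True) -> list:
    """Return the findings that should fail the job.

    verified_only=True mirrors `--results=verified`: unverified hits (typically
    test-fixture connection strings) are ignored so the job can be a hard gate.
    """
    blocking = []
    for line in json_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = json.loads(line)
        if verified_only and not finding.get("Verified", False):
            continue
        git = finding.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
        blocking.append({
            "detector": finding.get("DetectorName", "unknown"),
            "verified": bool(finding.get("Verified", False)),
            "location": f"{git.get('file', '?')}:{git.get('line', '?')}",
            "secret": redact(finding.get("Raw", "")),
        })
    return blocking


if __name__ == "__main__":
    hits = gate(SAMPLE_RESULTS)
    for h in hits:
        print(f"{h['detector']} at {h['location']}: {h['secret']}")
    raise SystemExit(1 if hits else 0)  # non-zero exit = red job, like the workflow
```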