From 33bc7d286d92474af54a05eed8003e133fd2483f Mon Sep 17 00:00:00 2001
From: Jeff Qiu
Date: Wed, 12 Jun 2024 08:51:23 -0400
Subject: [PATCH] ci: Public repo secret scanner (#704)

---------

Co-authored-by: Guillaume Mulocher
---
 .github/workflows/secret-scanner.yml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
index 3a35e7e03..821095300 100644
--- a/.github/workflows/secret-scanner.yml
+++ b/.github/workflows/secret-scanner.yml
@@ -10,6 +10,21 @@ jobs:
   scan_secret:
     name: Scan incoming changes
     runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/aristanetworks/secret-scanner-service:main
+      options: --name sss-scanner
     steps:
+      - name: Checkout ${{ github.ref }}
+        # Hitting https://github.com/actions/checkout/issues/334 so trying v1
+        uses: actions/checkout@v1
+        with:
+          fetch-depth: 0
       - name: Run scanner
-        uses: aristanetworks/secret-scanner-service@main
+        run: |
+          git config --global --add safe.directory $GITHUB_WORKSPACE
+          scanner commit . github ${{ github.repository }} \
+            --markdown-file job_summary.md \
+            ${{ github.event_name == 'pull_request' && format('--since-commit {0}', github.event.pull_request.base.sha) || ''}}
+      - name: Write result to summary
+        run: cat ./job_summary.md >> $GITHUB_STEP_SUMMARY
+        if: ${{ always() }}
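Review bot: Both new trust anchors in this hunk are mutable references — the scanner image `ghcr.io/aristanetworks/secret-scanner-service:main` and `actions/checkout@v1` — so the job that is meant to guard the repo runs whatever those tags resolve to at run time; pin the image by digest, `image: ghcr.io/aristanetworks/secret-scanner-service@sha256:<digest>`, and pin the checkout action to a commit SHA of a currently maintained release rather than the retired v1 line. The `Write result to summary` step appends the scanner's markdown to `$GITHUB_STEP_SUMMARY` on every run; if that report echoes the matched strings, a finding on a public repo would be published in the publicly readable run summary, so confirm the report is redacted or restrict what is written. That same step also fails when the scanner exits before writing the file, which `if: always()` makes the common failure path — `run: if [ -f job_summary.md ]; then cat job_summary.md >> "$GITHUB_STEP_SUMMARY"; fi` keeps the step from masking the real error. The workflow's `on:` triggers and `permissions:` block are outside this hunk, so whether this runs with a privileged token on fork pull requests cannot be judged from what is shown.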