Skip to content

Add secrets scanning workflow for PR checks#278

Closed
kszarek wants to merge 1 commit intomasterfrom
add-secrets-scanning-workflow
Closed

Add secrets scanning workflow for PR checks#278
kszarek wants to merge 1 commit intomasterfrom
add-secrets-scanning-workflow

Conversation

@kszarek
Copy link
Member

@kszarek kszarek commented Jan 8, 2026

Add required secrets scanning workflow that runs on pull requests to detect accidentally committed secrets.

Changes

  • Added .github/workflows/secrets-scan-on-pr.yaml
  • Uses detect-secrets-action to scan for secrets in PRs
  • Runs on pull requests to main/master branches
  • Required check for all PRs as per repository requirements

Testing

The workflow will automatically run on this PR to verify it works correctly.

@kszarek kszarek requested a review from a team as a code owner January 8, 2026 10:38
@kszarek
Add secrets scanning workflow for PR checks
9c469e4 
- Add secrets-scan-on-pr.yaml workflow that runs on pull requests
- Uses detect-secrets-action to scan for accidentally committed secrets
- Required for all PRs as per repository requirements
@kszarek kszarek force-pushed the add-secrets-scanning-workflow branch from cc92838 to 9c469e4 Compare January 8, 2026 10:40
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 8, 2026
View reviewed changes
.github/workflows/secrets-scan-on-pr.yaml
Comment on lines +8 to +9
uses: AirHelp/gh-actions/.github/workflows/secrets-scan-on-pr.yaml@master
secrets: inherit

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 29 days ago

In general, the problem is fixed by explicitly adding a permissions block to the workflow or to the specific job so that the GITHUB_TOKEN has only the minimum required access. Since this workflow only defines a single job that calls a reusable workflow, and we don’t know any need for write access from this file, we can safely restrict permissions to read-only for repository contents.

The best minimal change is to add a permissions block at the workflow (top) level, just under name: Secrets Scan. This will apply to all jobs in this workflow (including scan) unless they override permissions themselves. A conservative least-privilege choice is contents: read, which allows the reusable workflow to read repository contents while preventing write operations with the GITHUB_TOKEN from this workflow’s context.

Concretely, in .github/workflows/secrets-scan-on-pr.yaml, insert:

permissions:
  contents: read

between line 1 (name: Secrets Scan) and line 3 (on:). No additional imports, methods, or definitions are needed because this is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/secrets-scan-on-pr.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/secrets-scan-on-pr.yaml b/.github/workflows/secrets-scan-on-pr.yaml
--- a/.github/workflows/secrets-scan-on-pr.yaml
+++ b/.github/workflows/secrets-scan-on-pr.yaml
@@ -1,4 +1,6 @@
 name: Secrets Scan
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
@@ -1,4 +1,6 @@
name: Secrets Scan
permissions:
contents: read

on:
pull_request:
Copilot is powered by AI and may make mistakes. Always verify output.
@jadrol jadrol self-requested a review January 8, 2026 10:47
@kszarek kszarek closed this Jan 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kolodziejczykmaciek Kolodziejczykmaciek Awaiting requested review from Kolodziejczykmaciek Kolodziejczykmaciek is a code owner automatically assigned from AirHelp/devops

@lgd-michallasisz lgd-michallasisz Awaiting requested review from lgd-michallasisz lgd-michallasisz is a code owner automatically assigned from AirHelp/devops

@jadrol jadrol Awaiting requested review from jadrol

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kszarek @jadrol