From e67cc90b014bec0e355d60a21ad5d632f8f8cae4 Mon Sep 17 00:00:00 2001
From: Jeffrey Hung <17494876+Jeffreyhung@users.noreply.github.com>
Date: Mon, 26 Jan 2026 09:09:38 -0800
Subject: [PATCH 1/2] Create .gitignore

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e43b0f9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.DS_Store

From 16ba179db8df1ad6aa6d78009e77c409f3336400 Mon Sep 17 00:00:00 2001
From: Jeffrey Hung <17494876+Jeffreyhung@users.noreply.github.com>
Date: Mon, 26 Jan 2026 13:54:45 -0800
Subject: [PATCH 2/2] add auto retry

---
 .github/workflows/secret-scan.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
index f2e9e9e..0849153 100644
--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@@ -26,6 +26,23 @@ jobs:
           echo "latest_tag_name=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases | jq -r '.[1].tag_name')" >> "$GITHUB_OUTPUT"
           echo "latest_release=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases | jq -r '.[1].tag_name | ltrimstr("v")')" >> "$GITHUB_OUTPUT"
       - name: Download and verify TruffleHog release
+        id: download_and_verify
+        continue-on-error: true # retry in the next step if the download and verify fails
+        run: |
+          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
+          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem
+          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig
+          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz
+
+          cosign verify-blob trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt \
+            --certificate trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem \
+            --signature trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig \
+            --certificate-identity-regexp 'https://github\.com/trufflesecurity/trufflehog/\.github/workflows/.+' \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+
+          sha256sum --ignore-missing -c trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
+      - name: Retry
+        if: steps.download_and_verify.outcome != 'success'
         run: |
           curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
           curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem