👷 More accurate trufflehog scan configuration

.github/workflows/check-leaks.yml

@@ -7,6 +7,12 @@ on:
       - "**.nix"
       - ".github/workflows/check-leaks.yml"
 
+permissions:
+  contents: read
+  id-token: write
+  issues: write
+  pull-requests: write
+
 jobs:
   deadnix:
     name: Run trufflehog
@@ -16,7 +22,18 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ github.ref_name }}
-          persist-credentials: false
+          fetch-depth: 0
 
-      - name: TruffleHog scan
+      - id: trufflehog
-        uses: trufflesecurity/trufflehog@v3.88.35
+        name: TruffleHog scan
+        uses: trufflesecurity/trufflehog@add-actions-cli-switch
+        continue-on-error: true
+        with:
+          path: ./
+          base: "${{ github.event.repository.default_branch }}"
+          head: HEAD
+          extra_args: --debug --only-verified
+
+      - name: Scan Results Status
+        if: steps.trufflehog.outcome == 'failure'
+        run: exit 1