update curl for -f (#172)

The retry step we added didn't really change the failure state so I'm removing it. Instead, adding a -f to the curl and a delay and retry there directly that should be more resilient.

Author: geoffg-sentry

.github/workflows/secret-scan.yml

@@ -26,28 +26,11 @@ jobs:
           echo "latest_tag_name=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases | jq -r '.[1].tag_name')" >> "$GITHUB_OUTPUT"
           echo "latest_release=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases | jq -r '.[1].tag_name | ltrimstr("v")')" >> "$GITHUB_OUTPUT"
       - name: Download and verify TruffleHog release
-        id: download_and_verify
-        continue-on-error: true # retry in the next step if the download and verify fails
         run: |
-          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
-          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem
-          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig
-          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz
-
-          cosign verify-blob trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt \
-            --certificate trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem \
-            --signature trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig \
-            --certificate-identity-regexp 'https://github\.com/trufflesecurity/trufflehog/\.github/workflows/.+' \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
-
-          sha256sum --ignore-missing -c trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
-      - name: Retry
-        if: steps.download_and_verify.outcome != 'success'
-        run: |
-          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
-          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem
-          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig
-          curl -sLO https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz
+          curl -fsSL --retry 3 --retry-delay 5 -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt
+          curl -fsSL --retry 3 --retry-delay 5 -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem
+          curl -fsSL --retry 3 --retry-delay 5 -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.sig
+          curl -fsSL --retry 3 --retry-delay 5 -O https://github.com/trufflesecurity/trufflehog/releases/download/${{ steps.trufflehog_release.outputs.latest_tag_name }}/trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_linux_amd64.tar.gz
 
           cosign verify-blob trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt \
             --certificate trufflehog_${{ steps.trufflehog_release.outputs.latest_release }}_checksums.txt.pem \