Check action secrets #1310

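# Workflow: obtains a short-lived token with secret-read scopes and hands it
# to the check-action-secrets action.
# NOTE(review): what the final action actually verifies is not visible in this
# file; confirm against that action's documentation.
name: Check action secrets
on:
  push:
    # NOTE(review): only '*.yml' is matched; a workflow file saved with the
    # '.yaml' extension would not trigger this run. Confirm that is intended.
    paths:
      - '.github/workflows/*.yml'
    branches:
      - 'main'
      - 'master'
  schedule:
    # Daily at 13:35 (GitHub evaluates schedules in UTC).
    - cron: '35 13 * * *' # sync-with-template: adjust
  workflow_dispatch: {}

# Only the OIDC permission is requested; every permission not listed here is
# withheld from the job's GITHUB_TOKEN. The OIDC token is presumably consumed
# by the token issuer step below (TODO confirm).
permissions:
  id-token: write

# One run per ref; a newer run cancels the one still in progress.
concurrency:
  group: check-action-secrets-${{github.ref}}
  cancel-in-progress: true

defaults:
  run:
    shell: bash

jobs:
  check-action-secrets:
    name: Check action secrets
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Get repository owner type
        id: owner-type
        # Expression values are passed through the environment instead of
        # being expanded into the script text. This keeps the token out of
        # the rendered script and prevents any expression value from being
        # parsed as shell syntax.
        env:
          API_URL: ${{ github.api_url }}
          REPOSITORY: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}
        run: |
          # --fail makes an HTTP error abort the step. Without it the error
          # body is fed to jq and the owner type silently becomes "null",
          # which drops the organization scope requested in the next step.
          repo_json=$(curl --silent --show-error --fail \
            -H "Authorization: token $GH_TOKEN" \
            "$API_URL/repos/$REPOSITORY")
          # Quoted expansion: an unquoted $repo_json would be word-split and
          # glob-expanded by the shell before jq sees it.
          owner_type=$(jq -r '.owner.type' <<<"$repo_json" | tr '[:upper:]' '[:lower:]')
          echo "owner-type=$owner_type" | tee -a "$GITHUB_OUTPUT"

      - name: Get GitHub Token
        id: get-token
        # NOTE(review): third-party action referenced by a mutable tag while
        # the job holds id-token: write and the step returns a token that can
        # read secrets metadata. Pin to a reviewed full commit SHA
        # (uses: remal/github-repository-token-issuer@<FULL_COMMIT_SHA>) so a
        # retagged release cannot change what runs here.
        uses: remal/github-repository-token-issuer@v1
        with:
          # The organization scope is requested only when the repository owner
          # is an organization; otherwise the second line renders empty.
          scopes: |
            secrets: read
            ${{steps.owner-type.outputs.owner-type == 'organization' && 'organization_secrets:read' || ''}}

      - name: Check action secrets
        # NOTE(review): also referenced by mutable tag and given the issued
        # token; pin to a reviewed full commit SHA for the same reason.
        uses: remal-github-actions/check-action-secrets@v1
        with:
          githubToken: ${{steps.get-token.outputs.token}}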