diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml
index 8c0d340..63e7540 100644
--- a/.github/workflows/secrets-scan.yml
+++ b/.github/workflows/secrets-scan.yml
@@ -13,9 +13,10 @@ jobs:
 VERSION: 8.18.1-patch1
 # From https://github.com/taiki45/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_checksums.txt
 SHA256_SUM: aed536718ac444b6727754ca2e34e243ec1aee8bce928975233709d57bc61387
+ # Explicitly specifing `bash` changes behavior: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell
 shell: bash
 run: |
- set -euxo pipefail
+ set -x
 curl -L "https://github.com/taiki45/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_${TARGET}.tar.gz" -O
 echo "${SHA256_SUM} gitleaks_${VERSION}_${TARGET}.tar.gz" | sha256sum --check
 # Generate `gitleaks` binary
@@ -29,7 +30,7 @@ jobs:
 SHA256_SUM: 162f2fdb98abba26e05be60137a48b98feec3e3a6e48e68bc0c219a0f32fbd0f
 shell: bash
 run: |
- set -euxo pipefail
+ set -x
 curl -L "https://github.com/Finatext/gitleaks-support/releases/download/v${VERSION}/gitleaks-support-${TARGET}.tar.gz" -O
 echo "${SHA256_SUM} gitleaks-support-${TARGET}.tar.gz" | sha256sum --check
 tar --extract --gzip --file "gitleaks-support-${TARGET}.tar.gz" --verbose
@@ -38,7 +39,9 @@ jobs:
 - name: Scan secrets
 env:
 REPORT_PATH: tmp/report.json
+ shell: bash
 run: |
+ set -x
 mkdir -p tmp
 gitleaks detect --verbose --exit-code=0 --no-banner --config=dev/gitleaks.toml --report-path="${REPORT_PATH}"
 gitleaks-support apply --config-path=dev/gitleaks-allowlist.toml --report-path="${REPORT_PATH}"
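Review bot: Replacing `set -euxo pipefail` with `set -x` also drops `-u` (nounset), which the `-eo pipefail` that the linked docs describe for an explicit `shell: bash` does not restore; if `VERSION`, `TARGET` or `SHA256_SUM` is unset, they expand to empty strings and the download or the `sha256sum --check` line fails later with a less obvious error instead of at the first reference. `set -ux` keeps the tracing while preserving that guard, and the same applies to the `set -x` lines in the second and third hunks. The added comment also has a typo: `specifing` should read `specifying`. The step this hunk belongs to begins outside the hunk.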
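Review bot: The `shell: bash` added to the Scan secrets step has no comment like the one added to the first step, so a reader of this step alone cannot tell why it is set or that it changes the options the runner passes; a one-line comment such as `# shell: bash makes the runner pass -eo pipefail; see the note on the gitleaks install step` would make the intent explicit. Presumably the `set -x` is only for tracing here, since `gitleaks detect` already runs with `--exit-code=0` and the step's failure behaviour now comes from the implicit `-e`. The job this step belongs to begins outside the hunk.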