diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 2a5f413b1..811839747 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -51,17 +51,14 @@ jobs:
       - uses: actions/checkout@v4
       - run: semgrep --config=hack/semgrep-rules/detectors.yaml pkg/detectors/
   checksecretparts:
-    # Warning-only: reports detector packages that construct detectors.Result
-    # without populating SecretParts. Flip to hard-fail (drop continue-on-error
-    # and run with -fail) after every detector has been migrated. See
-    # hack/checksecretparts/README.md.
-    name: checksecretparts (warning)
+    # Reports detector packages that construct detectors.Result without
+    # populating SecretParts. See hack/checksecretparts/README.md.
+    name: checksecretparts
     runs-on: ubuntu-latest
-    continue-on-error: true
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
           go-version: "1.25"
       - name: Run checksecretparts
-        run: go run ./hack/checksecretparts ./pkg/detectors
+        run: go run ./hack/checksecretparts -fail ./pkg/detectors