fix: preserve both PR secret scans

fix: scope PR secrets scanning to changed files
2026-03-08 13:18:00 -05:00 · 2026-03-08 13:03:27 -05:00
2 changed files with 32 additions and 17 deletions
--- a/.github/actions/ensure-base-commit/action.yml
+++ b/.github/actions/ensure-base-commit/action.yml
@ -44,4 +44,5 @@ runs:
          exit 0
        fi

-        echo "Base commit still unavailable after fetch attempts: $BASE_SHA"
+        echo "::error::Base commit still unavailable after fetch attempts: $BASE_SHA"
+        exit 1
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -267,6 +267,13 @@ jobs:
        with:
          submodules: false

+      - name: Ensure secrets base commit
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/ensure-base-commit
+        with:
+          base-sha: ${{ github.event.pull_request.base.sha }}
+          fetch-ref: ${{ github.event.pull_request.base.ref }}
+
      - name: Setup Node environment
        uses: ./.github/actions/setup-node-env
        with:
@ -296,37 +303,44 @@ jobs:
          python -m pip install --upgrade pip
          python -m pip install pre-commit

-      - name: Detect secrets
+      - name: Detect secrets and private keys
        run: |
          set -euo pipefail

+          detect_secrets_exit=0
+          detect_private_key_exit=0
+
          if [ "${{ github.event_name }}" = "push" ]; then
            echo "Running full detect-secrets scan on push."
-            pre-commit run --all-files detect-secrets
+            pre-commit run --all-files detect-secrets || detect_secrets_exit=$?
+            pre-commit run --all-files detect-private-key || detect_private_key_exit=$?
+            test "$detect_secrets_exit" -eq 0 -a "$detect_private_key_exit" -eq 0
            exit 0
          fi

          BASE="${{ github.event.pull_request.base.sha }}"
-          changed_files=()
-          if git rev-parse --verify "$BASE^{commit}" >/dev/null 2>&1; then
-            while IFS= read -r path; do
-              [ -n "$path" ] || continue
-              [ -f "$path" ] || continue
-              changed_files+=("$path")
-            done < <(git diff --name-only --diff-filter=ACMR "$BASE" HEAD)
+          if ! git rev-parse --verify "$BASE^{commit}" >/dev/null 2>&1; then
+            echo "::error::PR base commit is unavailable after fetch attempts: $BASE"
+            echo "Refusing to fall back to a full-repo secrets scan for pull requests."
+            exit 1
          fi

+          changed_files=()
+          while IFS= read -r path; do
+            [ -n "$path" ] || continue
+            [ -f "$path" ] || continue
+            changed_files+=("$path")
+          done < <(git diff --name-only --diff-filter=ACMR "$BASE" HEAD)
+
          if [ "${#changed_files[@]}" -gt 0 ]; then
-            echo "Running detect-secrets on ${#changed_files[@]} changed file(s)."
-            pre-commit run detect-secrets --files "${changed_files[@]}"
+            echo "Running secret scans on ${#changed_files[@]} changed file(s)."
+            pre-commit run detect-secrets --files "${changed_files[@]}" || detect_secrets_exit=$?
+            pre-commit run detect-private-key --files "${changed_files[@]}" || detect_private_key_exit=$?
+            test "$detect_secrets_exit" -eq 0 -a "$detect_private_key_exit" -eq 0
          else
-            echo "Falling back to full detect-secrets scan."
-            pre-commit run --all-files detect-secrets
+            echo "No added/copied/modified/renamed files to scan in this pull request."
          fi

-      - name: Detect committed private keys
-        run: pre-commit run --all-files detect-private-key
-
      - name: Audit changed GitHub workflows with zizmor
        run: |
          set -euo pipefail
Author	SHA1	Message	Date
Tak Hoffman	d15f069d9f	fix: preserve both PR secret scans	2026-03-08 13:18:00 -05:00
Tak Hoffman	17b9a221d8	fix: scope PR secrets scanning to changed files	2026-03-08 13:03:27 -05:00