fix: scope PR secrets scanning to changed files

2026-03-12 07:20:45 +00:00 · 2026-03-08 13:03:27 -05:00
parent 74624e619d
commit 17b9a221d8
1 changed files with 23 additions and 14 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -267,6 +267,13 @@ jobs:
        with:
          submodules: false

+      - name: Ensure secrets base commit
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/ensure-base-commit
+        with:
+          base-sha: ${{ github.event.pull_request.base.sha }}
+          fetch-ref: ${{ github.event.pull_request.base.ref }}
+
      - name: Setup Node environment
        uses: ./.github/actions/setup-node-env
        with:
@@ -296,37 +303,39 @@ jobs:
          python -m pip install --upgrade pip
          python -m pip install pre-commit

-      - name: Detect secrets
+      - name: Detect secrets and private keys
        run: |
          set -euo pipefail

          if [ "${{ github.event_name }}" = "push" ]; then
            echo "Running full detect-secrets scan on push."
            pre-commit run --all-files detect-secrets
+            pre-commit run --all-files detect-private-key
            exit 0
          fi

          BASE="${{ github.event.pull_request.base.sha }}"
-          changed_files=()
-          if git rev-parse --verify "$BASE^{commit}" >/dev/null 2>&1; then
-            while IFS= read -r path; do
-              [ -n "$path" ] || continue
-              [ -f "$path" ] || continue
-              changed_files+=("$path")
-            done < <(git diff --name-only --diff-filter=ACMR "$BASE" HEAD)
+          if ! git rev-parse --verify "$BASE^{commit}" >/dev/null 2>&1; then
+            echo "::error::PR base commit is unavailable after fetch attempts: $BASE"
+            echo "Refusing to fall back to a full-repo secrets scan for pull requests."
+            exit 1
          fi

+          changed_files=()
+          while IFS= read -r path; do
+            [ -n "$path" ] || continue
+            [ -f "$path" ] || continue
+            changed_files+=("$path")
+          done < <(git diff --name-only --diff-filter=ACMR "$BASE" HEAD)
+
          if [ "${#changed_files[@]}" -gt 0 ]; then
-            echo "Running detect-secrets on ${#changed_files[@]} changed file(s)."
+            echo "Running secret scans on ${#changed_files[@]} changed file(s)."
            pre-commit run detect-secrets --files "${changed_files[@]}"
+            pre-commit run detect-private-key --files "${changed_files[@]}"
          else
-            echo "Falling back to full detect-secrets scan."
-            pre-commit run --all-files detect-secrets
+            echo "No added/copied/modified/renamed files to scan in this pull request."
          fi

-      - name: Detect committed private keys
-        run: pre-commit run --all-files detect-private-key
-
      - name: Audit changed GitHub workflows with zizmor
        run: |
          set -euo pipefail