From 17b9a221d8bdbaf1a7b70ca31c89b8c3652ee569 Mon Sep 17 00:00:00 2001
From: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
Date: Sun, 8 Mar 2026 13:03:27 -0500
Subject: [PATCH] fix: scope PR secrets scanning to changed files

---
 .github/workflows/ci.yml | 37 +++++++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 872228e006f..ecab46aabe0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -267,6 +267,13 @@ jobs:
         with:
           submodules: false
 
+      - name: Ensure secrets base commit
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/ensure-base-commit
+        with:
+          base-sha: ${{ github.event.pull_request.base.sha }}
+          fetch-ref: ${{ github.event.pull_request.base.ref }}
+
       - name: Setup Node environment
         uses: ./.github/actions/setup-node-env
         with:
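Review bot: The base commit is only ensured when `github.event_name == 'pull_request'`, while the secrets step later in this file branches on `push` versus everything else, so any other trigger this workflow may have (for example `merge_group` or `workflow_dispatch`, not visible in this diff) would reach the PR path with no base fetched and fail. Either widen this guard to every event that takes the PR path, or gate the scan step on `pull_request` explicitly so the two conditions cannot drift apart. A short why-comment above the step would also help the next reader: `# The secrets scan below diffs against base.sha and refuses to run without it.` What `ensure-base-commit` does with `fetch-ref` is outside this diff; if it interpolates the input into a `run:` shell, prefer passing it through `env:`.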
@@ -296,37 +303,39 @@ jobs:
           python -m pip install --upgrade pip
           python -m pip install pre-commit
 
-      - name: Detect secrets
+      - name: Detect secrets and private keys
         run: |
           set -euo pipefail
           if [ "${{ github.event_name }}" = "push" ]; then
             echo "Running full detect-secrets scan on push."
             pre-commit run --all-files detect-secrets
+            pre-commit run --all-files detect-private-key
             exit 0
           fi
 
           BASE="${{ github.event.pull_request.base.sha }}"
-          changed_files=()
-          if git rev-parse --verify "$BASE^{commit}" >/dev/null 2>&1; then
-            while IFS= read -r path; do
-              [ -n "$path" ] || continue
-              [ -f "$path" ] || continue
-              changed_files+=("$path")
-            done < <(git diff --name-only --diff-filter=ACMR "$BASE" HEAD)
+          if ! git rev-parse --verify "$BASE^{commit}" >/dev/null 2>&1; then
+            echo "::error::PR base commit is unavailable after fetch attempts: $BASE"
+            echo "Refusing to fall back to a full-repo secrets scan for pull requests."
+            exit 1
           fi
 
+          changed_files=()
+          while IFS= read -r path; do
+            [ -n "$path" ] || continue
+            [ -f "$path" ] || continue
+            changed_files+=("$path")
+          done < <(git diff --name-only --diff-filter=ACMR "$BASE" HEAD)
+
           if [ "${#changed_files[@]}" -gt 0 ]; then
-            echo "Running detect-secrets on ${#changed_files[@]} changed file(s)."
+            echo "Running secret scans on ${#changed_files[@]} changed file(s)."
             pre-commit run detect-secrets --files "${changed_files[@]}"
+            pre-commit run detect-private-key --files "${changed_files[@]}"
           else
-            echo "Falling back to full detect-secrets scan."
-            pre-commit run --all-files detect-secrets
+            echo "No added/copied/modified/renamed files to scan in this pull request."
           fi
 
-      - name: Detect committed private keys
-        run: pre-commit run --all-files detect-private-key
-
       - name: Audit changed GitHub workflows with zizmor
         run: |
           set -euo pipefail
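Review bot: The file list built by the new `while ... read` loop comes from `git diff --name-only`, which by default (`core.quotePath=true`) prints paths containing non-ASCII or control bytes as quoted C strings, so `[ -f "$path" ]` fails for those entries and the file is silently dropped from the PR scan — a contributor can keep a secret-bearing file out of the scan just by giving it such a name. Use NUL-delimited output instead: `done < <(git diff -z --name-only --diff-filter=ACMR "$BASE" HEAD)` together with `while IFS= read -r -d '' path; do`. The fail-closed `exit 1` when the base commit is missing is the right call; note that `--diff-filter=ACMR` also excludes type changes, so a symlink replaced by a regular file (`T`) is never scanned unless the filter becomes `ACMRT`.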