ci: shallow checkout OpenGrep PR scan

2026-05-06 09:40:43 +00:00 · 2026-04-30 02:43:00 -07:00
parent 9f0bf1c71e
commit 9d68c6768a
1 changed files with 11 additions and 2 deletions
--- a/.github/workflows/opengrep-precise.yml
+++ b/.github/workflows/opengrep-precise.yml
@@ -11,6 +11,7 @@ on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    paths:
+      - ".github/actions/ensure-base-commit/**"
      - ".github/workflows/opengrep-precise.yml"
      - ".github/workflows/opengrep-precise-full.yml"
      - ".semgrepignore"
@@ -42,9 +43,17 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v6
        with:
+          ref: ${{ github.sha }}
+          fetch-depth: 1
+          fetch-tags: false
          persist-credentials: false
-          # `scripts/run-opengrep.sh --changed` diffs base...HEAD.
-          fetch-depth: 0
+          submodules: false
+
+      - name: Ensure PR base commit
+        uses: ./.github/actions/ensure-base-commit
+        with:
+          base-sha: ${{ github.event.pull_request.base.sha }}
+          fetch-ref: ${{ github.event.pull_request.base.ref }}

      - name: Install opengrep
        env: