From 9d68c6768ae2985fddb9715e47fcc03afb559006 Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Thu, 30 Apr 2026 02:43:00 -0700
Subject: [PATCH] ci: shallow checkout OpenGrep PR scan
---
 .github/workflows/opengrep-precise.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/opengrep-precise.yml b/.github/workflows/opengrep-precise.yml
index c5eec261b61..5c535adebb3 100644
--- a/.github/workflows/opengrep-precise.yml
+++ b/.github/workflows/opengrep-precise.yml
@@ -11,6 +11,7 @@ on:
 pull_request:
 types: [opened, synchronize, reopened, ready_for_review]
 paths:
+ - ".github/actions/ensure-base-commit/**"
 - ".github/workflows/opengrep-precise.yml"
 - ".github/workflows/opengrep-precise-full.yml"
 - ".semgrepignore"
@@ -42,9 +43,17 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v6
 with:
+ ref: ${{ github.sha }}
+ fetch-depth: 1
+ fetch-tags: false
 persist-credentials: false
- # `scripts/run-opengrep.sh --changed` diffs base...HEAD.
- fetch-depth: 0
+ submodules: false
+
+ - name: Ensure PR base commit
+ uses: ./.github/actions/ensure-base-commit
+ with:
+ base-sha: ${{ github.event.pull_request.base.sha }}
+ fetch-ref: ${{ github.event.pull_request.base.ref }}
 
 - name: Install opengrep
 env:
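Review bot: The removed comment was the only record that `scripts/run-opengrep.sh --changed` diffs `base...HEAD`, and the new `fetch-depth: 1` checkout now depends on the `Ensure PR base commit` step for that diff to resolve, with nothing on the step saying so. I would keep the explanation on the new step, e.g. `# scripts/run-opengrep.sh --changed diffs base...HEAD; the shallow checkout above does not fetch the base commit.` Neither the script nor the action is visible in this patch, so it is worth confirming that a three-dot diff still finds a merge base when HEAD is a depth-1 commit, and that the job fails rather than treating an unresolvable diff as "no changed files", since an empty file list would let the security scan pass without scanning anything. The job's step list continues past the end of the hunk.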