fix: preserve both PR secret scans

2026-03-12 07:20:45 +00:00 · 2026-03-08 13:18:00 -05:00
parent 17b9a221d8
commit d15f069d9f
2 changed files with 11 additions and 5 deletions
--- a/.github/actions/ensure-base-commit/action.yml
+++ b/.github/actions/ensure-base-commit/action.yml
@@ -44,4 +44,5 @@ runs:
          exit 0
        fi

-        echo "Base commit still unavailable after fetch attempts: $BASE_SHA"
+        echo "::error::Base commit still unavailable after fetch attempts: $BASE_SHA"
+        exit 1
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -307,10 +307,14 @@ jobs:
        run: |
          set -euo pipefail

+          detect_secrets_exit=0
+          detect_private_key_exit=0
+
          if [ "${{ github.event_name }}" = "push" ]; then
            echo "Running full detect-secrets scan on push."
-            pre-commit run --all-files detect-secrets
-            pre-commit run --all-files detect-private-key
+            pre-commit run --all-files detect-secrets || detect_secrets_exit=$?
+            pre-commit run --all-files detect-private-key || detect_private_key_exit=$?
+            test "$detect_secrets_exit" -eq 0 -a "$detect_private_key_exit" -eq 0
            exit 0
          fi

@@ -330,8 +334,9 @@ jobs:

          if [ "${#changed_files[@]}" -gt 0 ]; then
            echo "Running secret scans on ${#changed_files[@]} changed file(s)."
-            pre-commit run detect-secrets --files "${changed_files[@]}"
-            pre-commit run detect-private-key --files "${changed_files[@]}"
+            pre-commit run detect-secrets --files "${changed_files[@]}" || detect_secrets_exit=$?
+            pre-commit run detect-private-key --files "${changed_files[@]}" || detect_private_key_exit=$?
+            test "$detect_secrets_exit" -eq 0 -a "$detect_private_key_exit" -eq 0
          else
            echo "No added/copied/modified/renamed files to scan in this pull request."
          fi