
Commit 0a33191

committed
PDP-684: updated workflow to checkout only head commit
1 parent 0666566 commit 0a33191


1 file changed

+5
-11
lines changed


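--- a/.github/workflows/trufflehog-scan.yml
+++ b/.github/workflows/trufflehog-scan.yml
@@ -39,14 +39,8 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
 with:
-fetch-depth: 0
-
-- name: Fetch PR head commits
-if: github.event_name != 'workflow_dispatch'
-run: |
-# Fetch PR commits using GitHub's merge ref (works for all PRs including forks)
-git fetch origin +refs/pull/${{ github.event.pull_request.number }}/head:refs/remotes/origin/pr-head
-echo "Fetched PR #${{ github.event.pull_request.number }} head commit: ${{ github.event.pull_request.head.sha }}"
+ref: ${{ github.event.pull_request.head.sha }}
+fetch-depth: 1
 
 - name: Setup exclude config
 id: config
@@ -73,7 +67,7 @@ jobs:
 uses: trufflesecurity/trufflehog@main
 continue-on-error: true
 with:
-base: ${{ github.event.pull_request.base.sha }}
+base: ${{ github.event.pull_request.head.sha }}~1
 head: ${{ github.event.pull_request.head.sha }}
 extra_args: --json ${{ steps.config.outputs.exclude_args }}
 
@@ -90,7 +84,7 @@ jobs:
 SCAN_OUTPUT=$(docker run --rm -v "$(pwd)":/tmp -w /tmp \
 ghcr.io/trufflesecurity/trufflehog:latest \
 git file:///tmp/ \
---since-commit ${{ github.event.pull_request.base.sha }} \
+--since-commit ${{ github.event.pull_request.head.sha }}~1 \
 --branch ${{ github.event.pull_request.head.sha }} \
 --json \
 ${{ steps.config.outputs.exclude_args }} \
@@ -176,7 +170,7 @@ jobs:
 if (!hasSecrets) {
 // No secrets found
 if (existing) {
-// Update existing comment to show secrets are now resolved
+// Update to show secrets are now resolved (whether verified or unverified)
 body = `${commentMarker}
 ## :white_check_mark: Secret Scanning Passed
 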
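Review bot: The new scan range `base: ${{ github.event.pull_request.head.sha }}~1` (and the matching `--since-commit ...~1` in the docker fallback) covers only the PR's final commit, so a secret introduced in an earlier commit of a multi-commit PR and never removed is no longer scanned, whereas the replaced `base.sha` range covered every commit in the PR. Worse, with `fetch-depth: 1` the checkout holds only `head.sha` as a shallow boundary, so `head~1` is unlikely to resolve at all in that clone, and the pre-existing `continue-on-error: true` on the action step means that failure would not fail the job. I would restore `fetch-depth: 0` and `base: ${{ github.event.pull_request.base.sha }}` in both scan steps, or at minimum fetch `${{ github.event.pull_request.commits + 1 }}` commits so the whole PR range is present, and have the step fail when the range cannot be resolved. The deleted step also guarded on `github.event_name != 'workflow_dispatch'`; the new `ref:` and `base:` expressions expand to empty and `~1` on a manual run, which needs an explicit guard if that trigger is still declared above this hunk.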