|
39 | 39 | - name: Checkout repository |
40 | 40 | uses: actions/checkout@v4 |
41 | 41 | with: |
42 | | - fetch-depth: 0 |
43 | | - |
44 | | - - name: Fetch PR head commits |
45 | | - if: github.event_name != 'workflow_dispatch' |
46 | | - run: | |
47 | | - # Fetch PR commits using GitHub's merge ref (works for all PRs including forks) |
48 | | - git fetch origin +refs/pull/${{ github.event.pull_request.number }}/head:refs/remotes/origin/pr-head |
49 | | - echo "Fetched PR #${{ github.event.pull_request.number }} head commit: ${{ github.event.pull_request.head.sha }}" |
| 42 | + ref: ${{ github.event.pull_request.head.sha }} |
| 43 | + fetch-depth: 1 |
50 | 44 |
|
51 | 45 | - name: Setup exclude config |
52 | 46 | id: config |
|
73 | 67 | uses: trufflesecurity/trufflehog@main |
74 | 68 | continue-on-error: true |
75 | 69 | with: |
76 | | - base: ${{ github.event.pull_request.base.sha }} |
| 70 | + base: ${{ github.event.pull_request.head.sha }}~1 |
77 | 71 | head: ${{ github.event.pull_request.head.sha }} |
78 | 72 | extra_args: --json ${{ steps.config.outputs.exclude_args }} |
79 | 73 |
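Review bot: Replacing `base.sha` with `head.sha~1` in the trufflehog `base:` input (new line 70) narrows the scan window to the single newest commit of the PR, so a secret committed earlier in a multi-commit PR is no longer scanned; the same narrowing is applied to `--since-commit` in the docker fallback (new line 87). The checkout was also changed to `fetch-depth: 1` (new line 43), which presumably leaves the parent commit absent from the clone, so `~1` likely cannot be resolved and `continue-on-error: true` would mask that failure instead of surfacing it. If the goal is only to avoid a stale base ref, keeping `base: ${{ github.event.pull_request.base.sha }}` together with `fetch-depth: 0` preserves full-PR coverage; if scanning only the head commit is intentional, say so on the step, e.g. `# Scans only the PR head commit; earlier commits in the PR are not covered`.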
|
|
90 | 84 | SCAN_OUTPUT=$(docker run --rm -v "$(pwd)":/tmp -w /tmp \ |
91 | 85 | ghcr.io/trufflesecurity/trufflehog:latest \ |
92 | 86 | git file:///tmp/ \ |
93 | | - --since-commit ${{ github.event.pull_request.base.sha }} \ |
| 87 | + --since-commit ${{ github.event.pull_request.head.sha }}~1 \ |
94 | 88 | --branch ${{ github.event.pull_request.head.sha }} \ |
95 | 89 | --json \ |
96 | 90 | ${{ steps.config.outputs.exclude_args }} \ |
@@ -176,7 +170,7 @@ jobs: |
176 | 170 | if (!hasSecrets) { |
177 | 171 | // No secrets found |
178 | 172 | if (existing) { |
179 | | - // Update existing comment to show secrets are now resolved |
| 173 | + // Update to show secrets are now resolved (whether verified or unverified) |
180 | 174 | body = `${commentMarker} |
181 | 175 | ## :white_check_mark: Secret Scanning Passed |
182 | 176 |
|
|