Summary
In PR workflows, the secrets job computes changed files using github.event.pull_request.base.sha, but checkout uses fetch-depth: 1.
When the base commit is not present locally, the script falls back to pre-commit run --all-files detect-secrets, which can fail on known baseline noise unrelated to the PR diff.
Evidence
Recent PR run on #33298:
- secrets step logs: "Falling back to full detect-secrets scan."
- checkout config shows fetch-depth: 1
Expected
PR secrets job should reliably scan changed files only (or fetch enough history to do so), and avoid full-repo fallback caused purely by shallow history.
Proposed fix
- Add ./.github/actions/ensure-base-commit before the secrets diff path on PR events
- Use env-indirected GitHub context values in shell (PR_BASE_SHA, PUSH_BEFORE_SHA) to keep zizmor/template-injection checks clean
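For illustration, here is a workflow fragment that implements both proposed points. It is an added example, not the project's own workflow or its ensure-base-commit action: the base-commit fetch is inlined into the step instead of calling the composite action, and the job name, hook id, and step layout are assumptions. Two things it shows that the text above only states: (1) with fetch-depth: 1 the base SHA must be fetched explicitly before git diff can use it, and the full-repo fallback should only trigger when that fetch genuinely fails; (2) GitHub context goes into the shell through env, so the ${{ }} expression is expanded by the runner rather than spliced into the script, which is what keeps template-injection checks (zizmor) clean.

```yaml
# Added example (not the project's workflow). Job name, hook id and paths are assumptions.
name: secrets
on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1            # shallow clone: the PR base commit is not present yet
          persist-credentials: false

      - name: Scan only changed files for secrets
        env:
          # Env indirection: never interpolate ${{ }} directly inside `run`.
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PUSH_BEFORE_SHA: ${{ github.event.before }}
        run: |
          set -euo pipefail
          if [ -n "${PR_BASE_SHA}" ]; then
            base="${PR_BASE_SHA}"
          else
            base="${PUSH_BEFORE_SHA}"
          fi

          # Ensure the base commit exists locally; with fetch-depth: 1 it normally does not.
          # The fetch is allowed to fail (e.g. all-zero "before" SHA on branch creation).
          if ! git cat-file -e "${base}^{commit}" 2>/dev/null; then
            git fetch --no-tags --depth=1 origin "${base}" || true
          fi

          if git cat-file -e "${base}^{commit}" 2>/dev/null; then
            # Tree-to-tree diff works on a shallow clone once both commits are present.
            git diff --name-only --diff-filter=ACMR -z "${base}" HEAD \
              | xargs -0 -r pre-commit run detect-secrets --files
          else
            # Only reached when the base commit truly cannot be fetched,
            # not merely because the clone was shallow.
            echo "Base commit ${base} unavailable; falling back to full detect-secrets scan."
            pre-commit run --all-files detect-secrets
          fi
```

The diff-filter keeps deleted files out of the list handed to pre-commit, and xargs -r avoids invoking the hook with no files when the PR touches nothing scannable. If the repository's composite action already does the fetch, the first if block is what it would replace.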
Related