fix(ci): split TruffleHog scan by event type#49

Merged
huximaxi merged 1 commit into main from fix/trufflehog-workflow on May 17, 2026

Conversation

@huximaxi
Owner

Summary

Hotfix for the secrets-scan workflow shipped in PR #48. TruffleHog went red on the post-merge push to main with `BASE and HEAD commits are the same. TruffleHog won't scan anything` (the action exits 1 by design when this happens).

Root cause

The original step passed `base: ${{ github.event.repository.default_branch }}` (which renders to the literal string `main`) and `head: HEAD` unconditionally. On a push event to main, both resolve to the same commit SHA. PR runs worked because PR events resolve `main` to the merge-base of the target branch, which differs from the PR HEAD.

Fix

Split the TruffleHog step into two event-conditional steps:

  • `pull_request` events: scan the diff between `github.event.pull_request.base.sha` and `github.event.pull_request.head.sha`. Fast, focused, scoped to what the PR introduces.
  • `push` to main and the weekly `schedule`: scan the full filesystem via `path: ./`. Slower but comprehensive; catches anything that slipped past the PR diff (rebases, force-pushes, action regressions).

Gitleaks is unchanged — it does not have the BASE==HEAD failure mode and runs the same way for both events.

Test plan

  • Workflow runs green on this PR (PR-event path)
  • After merge: workflow runs green on the post-merge push to main (push-event path, which was the failing case)
  • Weekly schedule fires successfully on the next Monday 06:17 UTC

Notes

This is the kind of CI configuration that is easier to verify by merging and watching than by speculation. If something else breaks, the iteration cost is one commit.

🤖 Generated with Claude Code
Provenance: agent-authored, human-reviewed
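The PR's own diff is not shown on this page. The workflow below is an added reconstruction of the two-step split the description explains, written here as an example rather than copied from the repository; the action references (`trufflesecurity/trufflehog@main`, `gitleaks/gitleaks-action@v2`, `actions/checkout@v4`), the job names and the `--only-verified` flag are assumptions, and the cron expression is taken from the test plan's Monday 06:17 UTC schedule. The key point is that `base`/`head` are only passed on `pull_request`, where they are guaranteed to differ, and the `push`/`schedule` path omits them so the action never hits the BASE==HEAD exit.

```yaml
# Added example, not the project's workflow file. Assumed action refs and names.
name: secret-scan

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "17 6 * * 1"   # Monday 06:17 UTC (from the PR test plan)

permissions:
  contents: read

jobs:
  trufflehog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0     # full history so a commit-range scan has both endpoints

      # PR path: base and head come from the PR event itself, so they always
      # differ (the PR cannot have zero commits against its target).
      - name: TruffleHog (PR diff)
        if: github.event_name == 'pull_request'
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.pull_request.base.sha }}
          head: ${{ github.event.pull_request.head.sha }}
          extra_args: --only-verified   # assumed: report only verified findings

      # Push-to-main and schedule path: no base/head at all. Passing
      # `base: main` here is what produced "BASE and HEAD commits are the same".
      # Per the PR description, `path: ./` alone yields the full scan.
      - name: TruffleHog (full scan)
        if: github.event_name == 'push' || github.event_name == 'schedule'
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          extra_args: --only-verified

  # Gitleaks has no BASE==HEAD failure mode, so one unconditional step covers
  # every event type, as the PR states.
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

A quick check that the split behaves as intended is to confirm that exactly one TruffleHog step appears as "run" (not "skipped") in each of the three trigger types: a PR run, the post-merge push to main, and the next scheduled run. If both steps show as skipped on some event, the `if:` conditions do not cover that `github.event_name` and the repo is silently unscanned on that path.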

The original step passed `base: main` and `head: HEAD` unconditionally.
On a push to main, the GitHub event resolves both to the same commit
SHA, and the trufflehog-action exits 1 by design ("BASE and HEAD
commits are the same. TruffleHog won't scan anything").

Fix: split into two conditional steps.

- On `pull_request` events: scan the diff between PR base SHA and PR
  head SHA. Fast, focused, catches secrets introduced in the PR.
- On `push` to main and on the weekly `schedule`: scan the entire
  filesystem via `path: ./`. Slower but comprehensive; catches
  anything that slipped past the PR diff (rebases, force-pushes, or
  the action's own future regressions).

Gitleaks unchanged; it does not have the BASE==HEAD failure mode.

Co-Authored-By: Vesper (Claude Opus 4.7) <noreply@anthropic.com>
Provenance: agent-authored, human-reviewed
@huximaxi huximaxi merged commit f72c236 into main May 17, 2026
2 checks passed