fix: address PR review — button height, one-shot fetch, query cap #651
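---
# Security gate: run TruffleHog over the commits introduced by a push or a
# pull request and fail the job when a *verified* (live) secret is found.
name: "Security Gate: Secret Scanning"

# yamllint disable-line rule:truthy
on:
  push:
    branches: ["**"]
  pull_request:
    branches: [main, master]

jobs:
  trufflehog:
    name: Scan for Verified Secrets
    runs-on: ubuntu-latest
    permissions:
      contents: read  # Required to scan the code in the PR; no write scope is needed
    steps:
      - name: Checkout code
        # TODO(review): consider pinning to a full commit SHA instead of the
        # mutable major tag so a moved tag cannot change what runs here.
        uses: actions/checkout@v6
        with:
          fetch-depth: 0  # necessary to support the scoping requirements below

      - name: Resolve scan range
        id: scan_range
        # Event data is handed to the script via env, not interpolated into
        # the script body, so values under external control cannot inject shell.
        env:
          EVENT_NAME: ${{ github.event_name }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          PUSH_BASE_SHA: ${{ github.event.before }}
          PUSH_HEAD_SHA: ${{ github.sha }}
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
        run: |
          set -euo pipefail
          zero_sha="0000000000000000000000000000000000000000"
          if [[ "$EVENT_NAME" == "pull_request" ]]; then
            base="$PR_BASE_SHA"
            head="$PR_HEAD_SHA"
          else
            base="$PUSH_BASE_SHA"
            head="$PUSH_HEAD_SHA"
            # A newly created branch reports an empty or all-zero "before" SHA;
            # there is no prior commit to diff against, so scan relative to the
            # default branch (resolvable because of fetch-depth: 0 above).
            if [[ -z "$base" || "$base" == "$zero_sha" ]]; then
              base="origin/$DEFAULT_BRANCH"
            fi
          fi
          echo "base=$base" >> "$GITHUB_OUTPUT"
          echo "head=$head" >> "$GITHUB_OUTPUT"

      - name: TruffleHog OSS
        id: trufflehog
        # Use a concrete released ref that resolves in upstream action registry.
        # v3 (major tag) is not published by trufflesecurity/trufflehog.
        uses: trufflesecurity/trufflehog@v3.93.8
        with:
          path: ./
          base: ${{ steps.scan_range.outputs.base }}
          head: ${{ steps.scan_range.outputs.head }}
          # NOTE(review): --debug makes the job log considerably more verbose;
          # confirm the extra output is acceptable in this repository's logs.
          extra_args: --only-verified --debug

      - name: Notify on Failure
        # failure() is required here: an `if` expression with no status
        # function gets an implicit success(), so the original condition was
        # skipped exactly when the TruffleHog step failed and the guidance
        # below was never printed. outcome is checked as well so a failed
        # checkout does not trigger the "secrets found" message.
        if: failure() && steps.trufflehog.outcome == 'failure'
        run: |
          echo "::error::Verified secrets found! This PR contains live credentials that must be rotated immediately."
          echo "::notice::If these secrets are already in the commit history, they cannot be removed via a simple removal commit/push. A repository owner can contact GitHub Support to purge the cached data: https://support.github.com/contact/private-information"
          exit 1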