Skip to content

fix: broken gitleaks ci for fork#158

Merged
jithin23-kv merged 1 commit into
KeyValueSoftwareSystems:masterfrom
jithin23-kv:fix/gitleaks-i-fix-for-forks
Jul 3, 2026
Merged

fix: broken gitleaks ci for fork#158
jithin23-kv merged 1 commit into
KeyValueSoftwareSystems:masterfrom
jithin23-kv:fix/gitleaks-i-fix-for-forks

Conversation

@jithin23-kv

@jithin23-kv jithin23-kv commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Problem

Fork PRs failed the Secret Scan check — pull_request events don't get repo/org secrets when the PR comes from a fork, so GITLEAKS_LICENSE was empty and gitleaks errored out.

Solution

Switch the workflow to pull_request_target so it runs with base-repo secrets, while explicitly checking out the PR's head SHA (since pull_request_target defaults to the base branch) and scoping GITHUB_TOKEN to read-only.

Changes

  • .github/workflows/secret-scan.yml

Summary by CodeRabbit

  • Bug Fixes
    • Improved the reliability of automated security checks on incoming changes.
    • Tightened workflow access to use only the minimum needed permissions.

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

The secret-scan GitHub Actions workflow trigger was changed from pull_request to pull_request_target, explicit contents: read permissions were added, and the checkout step's ref was updated to use the pull request head SHA with a fallback to the current SHA.

Changes

Workflow Trigger Update

Layer / File(s) Summary
Update trigger, permissions, and checkout ref
.github/workflows/secret-scan.yml
Trigger changed to pull_request_target, contents: read permission added, and checkout ref set to PR head SHA with fallback.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

Suggested reviewers: arunSunnyKVS

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and matches the main change: fixing the fork PR Gitleaks workflow.
Description check ✅ Passed The description fills the key template sections and clearly explains the problem, solution, and changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/secret-scan.yml:
- Line 4: The secret-scan workflow is using pull_request_target while checking
out PR-head content, which exposes GITLEAKS_LICENSE to fork-controlled code.
Update the secret-scan workflow to avoid running the scan on untrusted PR-head
checkout under pull_request_target; split it into an unprivileged pull_request
or workflow_run flow, or ensure any secret-using step is executed only against
trusted repository content and not github.event.pull_request.head.sha. Use the
secret-scan workflow and its checkout/scan steps as the places to adjust.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 970851cf-4d9d-4577-9365-6b5a52cc0dd2

📥 Commits

Reviewing files that changed from the base of the PR and between 62b8ed1 and 946ab98.

📒 Files selected for processing (1)
  • .github/workflows/secret-scan.yml

Comment thread .github/workflows/secret-scan.yml
@jithin23-kv jithin23-kv merged commit e0be561 into KeyValueSoftwareSystems:master Jul 3, 2026
7 checks passed
@jithin23-kv jithin23-kv deleted the fix/gitleaks-i-fix-for-forks branch July 3, 2026 10:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants