fix: revert gitleaks trigger from pull_request_target to pull_request #161
gitleaks/gitleaks-action@v2 does not support the pull_request_target event, causing the secret scan job to fail with: "ERROR: The [pull_request_target] event is not yet supported"

Revert to pull_request, which is both supported by gitleaks and the safer trigger for scanning untrusted fork code. First-time fork contributors will need a maintainer to approve the workflow run, which is GitHub's intended behavior for external PRs.

Also removes the explicit ref override, since pull_request already checks out the correct merge commit by default.

Co-authored-by: Cursor <cursoragent@cursor.com>
Walkthrough: The secret-scan GitHub Actions workflow changes its pull request trigger from
Changes: Secret Scan Workflow Changes
Estimated code review effort: 1 (Trivial) | ~3 minutes
Pre-merge checks: 5 passed
ea7315e into KeyValueSoftwareSystems:master
⚠️ Outside diff range comments (1)

.github/workflows/secret-scan.yml (1)

Lines 21-24: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win: Handle fork PRs without `GITLEAKS_LICENSE`

Forked `pull_request` runs in this org-owned repo won't receive `GITLEAKS_LICENSE`, so `gitleaks/gitleaks-action@v2` will fail for external contributors. Gate this job to same-repo PRs or use a scan path that doesn't depend on that secret here.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/secret-scan.yml around lines 21 - 24, the secret-scan workflow currently runs gitleaks/gitleaks-action@v2 unconditionally and will fail on forked pull_request runs because GITLEAKS_LICENSE is unavailable. Update the secret-scan job in the workflow to only run for same-repo PRs, or switch the scan step to a path that does not require GITLEAKS_LICENSE. Use the job/step around gitleaks/gitleaks-action@v2 and the GITLEAKS_LICENSE env entry to locate the change.
📒 Files selected for processing (1)
.github/workflows/secret-scan.yml
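One way to combine the revert to `pull_request` with the reviewer's suggestion for fork PRs. This is an added example, not the repository's actual secret-scan.yml; the `if:` gating expressions, the fork-only CLI job, and the `ghcr.io/gitleaks/gitleaks` image are assumptions.

```yaml
name: Secret Scan

on:
  push:
    branches: [master]
  # pull_request is supported by gitleaks-action and runs fork code with a
  # read-only token and no repository secrets. pull_request_target is avoided:
  # it grants secrets and a write token to a run that may check out untrusted code.
  pull_request:

permissions:
  contents: read

jobs:
  secret-scan:
    runs-on: ubuntu-latest
    # Fork PRs in an org-owned repo do not receive GITLEAKS_LICENSE, so the
    # licensed action would fail. Run it only on push and same-repo PRs.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so every commit in the PR range is scanned
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

  secret-scan-fork:
    runs-on: ubuntu-latest
    # Alternative scan path for forks that needs no license secret: the gitleaks
    # CLI from its container image (assumed image path), so external PRs are
    # still checked instead of silently skipped.
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run gitleaks CLI (no GITLEAKS_LICENSE required)
        run: |
          docker run --rm -v "$PWD:/repo" ghcr.io/gitleaks/gitleaks:latest \
            detect --source /repo --redact --verbose
```

With `--redact`, any finding in the fork job's log shows the rule and location but not the secret value itself.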
* docs: sync agents.md with execute phase-module refactor
* fix: revert gitleaks trigger from pull_request_target to pull_request (#161)
Problem

The secret scan CI job fails with:

`gitleaks/gitleaks-action@v2` only supports `push`, `pull_request`, `workflow_dispatch`, and `schedule`.

Solution

Revert the workflow trigger to `pull_request` and remove the explicit checkout `ref` override.

Changes

.github/workflows/secret-scan.yml

Issue

N/A

How to test

master and confirm the secret scan still runs on push.

Screenshots

N/A

Summary by CodeRabbit