fix: revert gitleaks trigger from pull_request_target to pull_request #161

Merged
arunSunnyKVS merged 1 commit into KeyValueSoftwareSystems:master from arunSunnyKVS:fix/gitleaks-pull-request-trigger
Jul 3, 2026
@arunSunnyKVS arunSunnyKVS commented Jul 3, 2026

Collaborator

Problem

The secret scan CI job fails with:

ERROR: The [pull_request_target] event is not yet supported

gitleaks/gitleaks-action@v2 only supports push, pull_request, workflow_dispatch, and schedule.

Solution

Revert the workflow trigger to pull_request and remove the explicit checkout ref override.

Changes

  • .github/workflows/secret-scan.yml

Issue

N/A

How to test

  1. Open a PR and confirm the gitleaks job runs successfully.
  2. Push to master and confirm the secret scan still runs on push.

Screenshots

N/A

Summary by CodeRabbit

  • Chores
    • Updated automated security-check handling for pull requests to use a safer default behavior.

gitleaks/gitleaks-action@v2 does not support the pull_request_target
event, causing the secret scan job to fail with:
"ERROR: The [pull_request_target] event is not yet supported"

Revert to pull_request which is both supported by gitleaks and the
safer trigger for scanning untrusted fork code. First-time fork
contributors will need a maintainer to approve the workflow run,
which is GitHub's intended behavior for external PRs.

Also removes the explicit ref override since pull_request already
checks out the correct merge commit by default.

Co-authored-by: Cursor <cursoragent@cursor.com>
coderabbitai Bot commented Jul 3, 2026

Walkthrough

The secret-scan GitHub Actions workflow changes its pull request trigger from pull_request_target to pull_request, and removes the explicit ref expression from the checkout step, causing the default checkout ref behavior to apply for PR events.

Changes

Secret Scan Workflow Changes

Layer / File(s) | Summary
Workflow trigger and checkout ref update (.github/workflows/secret-scan.yml) | Trigger changed from pull_request_target to pull_request; explicit ref removed from the checkout step.

Estimated code review effort: 1 (Trivial) | ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | It clearly summarizes the main change: switching the secret scan workflow from pull_request_target to pull_request.
Description check | ✅ Passed | It includes the required template sections and clearly explains the problem, solution, changes, testing, issue, and screenshots.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
@arunSunnyKVS arunSunnyKVS requested a review from jithin23-kv July 3, 2026 12:21
@arunSunnyKVS arunSunnyKVS merged commit ea7315e into KeyValueSoftwareSystems:master Jul 3, 2026
6 of 9 checks passed
@arunSunnyKVS arunSunnyKVS deleted the fix/gitleaks-pull-request-trigger branch July 3, 2026 12:23

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/secret-scan.yml (1)

21-24: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Handle fork PRs without GITLEAKS_LICENSE
Forked pull_request runs in this org-owned repo won’t receive GITLEAKS_LICENSE, so gitleaks/gitleaks-action@v2 will fail for external contributors. Gate this job to same-repo PRs or use a scan path that doesn’t depend on that secret here.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/secret-scan.yml around lines 21 - 24, The secret-scan
workflow currently runs gitleaks/gitleaks-action@v2 unconditionally and will
fail on forked pull_request runs because GITLEAKS_LICENSE is unavailable. Update
the secret-scan job in the workflow to only run for same-repo PRs, or switch the
scan step to a path that does not require GITLEAKS_LICENSE. Use the job/step
around gitleaks/gitleaks-action@v2 and the GITLEAKS_LICENSE env entry to locate
the change.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5ff6d55f-b410-4f3a-9b58-61568ce34130

📥 Commits

Reviewing files that changed from the base of the PR and between ac468ea and 7108974.

📒 Files selected for processing (1)
  • .github/workflows/secret-scan.yml

arunSunnyKVS added a commit that referenced this pull request Jul 3, 2026
* docs: sync agents.md with execute phase-module refactor

* fix: revert gitleaks trigger from pull_request_target to pull_request (#161)
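
Added example (not part of the pull request or the repository's actual workflow file): a secret-scan workflow on the pull_request trigger with the default checkout ref, plus the same-repo gate the review suggests for fork PRs that do not receive GITLEAKS_LICENSE. The workflow name, job name, branch filter and the actions/checkout version are assumptions.

```yaml
# Constructed example; not the contents of .github/workflows/secret-scan.yml.
name: secret-scan            # assumed name

on:
  push:
    branches: [master]       # assumed filter; the PR only says the scan runs on push to master
  pull_request:              # supported by gitleaks/gitleaks-action@v2; fork runs get no repository secrets
  # pull_request_target is deliberately absent: the action rejects it, and it
  # would run with the base repository's secrets while handling fork code.

jobs:
  gitleaks:                  # assumed job name
    # Same-repo gate: run on push, and on PRs whose head branch lives in this
    # repository. Fork PRs are skipped because GITLEAKS_LICENSE is not
    # available to them and the action would fail.
    if: >-
      github.event_name != 'pull_request' ||
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # assumed version
        with:
          fetch-depth: 0            # full history so the commit range can be scanned
          # No `ref:` override: on pull_request the default ref is the PR merge commit.
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
```

With this gate, fork PRs are skipped by this job rather than scanned; the push trigger still scans those commits once they land on master.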