@@ -48,28 +48,35 @@ jobs:
4848 with :
4949 cache : true
5050
51- - name : Resolve PR commit range
51+ - name : Resolve commit range
5252 id : range
5353 env :
5454 EVENT_NAME : ${{ github.event_name }}
5555 PR_BASE_SHA : ${{ github.event.pull_request.base.sha }}
5656 PR_HEAD_SHA : ${{ github.event.pull_request.head.sha }}
57+ MG_BASE_SHA : ${{ github.event.merge_group.base_sha }}
58+ MG_HEAD_SHA : ${{ github.event.merge_group.head_sha }}
5759 run : |
5860 set -euo pipefail
5961 case "$EVENT_NAME" in
6062 pull_request)
6163 # Scan exactly the commits this PR introduces.
6264 echo "range=${PR_BASE_SHA}..${PR_HEAD_SHA}" >> "$GITHUB_OUTPUT"
6365 ;;
64- merge_group|workflow_dispatch|*)
65- # In the merge queue (and on manual dispatch) there is no PR diff to
66- # scope to; scan the full reachable history as a backstop.
67- echo "range=" >> "$GITHUB_OUTPUT"
66+ merge_group)
67+ # Scan only the queued merge commits — not full history. An empty
68+ # range would walk every ref and fail on secrets on other branches
69+ # (#334 merge-queue ejection).
70+ echo "range=${MG_BASE_SHA}..${MG_HEAD_SHA}" >> "$GITHUB_OUTPUT"
71+ ;;
72+ workflow_dispatch|*)
73+ # Manual dispatch: scan HEAD only (safe default, not full history).
74+ echo "range=HEAD" >> "$GITHUB_OUTPUT"
6875 ;;
6976 esac
7077 echo "Resolved GITLEAKS_RANGE='$(tail -n1 "$GITHUB_OUTPUT" | cut -d= -f2-)'"
7178
72- - name : Secret scan (gitleaks, PR range)
79+ - name : Secret scan (gitleaks, range-scoped )
7380 env :
7481 GITLEAKS_RANGE : ${{ steps.range.outputs.range }}
7582 run : mise run security:secrets:range
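Review bot: `range=HEAD` in the new `workflow_dispatch|*)` arm is not a HEAD-only scan: as a git revision expression, `HEAD` selects every commit reachable from the tip, so if `mise run security:secrets:range` passes `GITLEAKS_RANGE` through to git log (e.g. via gitleaks `--log-opts`), manual dispatch still walks the full history the comment says it avoids — the task definition is not visible here, so please confirm. A genuinely single-commit scope would be `echo "range=HEAD^..HEAD" >> "$GITHUB_OUTPUT"` (guarded for a root commit if that can ever occur in this job). The `*` catch-all also silently narrows every other trigger to that one commit — a `push` of several commits would have only its tip scanned — so if the workflow runs on push, a dedicated `push)` arm should use `github.event.before`/`github.sha` exposed through `env:` like the other SHAs rather than interpolated into the script. The enclosing `jobs:` stanza and the workflow's `on:` triggers start before this hunk and cannot be checked from this view.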