Fix secret scan timestamps (#190)

* Improve secret-scan timestamps

* comments

* more resiliency

* change always to not cancelled

Author: geoffg-sentry

.github/workflows/secret-scan.yml

@@ -60,11 +60,42 @@ jobs:
           fi
       - name: Send Alert to SIEM
         id: alert
+        env:
+          SIEM_WEBHOOK_URL: ${{ vars.SECRET_SCAN_SIEM_WEBHOOK_URL }}
+          SCAN_OUTCOME: ${{ steps.scan.outcome }}
+          REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_CREATED_AT: ${{ github.event.pull_request.created_at }}
+          PR_ACTOR: ${{ github.event.pull_request.user.login }}
+          EVENT_ACTOR: ${{ github.actor }}
         run: |
-          if [[ -n "${{vars.SECRET_SCAN_SIEM_WEBHOOK_URL}}" ]]; then
-            curl "${{vars.SECRET_SCAN_SIEM_WEBHOOK_URL}}" \
-              --data '{"event":"github_secret_scanning", "status":"${{steps.scan.outcome}}", "createdAt":"${{ github.event.pull_request.created_at }}", "repo":"${{ github.repository }}","pull_request":"https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}","actor":"${{ github.event.pull_request.user.login }}"}'
+          if [[ -z "$SIEM_WEBHOOK_URL" ]]; then
+            exit 0
           fi
+
+          # On merge_group events there is no pull_request context, so PR-derived
+          # fields are empty. Use current timestamp as next best effort.
+          created_at="${PR_CREATED_AT:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
+          actor="${PR_ACTOR:-$EVENT_ACTOR}"
+          if [[ -n "$PR_NUMBER" ]]; then
+            pull_request="https://github.com/${REPO}/pull/${PR_NUMBER}"
+          else
+            pull_request=""
+          fi
+
+          jq -n \
+            --arg event "github_secret_scanning" \
+            --arg status "$SCAN_OUTCOME" \
+            --arg createdAt "$created_at" \
+            --arg repo "$REPO" \
+            --arg pull_request "$pull_request" \
+            --arg actor "$actor" \
+            '{event: $event, status: $status, createdAt: $createdAt, repo: $repo, pull_request: $pull_request, actor: $actor}' \
+            | curl --fail --silent --show-error \
+                -H "Content-Type: application/json" \
+                --data @- \
+                "$SIEM_WEBHOOK_URL" \
+              || echo "::warning::SIEM alert failed (non-blocking)"
       - name: Fail workflow if secret detected
-        if: steps.scan.outcome != 'success'
+        if: ${{ !cancelled() && steps.scan.outcome != 'success' }}
         run: exit 1