From 62d8b8ed32cb7f3c9fcc544febf4811f51e74961 Mon Sep 17 00:00:00 2001
From: bgagent
Date: Fri, 12 Jun 2026 17:34:50 -0500
Subject: [PATCH] fix(ci): scope gitleaks to merge_group commit range (#327)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Merge-queue runs of security-pr.yml left GITLEAKS_RANGE empty, which triggered a full-history gitleaks scan and failed on secrets living on other branches — ejecting otherwise-green PRs (e.g. #334) from the queue. Use merge_group.base_sha..head_sha for queued merges and HEAD for manual dispatch instead of scanning all reachable refs.

Co-authored-by: Cursor
---
 .github/workflows/security-pr.yml | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml
index 89afa56c..c1f3938c 100644
--- a/.github/workflows/security-pr.yml
+++ b/.github/workflows/security-pr.yml
@@ -48,12 +48,14 @@ jobs:
         with:
           cache: true
 
-      - name: Resolve PR commit range
+      - name: Resolve commit range
         id: range
         env:
           EVENT_NAME: ${{ github.event_name }}
           PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
           PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          MG_BASE_SHA: ${{ github.event.merge_group.base_sha }}
+          MG_HEAD_SHA: ${{ github.event.merge_group.head_sha }}
         run: |
           set -euo pipefail
           case "$EVENT_NAME" in
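Review bot: `MG_BASE_SHA` and `MG_HEAD_SHA` are only usable if both objects exist in the local clone, and the checkout step that precedes this hunk is not visible here; if it runs `actions/checkout` with its default `fetch-depth: 1`, `merge_group.base_sha` will typically not be fetched and the later range scan would fail with an unknown-revision error rather than a secret finding. Confirm the checkout uses a depth that covers the queued commits (`fetch-depth: 0`, or a `git fetch origin "$MG_BASE_SHA"` in the range step). A short comment on the two new env lines would help the next reader, e.g. `# merge_group carries no pull_request context; its own base/head SHAs bound the queued commits`.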
@@ -61,15 +63,20 @@ jobs:
               # Scan exactly the commits this PR introduces.
               echo "range=${PR_BASE_SHA}..${PR_HEAD_SHA}" >> "$GITHUB_OUTPUT"
               ;;
-            merge_group|workflow_dispatch|*)
-              # In the merge queue (and on manual dispatch) there is no PR diff to
-              # scope to; scan the full reachable history as a backstop.
-              echo "range=" >> "$GITHUB_OUTPUT"
+            merge_group)
+              # Scan only the queued merge commits — not full history. An empty
+              # range would walk every ref and fail on secrets on other branches
+              # (#334 merge-queue ejection).
+              echo "range=${MG_BASE_SHA}..${MG_HEAD_SHA}" >> "$GITHUB_OUTPUT"
+              ;;
+            workflow_dispatch|*)
+              # Manual dispatch: scan HEAD only (safe default, not full history).
+              echo "range=HEAD" >> "$GITHUB_OUTPUT"
               ;;
           esac
           echo "Resolved GITLEAKS_RANGE='$(tail -n1 "$GITHUB_OUTPUT" | cut -d= -f2-)'"
 
-      - name: Secret scan (gitleaks, PR range)
+      - name: Secret scan (gitleaks, range-scoped)
         env:
           GITLEAKS_RANGE: ${{ steps.range.outputs.range }}
         run: mise run security:secrets:range
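Review bot: The new `merge_group)` branch emits `range=${MG_BASE_SHA}..${MG_HEAD_SHA}` without checking that either SHA is non-empty, so a missing or renamed payload field yields `range=..`, and if the mise task passes that straight to gitleaks/`git log` (not shown in this hunk) the result is an empty commit set that passes with nothing scanned — a fail-open where the old empty-range behaviour failed closed. Guard before the echo with `: "${MG_BASE_SHA:?merge_group.base_sha is empty}"` and `: "${MG_HEAD_SHA:?merge_group.head_sha is empty}"`, which `set -u`/`-e` will turn into a hard step failure. The `workflow_dispatch|*)` comment says "scan HEAD only", but if `HEAD` reaches `git log` or gitleaks `--log-opts` it selects every commit reachable from HEAD, i.e. the whole current-branch history; `HEAD~1..HEAD` would match the comment (and error on a root commit instead of silently widening). The `workflow_dispatch|` alternative is also redundant given `*)`, and since no trigger scans full history any more, it is worth confirming a scheduled job still provides that backstop.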