From 074aae9788a7ecd75337aabb766694ea1ad501bb Mon Sep 17 00:00:00 2001
From: bgagent
Date: Fri, 12 Jun 2026 15:41:45 -0700
Subject: [PATCH] fix(ci): scope merge_group gitleaks scan to the merge-group commit range (#336)

The merge_group case of the range resolver set GITLEAKS_RANGE empty, falling back to a full-history scan that re-reports the historical #313 aws-account-id findings and fails the required check for every PR in the merge queue. Use the merge_group event's base_sha..head_sha so the queue scans exactly the commits being merged, mirroring how build.yml consumes the merge_group payload. workflow_dispatch keeps the full-history backstop.

Closes #336
---
 .github/workflows/security-pr.yml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml
index 89afa56c..4bbf83a2 100644
--- a/.github/workflows/security-pr.yml
+++ b/.github/workflows/security-pr.yml
@@ -54,6 +54,8 @@ jobs:
 EVENT_NAME: ${{ github.event_name }}
 PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
 PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+ MG_BASE_SHA: ${{ github.event.merge_group.base_sha }}
+ MG_HEAD_SHA: ${{ github.event.merge_group.head_sha }}
 run: |
 set -euo pipefail
 case "$EVENT_NAME" in
@@ -61,9 +63,15 @@ jobs:
 # Scan exactly the commits this PR introduces.
 echo "range=${PR_BASE_SHA}..${PR_HEAD_SHA}" >> "$GITHUB_OUTPUT"
 ;;
- merge_group|workflow_dispatch|*)
- # In the merge queue (and on manual dispatch) there is no PR diff to
- # scope to; scan the full reachable history as a backstop.
+ merge_group)
+ # Scan exactly the commits this merge group introduces (#336).
+ # An empty range here would fall back to full history, which
+ # re-reports the historical #313 findings and deadlocks the queue.
+ echo "range=${MG_BASE_SHA}..${MG_HEAD_SHA}" >> "$GITHUB_OUTPUT"
+ ;;
+ workflow_dispatch|*)
+ # On manual dispatch there is no PR diff to scope to; scan the
+ # full reachable history as a backstop.
 echo "range=" >> "$GITHUB_OUTPUT"
 ;;
 esac
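Review bot: The new `merge_group)` branch writes `range=${MG_BASE_SHA}..${MG_HEAD_SHA}` without checking that either value is non-empty; both env vars are defined in the previous hunk, so `set -u` will not catch a missing payload field, and the step would emit `range=..` or a half-open range whose meaning to the downstream gitleaks invocation is not visible here — the scan may then cover something other than the queued commits. A guard before the echo keeps that failure loud rather than silent: `[ -n "$MG_BASE_SHA" ] && [ -n "$MG_HEAD_SHA" ] || { echo "merge_group payload missing base_sha/head_sha" >&2; exit 1; }`. The `pull_request` branch just above has the same gap, though its opening lines are outside this hunk. As a point of style, `workflow_dispatch|*)` is redundant since `*` alone matches every remaining event; if the explicit name is kept for readability, a comment such as `# workflow_dispatch listed explicitly for readability; '*' is the real catch-all` would say so. The `run:` step enclosing this `case` begins in the previous hunk.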