fix(ci): scope gitleaks to changed commits

NubsCarson · NubsCarson · commit b2577981b439 · 2026-05-22T12:08:54.000Z
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -39,12 +39,26 @@ jobs:
           gitleaks version
 
       - name: Run gitleaks
-        # Scan the full working tree. Returns non-zero on any finding so the
-        # job fails the build the same way the wrapper action did.
+        # Scan only the PR/push commit range. The checkout still fetches full
+        # history above so these ranges resolve, but pre-existing historical
+        # findings do not block unrelated source-only PRs.
         run: |
+          set -euo pipefail
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            log_opts="${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}"
+          else
+            before="${{ github.event.before }}"
+            if [[ "$before" =~ ^0+$ ]]; then
+              log_opts="${{ github.sha }}^..${{ github.sha }}"
+            else
+              log_opts="${before}..${{ github.sha }}"
+            fi
+          fi
+          echo "Scanning gitleaks range: ${log_opts}"
           gitleaks detect \
             --config .gitleaks.toml \
             --source . \
+            --log-opts "$log_opts" \
             --verbose \
             --redact \
             --report-format sarif \
